
How to use python's pip-audit security vulnerability scanning tool

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Today I would like to share what I know about using python's pip-audit security vulnerability scanning tool. The content is detailed and the logic is clear. I believe most people still know too little about this, so I am sharing this article for your reference. I hope you get something out of it. Let's take a look.

About pip-audit

pip-audit is a powerful security vulnerability scanning tool aimed at Python environments: it helps researchers scan installed Python packages and dependency files for known security vulnerabilities. pip-audit uses the Python Packaging Advisory Database, queried through the PyPI JSON API, as its source of vulnerability reports.

Function introduction

1. Supports security audits of the local environment and of dependency lists (requirements-style files)

2. Supports multiple vulnerability services (PyPI, OSV)

3. Supports emitting an SBOM in CycloneDX XML or JSON format

4. Provides human- and machine-readable output formats (columnar, JSON)

5. Seamlessly reuses the local pip cache

Tool installation

pip-audit is developed in Python and requires Python 3.7 or later in the local environment. Once the Python environment is installed and configured, you can install pip-audit with pip using the following command:

python -m pip install pip-audit

Third-party packages

pip-audit depends on several third-party packages for normal operation. The specific package names and versions are shown in the following figure:

In addition, pip-audit can be installed through conda:

conda install -c conda-forge pip-audit

Tool use

pip-audit can be run directly as a stand-alone program, or as a module through "python -m pip_audit":

$ pip-audit --help
$ python -m pip_audit --help
usage: pip-audit [-h] [-V] [-l] [-r REQUIREMENTS] [-f FORMAT] [-s SERVICE] [-d] [-S] [--desc [{on,off,auto}]] [--cache-dir CACHE_DIR] [--progress-spinner {on,off}] [--timeout TIMEOUT] [--path PATHS] [-v] [--fix] [--require-hashes]

audit the Python environment for dependencies with known vulnerabilities

optional arguments:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit
  -l, --local           show only results for dependencies in the local environment (default: False)
  -r REQUIREMENTS, --requirement REQUIREMENTS
                        audit the given requirements file; this option can be used multiple times (default: None)
  -f FORMAT, --format FORMAT
                        the format to emit audit results in (choices: columns, json, cyclonedx-json, cyclonedx-xml) (default: columns)
  -s SERVICE, --vulnerability-service SERVICE
                        the vulnerability service to audit dependencies against (choices: osv, pypi) (default: pypi)
  -d, --dry-run         without `--fix`: collect all dependencies but do not perform the auditing step; with `--fix`: perform the auditing step but do not perform any fixes (default: False)
  -S, --strict          fail the entire audit if dependency collection fails on any dependency (default: False)
  --desc [{on,off,auto}]
                        include a description for each vulnerability; `auto` defaults to `on` for the `json` format. This flag has no effect on the `cyclonedx-json` or `cyclonedx-xml` formats. (default: auto)
  --cache-dir CACHE_DIR
                        the directory to use as an HTTP cache for PyPI; uses the `pip` HTTP cache by default (default: None)
  --progress-spinner {on,off}
                        display a progress spinner (default: on)
  --timeout TIMEOUT     set the socket timeout (default: 15)
  --path PATHS          restrict to the specified installation path for auditing packages; this option can be used multiple times (default: [])
  -v, --verbose         give more output; this setting overrides the `PIP_AUDIT_LOGLEVEL` variable and is equivalent to setting it to `debug` (default: False)
  --fix                 automatically upgrade dependencies with known vulnerabilities (default: False)
  --require-hashes      require a hash to check each requirement against, for repeatable audits; this option is implied when any package in a requirements file has a `--hash` option. (default: False)

Exit code

When the audit completes, pip-audit exits with a status code that reports the result, where:

0: no known vulnerability detected

1: one or more known vulnerabilities have been detected

Sample usage

Audit dependencies in the current Python environment:

$ pip-audit
No known vulnerabilities found

Audit the dependencies of a given requirements file:

$ pip-audit -r ./requirements.txt
No known vulnerabilities found

Audit a requirements file and exclude system packages (report only dependencies in the local environment):

$ pip-audit -r ./requirements.txt -l
No known vulnerabilities found

An audit in which vulnerabilities are found in the dependencies:

$ pip-audit
Found 2 known vulnerabilities in 1 package
Name  Version ID             Fix Versions
----- ------- -------------- ------------
flask 0.5     PYSEC-2019-179 1.0
flask 0.5     PYSEC-2018-66  0.12.3

Audit dependencies and include a description of each vulnerability:

$ pip-audit --desc
Found 2 known vulnerabilities in 1 package
Name  Version ID             Fix Versions Description
----- ------- -------------- ------------ -----------
flask 0.5     PYSEC-2019-179 1.0          The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656.
flask 0.5     PYSEC-2018-66  0.12.3       The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.

Audit dependencies and emit the results in JSON format:

$ pip-audit -f json | jq
Found 2 known vulnerabilities in 1 package
[
  {
    "name": "flask",
    "version": "0.5",
    "vulns": [
      {
        "id": "PYSEC-2019-179",
        "fix_versions": ["1.0"],
        "description": "The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656."
      },
      {
        "id": "PYSEC-2018-66",
        "fix_versions": ["0.12.3"],
        "description": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083."
      }
    ]
  },
  { "name": "jinja2", "version": "3.0.2", "vulns": [] },
  { "name": "pip", "version": "21.3.1", "vulns": [] },
  { "name": "setuptools", "version": "57.4.0", "vulns": [] },
  { "name": "werkzeug", "version": "2.0.2", "vulns": [] },
  { "name": "markupsafe", "version": "2.0.1", "vulns": [] }
]
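The JSON format is the one to consume from CI, because the columnar output is meant for people. As an added example (it is not part of this article and not pip-audit's own code), the following Python script reads "pip-audit -f json" output and turns it into a build decision: it reproduces the exit-code contract (0 when nothing is found, 1 otherwise), lists the finding IDs, and for each vulnerable package works out the lowest version that clears all of its findings, which is why the two flask findings above collapse into a single upgrade to 1.0, the same target the tool's "--fix" option applies. The embedded JSON is a constructed, abridged copy of the sample above; "parse_version" is a deliberately simplified dotted-numeric comparison and not a full PEP 440 implementation.

```python
"""Turn pip-audit JSON output into a CI decision.

Added example, not pip-audit's own code. Feed it the stdout of
`pip-audit -f json` (path as first argument); without an argument it runs on
the constructed sample below, which abridges the article's example.
"""
import json
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample: abridged `pip-audit -f json` output from the article.
SAMPLE_JSON = r'''
[
  {"name": "flask", "version": "0.5", "vulns": [
    {"id": "PYSEC-2019-179", "fix_versions": ["1.0"],
     "description": "The Pallets Project Flask before 1.0 is affected by: unexpected memory usage."},
    {"id": "PYSEC-2018-66", "fix_versions": ["0.12.3"],
     "description": "The Pallets Project flask version Before 0.12.3 contains a CWE-20 ..."}
  ]},
  {"name": "jinja2", "version": "3.0.2", "vulns": []},
  {"name": "pip", "version": "21.3.1", "vulns": []},
  {"name": "setuptools", "version": "57.4.0", "vulns": []},
  {"name": "werkzeug", "version": "2.0.2", "vulns": []},
  {"name": "markupsafe", "version": "2.0.1", "vulns": []}
]
'''


def parse_version(v: str) -> Tuple[int, ...]:
    """Simplified version key: leading digits of each dotted component.
    Assumption: good enough for plain releases like 0.12.3; pre-release and
    post-release suffixes (PEP 440) are ignored, not modelled."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def vulnerable_packages(report: List[dict]) -> List[dict]:
    """Only the dependencies that carry at least one finding."""
    return [dep for dep in report if dep.get("vulns")]


def upgrade_targets(report: List[dict]) -> Dict[str, str]:
    """Lowest version per vulnerable package that clears *all* its findings:
    the maximum over each finding's minimum fix version. A finding with no
    fix version at all marks the package as 'UNFIXED' (an upgrade alone will
    not clear it)."""
    targets: Dict[str, str] = {}
    for dep in vulnerable_packages(report):
        best: Optional[str] = None
        unfixed = False
        for vuln in dep["vulns"]:
            fixes = vuln.get("fix_versions") or []
            if not fixes:
                unfixed = True
                continue
            lowest_fix = min(fixes, key=parse_version)
            if best is None or parse_version(lowest_fix) > parse_version(best):
                best = lowest_fix
        targets[dep["name"]] = "UNFIXED" if (unfixed or best is None) else best
    return targets


def audit_exit_code(report: List[dict]) -> int:
    """Mirror pip-audit's exit-code contract: 0 = nothing found, 1 = findings."""
    return 1 if vulnerable_packages(report) else 0


def summarize(raw_json: str) -> Dict[str, object]:
    """Parse the JSON report and collect everything a CI gate needs."""
    report = json.loads(raw_json)
    vulns = vulnerable_packages(report)
    return {
        "exit_code": audit_exit_code(report),
        "packages_scanned": len(report),
        "findings": sum(len(dep["vulns"]) for dep in vulns),
        "ids": sorted(v["id"] for dep in vulns for v in dep["vulns"]),
        "upgrade_targets": upgrade_targets(report),
    }


if __name__ == "__main__":
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JSON
    summary = summarize(raw)
    for key, value in summary.items():
        print(f"{key}: {value}")
    # Propagate the same status pip-audit itself would return.
    sys.exit(int(summary["exit_code"]))
```

Run as "pip-audit -f json > audit.json; python audit_gate.py audit.json" in a pipeline stage; the non-zero exit fails the stage, and the "UNFIXED" marker separates packages that a "--fix" run can upgrade from those that need a different mitigation.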

Audit and automatically upgrade the vulnerable dependencies:

$ pip-audit --fix
Found 2 known vulnerabilities in 1 package and fixed 2 vulnerabilities in 1 package
Name  Version ID             Fix Versions Applied Fix
----- ------- -------------- ------------ ----------------------------------------
flask 0.5     PYSEC-2019-179 1.0          Successfully upgraded flask (0.5 => 1.0)
flask 0.5     PYSEC-2018-66  0.12.3       Successfully upgraded flask (0.5 => 1.0)

License agreement

The development and release of this project follows the Apache 2.0 open source license agreement.

That is all the content of this article entitled "how to use python's pip-audit vulnerability scanning tool". Thank you for reading! I believe you will gain a lot from it. The editor updates different knowledge for you every day; if you want to learn more, please follow the industry information channel.
