Comments (9)
@prabhu
Yes, the problem was in the old vdb version:
$ pip uninstall appthreat-vulnerability-db
Found existing installation: appthreat-vulnerability-db 5.6.4
Uninstalling appthreat-vulnerability-db-5.6.4:
pip install -e .
python3 depscan/cli.py --no-banner --purl "pkg:pypi/[email protected]" --reports-dir temp_test --no-suggest
╭─────────────────── Risk Audit Capability ───────────────────╮
│ Depscan supports OSS Risk audit for this project.           │
│ To enable set the environment variable ENABLE_OSS_RISK=true │
╰─────────────────────────────────────────────────────────────╯
INFO [2024-04-01 19:00:14,048] Performing regular scan for /home/user/Desktop/Programs/dep-scan-feature-use-vdbxz using plugin pypi
INFO [2024-04-01 19:00:14,052] No oss vulnerabilities detected ✅
Thanks!
from dep-scan.
@almaz045, will rework PR #282 without including the xz change and let you know once it's ready.
from dep-scan.
VDB version compare is incorrectly saying that 6.0.1 is within 3.01 and 5.4b2. Will work on a fix this weekend.
['4969711542_4969759212', 'pypi', 'pyyaml', '6.0.1'] 3.01 5.4b2 None None True
from dep-scan.
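The range check the comment above is about, written out as an added illustration (not code from dep-scan or the vulnerability-db project): under PEP 440 ordering 6.0.1 is not within 3.01 and 5.4b2, while a pre-release such as 5.4b1 is. The parser is assumed to handle only dotted release segments with an optional a/b/rc suffix, which is enough for the versions on this page.

```python
import re

# Rank of the pre-release tag within one release number (PEP 440 order:
# a < b < rc < final). A final release sorts after every pre-release of
# the same number, so 5.4 is greater than 5.4b2.
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL_RANK = 3

# Assumed subset of PEP 440: "N(.N)*" with an optional "aN" / "bN" / "rcN".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")


def parse_version(text):
    """Turn a version string into a tuple that sorts by PEP 440 rules.

    Leading zeros in a segment are dropped ('3.01' == '3.1') and trailing
    zero segments are ignored ('5.4.0' == '5.4'), so the comparison is
    numeric rather than lexicographic.
    """
    match = _VERSION_RE.match(text.strip().lower())
    if not match:
        raise ValueError(f"unsupported version string: {text!r}")
    release = [int(part) for part in match.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    if match.group(2):
        pre = (_PRE_RANK[match.group(2)], int(match.group(3)))
    else:
        pre = (_FINAL_RANK, 0)
    return (tuple(release), pre)


def version_in_range(version, min_version, max_version):
    """True when min_version <= version <= max_version under PEP 440 ordering."""
    key = parse_version(version)
    return parse_version(min_version) <= key <= parse_version(max_version)


if __name__ == "__main__":
    # The case from the comment: pyyaml 6.0.1 against the range 3.01 .. 5.4b2.
    for candidate in ("6.0.1", "5.4b1", "5.4", "3.01"):
        print(candidate, version_in_range(candidate, "3.01", "5.4b2"))
```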
Fixed with vdb 5.6.6. PR to bump depscan is coming.
python depscan/cli.py --no-banner --purl "pkg:pypi/[email protected]" --reports-dir /tmp/reports --no-suggest
╭─────────────────── Risk Audit Capability ───────────────────╮
│ Depscan supports OSS Risk audit for this project. │
│ To enable set the environment variable ENABLE_OSS_RISK=true │
╰─────────────────────────────────────────────────────────────╯
INFO [2024-03-29 22:20:57,636] Performing regular scan for /mnt/work/owasp-depscan/dep-scan using plugin pypi
INFO [2024-03-29 22:20:57,643] No oss vulnerabilities detected ✅
from dep-scan.
@almaz045 could you kindly test with PR #282?
from dep-scan.
dep-scan-feature-use-vdbxz/depscan$ python3 cli.py --no-banner --purl "pkg:pypi/[email protected]" --reports-dir temp_test --no-suggest
╭─────────────────── Risk Audit Capability ───────────────────╮
│ Depscan supports OSS Risk audit for this project.           │
│ To enable set the environment variable ENABLE_OSS_RISK=true │
╰─────────────────────────────────────────────────────────────╯
INFO [2024-04-01 10:10:29,707] Performing regular scan for dep-scan-feature-use-vdbxz/depscan using plugin pypi
Dependency Scan Results (PYPI)
╔═══════════════════════╤═════════════════════╤═════════════╤══════════╤═══════╗
║ CVE                   │ Insights            │ Fix Version │ Severity │ Score ║
╟───────────────────────┼─────────────────────┼─────────────┼──────────┼───────╢
║ [email protected] ⬅   │ 🧾 Vendor Confirmed │             │ LOW      │ 2.0   ║
║ CVE-2020-14343        │                     │             │          │       ║
╟───────────────────────┼─────────────────────┼─────────────┼──────────┼───────╢
║ [email protected] ⬅   │ 🧾 Vendor Confirmed │             │ LOW      │ 2.0   ║
║ CVE-2017-18342        │                     │             │          │       ║
╚═══════════════════════╧═════════════════════╧═════════════╧══════════╧═══════╝
╭────────────── Recommendation ───────────────╮
│ ✅ No package requires immediate attention. │
╰─────────────────────────────────────────────╯
from dep-scan.
@almaz045 could you uninstall any existing depscan or set PYTHONPATH to the cloned directory?
from dep-scan.
I've deleted depscan binary file from path:
$ depscan
bash: /home/user/.local/bin/depscan: No such file or directory
I've added PYTHONPATH to feature-branch
export PYTHONPATH="/home/user/Desktop/Programs/dep-scan-feature-use-vdbxz:$PYTHONPATH"
~/Desktop/Programs/dep-scan-feature-use-vdbxz$ python3 depscan/cli.py --no-banner --purl "pkg:pypi/[email protected]" --reports-dir temp_test --no-suggest
╭─────────────────── Risk Audit Capability ───────────────────╮
│ Depscan supports OSS Risk audit for this project.           │
│ To enable set the environment variable ENABLE_OSS_RISK=true │
╰─────────────────────────────────────────────────────────────╯
INFO [2024-04-01 17:55:25,318] Performing regular scan for /home/user/Desktop/Programs/dep-scan-feature-use-vdbxz using plugin pypi
Dependency Scan Results (PYPI)
╔═══════════════════════╤═════════════════════╤═════════════╤══════════╤═══════╗
║ CVE                   │ Insights            │ Fix Version │ Severity │ Score ║
╟───────────────────────┼─────────────────────┼─────────────┼──────────┼───────╢
║ [email protected] ⬅   │ 🧾 Vendor Confirmed │             │ LOW      │ 2.0   ║
║ CVE-2017-18342        │                     │             │          │       ║
╟───────────────────────┼─────────────────────┼─────────────┼──────────┼───────╢
║ [email protected] ⬅   │ 🧾 Vendor Confirmed │             │ LOW      │ 2.0   ║
║ CVE-2020-14343        │                     │             │          │       ║
╚═══════════════════════╧═════════════════════╧═════════════╧══════════╧═══════╝
╭────────────── Recommendation ───────────────╮
│ ✅ No package requires immediate attention. │
╰─────────────────────────────────────────────╯
from dep-scan.
@almaz045 can you also do the following?
pip uninstall appthreat-vulnerability-db
from dep-scan.