ossaudit

About

ossaudit uses Sonatype OSS Index to audit Python packages for known vulnerabilities.

It can check installed packages and/or packages specified in dependency files. The following formats are supported with dparse:

  • PIP requirement files
  • Pipfile
  • Pipfile.lock
  • tox.ini
  • conda.yml

Installation

Normal

pip install ossaudit

Development

Clone this repository and:

make install-dev

This installs ossaudit with pip. Note that each dependency in requirements/* is pinned with the hash of its source tarball. If you don't need that, you can simply:

./setup.py develop

Usage

$ ossaudit --help
Usage: ossaudit [OPTIONS]

Options:
  -c, --config TEXT    Configuration file.
  -i, --installed      Audit installed packages.
  -f, --file FILENAME  Audit packages in file (can be specified multiple
                       times).
  --username TEXT      Username for authentication.
  --token TEXT         Token for authentication.
  --column TEXT        Column to show (can be specified multiple times).
                       [default: name, version, title]
  --ignore-id TEXT     Ignore a vulnerability by Sonatype ID or CVE (can be
                       specified multiple times).
  --ignore-cache       Temporarily ignore existing cache.
  --reset-cache        Remove existing cache.
  --help               Show this message and exit.

Configuration

Appdirs is used to determine storage paths. This means that the location of the configuration file is platform-specific:

  • *nix: ~/.config/ossaudit/config.ini
  • macOS: ~/Library/Preferences/ossaudit/config.ini
  • Windows: C:\Users\<username>\AppData\Local\ossaudit\ossaudit\config.ini

It can be overridden with the --config command-line argument and with the OSSAUDIT_CONFIG environment variable.

Example configuration:

[ossaudit]
# Optional: OSS Index username.
username = string

# Optional: OSS Index token
token = string

# Optional: comma-separated list of columns to show.
# Default: name, version, title
# Supported: id, name, version, cve, cvss_score, title, description
columns = name, version, title

# Optional: comma-separated list of vulnerability IDs (Sonatype ID or CVE) to ignore.
ignore-ids = x,y,z

Authentication is not required. However, requests are rate limited, and authenticated requests are less restricted. A free account can be created on OSS Index.
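To make the configuration semantics above concrete, here is an added example (not ossaudit's own code) that resolves the configuration file with the documented precedence (`--config`, then `OSSAUDIT_CONFIG`, then the platform default), parses the `[ossaudit]` section with the standard library `configparser`, validates `columns` against the supported set, and applies `ignore-ids` to a list of findings by matching either the Sonatype ID or the CVE. The `appdirs.user_config_dir` call is the real library API; the config text and the vulnerability records are constructed for the example and are not OSS Index data.

```python
"""Resolve ossaudit-style configuration and apply columns / ignore-ids.

Added example, not ossaudit's own code. SAMPLE_CONFIG and SAMPLE_VULNS are
constructed; the IDs, CVEs and token in them are placeholders.
"""
import configparser
from pathlib import Path
from typing import Dict, List, Optional, Set

DEFAULT_COLUMNS = ["name", "version", "title"]
SUPPORTED_COLUMNS = {"id", "name", "version", "cve", "cvss_score", "title", "description"}


def default_config_path() -> Path:
    """Platform-specific default, as computed by appdirs.

    appdirs.user_config_dir("ossaudit") yields ~/.config/ossaudit on *nix,
    ~/Library/Preferences/ossaudit on macOS and
    %LOCALAPPDATA%\\ossaudit\\ossaudit on Windows. If appdirs is not
    installed we fall back to the *nix location (an assumption of this example).
    """
    try:
        import appdirs  # real library used by ossaudit
        return Path(appdirs.user_config_dir("ossaudit")) / "config.ini"
    except ImportError:
        return Path.home() / ".config" / "ossaudit" / "config.ini"


def resolve_config_path(cli_config: Optional[str], env: Dict[str, str]) -> Path:
    """--config wins, then OSSAUDIT_CONFIG, then the platform default."""
    if cli_config:
        return Path(cli_config)
    if env.get("OSSAUDIT_CONFIG"):
        return Path(env["OSSAUDIT_CONFIG"])
    return default_config_path()


def _csv(value: str) -> List[str]:
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_config(text: str) -> dict:
    """Parse the [ossaudit] section; comma-separated values become lists."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    section = parser["ossaudit"] if parser.has_section("ossaudit") else {}
    columns = _csv(section.get("columns", "")) or list(DEFAULT_COLUMNS)
    unknown = [c for c in columns if c not in SUPPORTED_COLUMNS]
    if unknown:
        raise ValueError(f"unsupported columns: {unknown}")
    return {
        "username": section.get("username"),
        "token": section.get("token"),
        "columns": columns,
        "ignore_ids": set(_csv(section.get("ignore-ids", ""))),
    }


def filter_vulns(vulns: List[dict], ignore_ids: Set[str], columns: List[str]) -> List[dict]:
    """Drop findings whose Sonatype id or CVE is ignored; keep only `columns`."""
    kept = []
    for vuln in vulns:
        if vuln.get("id") in ignore_ids or vuln.get("cve") in ignore_ids:
            continue
        kept.append({column: vuln.get(column) for column in columns})
    return kept


# Constructed sample configuration (placeholder token and IDs).
SAMPLE_CONFIG = """\
[ossaudit]
# Optional: OSS Index token
token = example-token-placeholder
columns = name, version, cve, cvss_score
ignore-ids = EXAMPLE-SONATYPE-ID-1, CVE-0000-00002
"""

# Constructed findings, not real OSS Index results.
SAMPLE_VULNS = [
    {"id": "EXAMPLE-SONATYPE-ID-1", "name": "pkg-a", "version": "1.0",
     "cve": "CVE-0000-00001", "cvss_score": 7.5, "title": "constructed finding A"},
    {"id": "EXAMPLE-SONATYPE-ID-2", "name": "pkg-b", "version": "2.0",
     "cve": "CVE-0000-00002", "cvss_score": 5.0, "title": "constructed finding B"},
    {"id": "EXAMPLE-SONATYPE-ID-3", "name": "pkg-c", "version": "3.1",
     "cve": None, "cvss_score": 9.8, "title": "constructed finding C"},
]


def run_example() -> List[dict]:
    """Parse SAMPLE_CONFIG and report the findings that survive the ignore list."""
    cfg = parse_config(SAMPLE_CONFIG)
    return filter_vulns(SAMPLE_VULNS, cfg["ignore_ids"], cfg["columns"])


if __name__ == "__main__":
    for row in run_example():
        print(row)
```

Note that the first finding is suppressed by its Sonatype ID and the second by its CVE, so both spellings documented for `--ignore-id` are honoured; an ignore list should be reviewed periodically, since a suppressed ID silently hides any later findings that reuse it.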
