Project introduction
pip-audit is a tool for scanning Python environments for packages with known vulnerabilities. It uses the Python Packaging Advisory Database (https://github.com/pypa/advisory-db) via the PyPI JSON API as a source of vulnerability reports.
This project is developed by Trail of Bits with support from Google. This is not an official Google product.
Project URL
https://github.com/trailofbits/pip-audit
Features
- Support for auditing local environments and requirements-style files
- Support for multiple vulnerability services (PyPI, OSV)
- Support for emitting SBOMs in CycloneDX XML or JSON
- Human- and machine-readable output formats (columnar, JSON)
- Seamlessly reuses your existing local pip cache
Installation
pip-audit requires Python 3.6 or newer and can be installed directly via pip:
python -m pip install pip-audit
Usage
You can run pip-audit as a standalone program, or via python -m:
pip-audit --help
python -m pip_audit --help
usage: pip-audit [-h] [-V] [-l] [-r REQUIREMENTS] [-f FORMAT] [-s SERVICE]
                 [-d] [-S] [--desc [{on,off,auto}]] [--cache-dir CACHE_DIR]
                 [--progress-spinner {on,off}] [--timeout TIMEOUT]
                 [--path PATHS] [-v]

audit the Python environment for dependencies with known vulnerabilities

optional arguments:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit
  -l, --local           show only results for dependencies in the local
                        environment (default: False)
  -r REQUIREMENTS, --requirement REQUIREMENTS
                        audit the given requirements file; this option can be
                        used multiple times (default: None)
  -f FORMAT, --format FORMAT
                        the format to emit audit results in (choices: columns,
                        json, cyclonedx-json, cyclonedx-xml) (default:
                        columns)
  -s SERVICE, --vulnerability-service SERVICE
                        the vulnerability service to audit dependencies
                        against (choices: osv, pypi) (default: pypi)
  -d, --dry-run         collect all dependencies but do not perform the
                        auditing step (default: False)
  -S, --strict          fail the entire audit if dependency collection fails
                        on any dependency (default: False)
  --desc [{on,off,auto}]
                        include a description for each vulnerability; `auto`
                        defaults to `on` for the `json` format. This flag has
                        no effect on the `cyclonedx-json` or `cyclonedx-xml`
                        formats. (default: auto)
  --cache-dir CACHE_DIR
                        the directory to use as an HTTP cache for PyPI; uses
                        the `pip` HTTP cache by default (default: None)
  --progress-spinner {on,off}
                        display a progress spinner (default: on)
  --timeout TIMEOUT     set the socket timeout (default: 15)
  --path PATHS          restrict to the specified installation path for
                        auditing packages; this option can be used multiple
                        times (default: [])
  -v, --verbose         give more output; this setting overrides the
                        `PIP_AUDIT_LOGLEVEL` variable and is equivalent to
                        setting it to `debug` (default: False)
Examples
Audit the dependencies of the current Python environment:
$ pip-audit
No known vulnerabilities found
Audit the dependencies of a given requirements file:
$ pip-audit -r ./requirements.txt
No known vulnerabilities found
Audit the dependencies of the current Python environment, excluding system packages:
$ pip-audit -r ./requirements.txt -l
No known vulnerabilities found
Audit dependencies when vulnerabilities are present:
$ pip-audit
Found 2 known vulnerabilities in 1 packages
Name Version ID Fix Versions
---- ------- -------------- ------------
Flask 0.5 PYSEC-2019-179 1.0
Flask 0.5 PYSEC-2018-66 0.12.3
Audit dependencies, including descriptions:
$ pip-audit --desc
Found 2 known vulnerabilities in 1 packages
Name  Version ID             Fix Versions Description
----  ------- -------------- ------------ -----------
Flask 0.5     PYSEC-2019-179 1.0          The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656.
Flask 0.5     PYSEC-2018-66  0.12.3       The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.
Audit dependencies in JSON format:
$ pip-audit -f json | jq
Found 2 known vulnerabilities in 1 packages
[
  {
    "name": "flask",
    "version": "0.5",
    "vulns": [
      {
        "id": "PYSEC-2019-179",
        "fix_versions": [
          "1.0"
        ],
        "description": "The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656."
      },
      {
        "id": "PYSEC-2018-66",
        "fix_versions": [
          "0.12.3"
        ],
        "description": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083."
      }
    ]
  },
  {
    "name": "jinja2",
    "version": "3.0.2",
    "vulns": []
  },
  {
    "name": "pip",
    "version": "21.3.1",
    "vulns": []
  },
  {
    "name": "setuptools",
    "version": "57.4.0",
    "vulns": []
  },
  {
    "name": "werkzeug",
    "version": "2.0.2",
    "vulns": []
  },
  {
    "name": "markupsafe",
    "version": "2.0.1",
    "vulns": []
  }
]
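The JSON format above is what you would feed into a CI gate. As an added example (not part of pip-audit), the script below reads such a report, picks for each vulnerable package the lowest release that closes all of its reported vulnerabilities, flags vulnerabilities that have no fix release at all, and returns a non-zero exit status when anything is found; it assumes only the report shape shown above (name, version, vulns[].id, vulns[].fix_versions) and uses a simplified dotted-number version ordering rather than full PEP 440.

```python
# Added example (not part of pip-audit): turn `pip-audit -f json` output into an
# upgrade plan and a CI exit code. It assumes only the JSON shape shown above.
import json
import sys

# Constructed sample: a trimmed copy of the report shown above.
SAMPLE_REPORT = json.dumps([
    {"name": "flask", "version": "0.5", "vulns": [
        {"id": "PYSEC-2019-179", "fix_versions": ["1.0"]},
        {"id": "PYSEC-2018-66", "fix_versions": ["0.12.3"]},
    ]},
    {"name": "jinja2", "version": "3.0.2", "vulns": []},
])

def version_key(v):
    """Simplified ordering for dotted numeric versions (ignores PEP 440 suffixes)."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def upgrade_plan(report_json):
    """For each vulnerable package, pick the lowest version that closes *all* of
    its reported vulnerabilities, and list the ids that have no fix release at all."""
    plan = {}
    for dep in json.loads(report_json):
        if not dep["vulns"]:
            continue  # clean package: nothing to do
        required, unfixed = None, []  # required = max of the per-vuln minimum fixes
        for vuln in dep["vulns"]:
            fixes = sorted(vuln["fix_versions"], key=version_key)
            if not fixes:
                unfixed.append(vuln["id"])
            elif required is None or version_key(fixes[0]) > version_key(required):
                required = fixes[0]
        plan[dep["name"]] = {"installed": dep["version"], "upgrade_to": required,
                             "vuln_ids": [v["id"] for v in dep["vulns"]],
                             "unfixed": unfixed}
    return plan

def main():
    """Read a report from stdin when called with '-', else use the sample; exit 1 on findings."""
    report = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_REPORT
    plan = upgrade_plan(report)
    for name, entry in plan.items():
        target = entry["upgrade_to"] or "no fixed release yet"
        print(f"{name} {entry['installed']} -> {target}  [{', '.join(entry['vuln_ids'])}]")
    return 1 if plan else 0

if __name__ == "__main__":
    sys.exit(main())
```

Run it as `pip-audit -f json | python plan.py -`; pip-audit prints its "Found N known vulnerabilities" summary on stderr, so only the JSON reaches the script.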
Security model
This section describes the security assumptions you can and must not make when using pip-audit.
TL;DR: if you wouldn't pip install it, you should not pip audit it.
pip-audit is a tool for auditing Python environments for packages with known vulnerabilities. A "known vulnerability" is a publicly reported flaw in a package that, if uncorrected, might allow a malicious actor to perform unintended actions.
pip-audit can protect you against known vulnerabilities by telling you when you have them and how you should upgrade them. For example, if you have somepackage==1.2.3 in your environment, pip-audit can tell you that it needs to be upgraded to 1.2.4.
You can assume that pip-audit will make a best effort to fully resolve all of your Python dependencies and either fully audit each one or explicitly state which ones it has skipped, as well as why it has skipped them.
pip-audit is not a static code analyzer. It analyzes dependency trees, not code, and it cannot guarantee that arbitrary dependency resolution happens statically. To understand why this is, refer to Dustin Ingram's excellent blog post on dependency resolution in Python.
As such: you must not assume that pip-audit will defend you against malicious packages. In particular, it is incorrect to treat pip-audit -r INPUT as a "more secure" variant of pip-audit. For all intents and purposes, pip-audit -r INPUT is functionally equivalent to pip install -r INPUT, with a small amount of non-security isolation to avoid conflicts with any of your local environment.