
Poetry plugin to check known vulnerabilities from poetry.lock

Project description

ko-poetry-audit-plugin


Checks the packages pinned in poetry.lock for known vulnerabilities.

Inspired by pypa/pip-audit, this plugin adds an audit command to poetry that checks every package found in poetry.lock against published vulnerability reports.

Vulnerability reports are sourced from the Python Packaging Advisory Database (https://github.com/pypa/advisory-database) and retrieved through the PyPI JSON API.

Installation

Follow the "Using Plugins" section of the poetry documentation to install the plugin into your poetry installation:

% poetry self add ko-poetry-audit-plugin

To integrate with pre-commit, so that a scan is triggered whenever poetry.lock is committed, add the following hook to .pre-commit-config.yaml:

  - repo: https://github.com/koyeung/ko-poetry-audit-plugin.git
    rev: 0.6.0
    hooks:
      - id: poetry-audit

Note: by default, the pre-commit hook scans the main and dev dependency groups only.

Usage

To check the main group only:

% poetry audit
No known vulnerabilities found

To include the packages of the dev group as well:

% poetry audit --with dev
Found vulnerabilities
Group    Name    Version    ID                   Withdrawn    Fix Versions    Link
-------  ------  ---------  -------------------  -----------  --------------  -------------------------------------------------
dev      py      1.11.0     GHSA-w596-4wvx-j9j6                               https://osv.dev/vulnerability/GHSA-w596-4wvx-j9j6
dev      py      1.11.0     PYSEC-2022-42969                                  https://osv.dev/vulnerability/PYSEC-2022-42969
% echo $?
1

To show which packages were queried and what was found for each (verbose output):

% poetry audit --with dev -vv
[ko_poetry_audit_plugin.auditor] get packages list from dependencies groups={'main', 'dev'}
[ko_poetry_audit_plugin.pypi_warehouse] package.name='boto3', package.version='1.26.8': no vulnerabilities found
[ko_poetry_audit_plugin.pypi_warehouse] package.name='jmespath', package.version='1.0.1': no vulnerabilities found
[ko_poetry_audit_plugin.pypi_warehouse] package.name='botocore', package.version='1.29.8': no vulnerabilities found
[ko_poetry_audit_plugin.pypi_warehouse] package.name='six', package.version='1.16.0': no vulnerabilities found
[ko_poetry_audit_plugin.pypi_warehouse] package.name='python-dateutil', package.version='2.8.2': no vulnerabilities found
[ko_poetry_audit_plugin.pypi_warehouse] package.name='s3transfer', package.version='0.6.0': no vulnerabilities found
[ko_poetry_audit_plugin.pypi_warehouse] package.name='py', package.version='1.11.0': vulnerabilities found
[ko_poetry_audit_plugin.pypi_warehouse] package.name='urllib3', package.version='1.26.12': no vulnerabilities found
Found vulnerabilities
Group    Name    Version    ID                   Withdrawn    Fix Versions    Link
-------  ------  ---------  -------------------  -----------  --------------  -------------------------------------------------
dev      py      1.11.0     GHSA-w596-4wvx-j9j6                               https://osv.dev/vulnerability/GHSA-w596-4wvx-j9j6
dev      py      1.11.0     PYSEC-2022-42969                                  https://osv.dev/vulnerability/PYSEC-2022-42969

Exit codes

poetry audit exits 0 when no vulnerabilities are found, or when every vulnerability found has been withdrawn (the Withdrawn column is populated). Otherwise it exits with a non-zero code (1 in the example above), so a CI job or pre-commit run fails on an unaddressed finding.

Note: only packages published on PyPI can be checked. A package that poetry.lock resolves from another source (for example a git URL or a private index) has no PyPI record to look up.
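The following is an added example, not the plugin's own code: a minimal re-creation of the check poetry audit performs for one locked package, written so the exit-code policy above can be read in code. It assumes that the PyPI JSON API at https://pypi.org/pypi/<name>/<version>/json returns a "vulnerabilities" list whose entries carry "id", "withdrawn", "fixed_in" and "link"; the plugin's real implementation (the pypi_warehouse module seen in the verbose log) may differ in detail. The sample response for py 1.11.0 is constructed inline so the script runs offline; set offline=False in demo() to query PyPI instead.

```python
# Added example (not ko-poetry-audit-plugin's code): audit one locked package
# against PyPI's vulnerability data and apply the documented exit-code policy.
# Assumption: PyPI release JSON exposes a "vulnerabilities" list with the
# fields "id", "withdrawn", "fixed_in" and "link".
import json
import urllib.request

PYPI_RELEASE_JSON = "https://pypi.org/pypi/{name}/{version}/json"


def fetch_vulnerabilities(name, version, timeout=10.0):
    """Network call: return the `vulnerabilities` list for one release from PyPI."""
    url = PYPI_RELEASE_JSON.format(name=name, version=version)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp).get("vulnerabilities", [])


def audit_package(group, name, version, vulnerabilities):
    """Turn one release's vulnerability records into rows like the plugin's table."""
    rows = []
    for vuln in vulnerabilities:
        rows.append({
            "group": group,
            "name": name,
            "version": version,
            "id": vuln["id"],
            # A withdrawn advisory carries a timestamp here; an active one has null.
            "withdrawn": vuln.get("withdrawn"),
            "fix_versions": list(vuln.get("fixed_in") or []),
            "link": vuln.get("link", ""),
        })
    return rows


def audit_exit_code(rows):
    """Exit-code policy documented above: 0 only if every finding is withdrawn
    (vacuously true when there are no findings), otherwise 1."""
    return 0 if all(row["withdrawn"] for row in rows) else 1


def render(rows):
    """Plain-text table in the same column order the plugin prints."""
    if not rows:
        return "No known vulnerabilities found"
    header = ["Group", "Name", "Version", "ID", "Withdrawn", "Fix Versions", "Link"]
    body = [[r["group"], r["name"], r["version"], r["id"], r["withdrawn"] or "",
             ", ".join(r["fix_versions"]), r["link"]] for r in rows]
    widths = [max(len(str(col)) for col in column) for column in zip(header, *body)]
    fmt = "  ".join("{:<%d}" % w for w in widths)
    lines = ["Found vulnerabilities", fmt.format(*header),
             fmt.format(*["-" * w for w in widths])]
    lines += [fmt.format(*[str(c) for c in row]) for row in body]
    return "\n".join(lines)


# Constructed sample response for py 1.11.0, shaped like the PyPI JSON API
# (not a captured response; ids and links copied from the table above).
SAMPLE_PY_1_11_0 = [
    {"id": "GHSA-w596-4wvx-j9j6", "withdrawn": None, "fixed_in": [],
     "link": "https://osv.dev/vulnerability/GHSA-w596-4wvx-j9j6"},
    {"id": "PYSEC-2022-42969", "withdrawn": None, "fixed_in": [],
     "link": "https://osv.dev/vulnerability/PYSEC-2022-42969"},
]


def demo(offline=True):
    """Audit the dev-group package py 1.11.0; returns (table text, exit code)."""
    vulns = SAMPLE_PY_1_11_0 if offline else fetch_vulnerabilities("py", "1.11.0")
    rows = audit_package("dev", "py", "1.11.0", vulns)
    return render(rows), audit_exit_code(rows)


if __name__ == "__main__":
    table, code = demo()
    print(table)
    raise SystemExit(code)
```

Because all() over an empty list is true, a clean lock file and a lock file whose only findings are withdrawn both exit 0; anything else exits 1, which is the behaviour the pre-commit hook relies on.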

Licensing

poetry audit plugin is licensed under the Apache 2.0 License.

Download files

Source Distribution

ko_poetry_audit_plugin-0.7.0.tar.gz (11.4 kB, source)

Built Distribution

ko_poetry_audit_plugin-0.7.0-py3-none-any.whl (11.9 kB, Python 3)

File hashes for ko_poetry_audit_plugin-0.7.0.tar.gz

Algorithm    Hash digest
SHA256       6013fef67c14f7006528ba181e6b7fe46cb5b5ee570ed8b60ab544dcb0aaf1d5
MD5          43918813f12a7650163e63b7bfd8b8e3
BLAKE2b-256  f69a15474eeba786dc7e054315cd181a4ccc1d711d388b32bc63787ade33eef7

File hashes for ko_poetry_audit_plugin-0.7.0-py3-none-any.whl

Algorithm    Hash digest
SHA256       f56c7b7983d4f03e153529d1b4c628b105ae910617d21a71a4a80913be6151da
MD5          082e7b91ab2061325f7cda3ed6e6fac0
BLAKE2b-256  1416a123a54b3ff518438e200cc3f263122a09deb60646ffd46d671423bb8d28
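The published digests are only useful if something checks them. The script below is an added example, not part of the plugin or of PyPI: it verifies a downloaded release file against the SHA256 listed above before the file is installed. It assumes sha256sum (coreutils) or shasum (perl) is on the PATH, and that poetry self add accepts a local archive path the way poetry add does; the pip download line is shown as typical use and is not executed by the script itself.

```sh
#!/bin/sh
# Added example (not the plugin's code): verify a PyPI release file against
# the SHA256 digest published on its project page before installing it.
# Assumes sha256sum (coreutils) or shasum (perl) is available.

# Expected digest for ko_poetry_audit_plugin-0.7.0.tar.gz, copied from the page above.
EXPECTED_SDIST_SHA256=6013fef67c14f7006528ba181e6b7fe46cb5b5ee570ed8b60ab544dcb0aaf1d5

# Print the SHA256 hex digest of a file, using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare a file's digest to the expected one: status 0 on match, 1 otherwise.
# Lower-casing the expected value avoids a false mismatch when it was copied in
# upper case; the full digest is compared, never a prefix.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Typical use: fetch the sdist without installing it, verify it, then install
# from the verified file rather than letting the installer fetch it again.
#   pip download --no-deps --no-binary :all: ko-poetry-audit-plugin==0.7.0
#   verify_sha256 ko_poetry_audit_plugin-0.7.0.tar.gz "$EXPECTED_SDIST_SHA256" && \
#       poetry self add ./ko_poetry_audit_plugin-0.7.0.tar.gz
```

Verify the file you actually install: if a release is re-uploaded or the installer picks the wheel instead of the sdist, the digest on this page no longer applies and the check must fail rather than be skipped.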
