Poetry plugin to check known vulnerabilities from poetry.lock
Project description
ko-poetry-audit-plugin
To check known vulnerabilities from poetry.lock
.
Inspired by pypa/pip-audit, this adds audit
command tip poetry
, for checking vulnerabilities of packages found in poetry.lock
.
Vulnerability reports are sourced from Python Packaging Advisory Database (https://github.com/pypa/advisory-database) using JSON API.
Installation
Please follow poetry Using Plugins for installation.
% poetry self add ko-poetry-audit-plugin
To integrate with pre-commit
, trigger scan whenever poetry.lock
is commit:
- repo: https://github.com/koyeung/ko-poetry-audit-plugin.git
rev: 0.6.0
hooks:
- id: poetry-audit
Note by default, it scans for main
and dev
dependencies groups only.
Usage
To check for main
group:
% poetry audit
No known vulnerabilities found
To include packages in dev
group:
% poetry audit --with dev
Found vulnerabilities
Group Name Version ID Withdrawn Fix Versions Link
------- ------ --------- ------------------- ----------- -------------- -------------------------------------------------
dev py 1.11.0 GHSA-w596-4wvx-j9j6 https://osv.dev/vulnerability/GHSA-w596-4wvx-j9j6
dev py 1.11.0 PYSEC-2022-42969 https://osv.dev/vulnerability/PYSEC-2022-42969
% echo $?
1
To show more details:
% poetry audit --with dev -vv
[ko_poetry_audit_plugin.auditor] get packages list from dependencies groups={'main', 'dev'}
[ko_poetry_audit_plugin.pypi_warehouse] package.name='boto3', package.version='1.26.8': no vulnerabilities found
[ko_poetry_audit_plugin.pypi_warehouse] package.name='jmespath', package.version='1.0.1': no vulnerabilities found
[ko_poetry_audit_plugin.pypi_warehouse] package.name='botocore', package.version='1.29.8': no vulnerabilities found
[ko_poetry_audit_plugin.pypi_warehouse] package.name='six', package.version='1.16.0': no vulnerabilities found
[ko_poetry_audit_plugin.pypi_warehouse] package.name='python-dateutil', package.version='2.8.2': no vulnerabilities found
[ko_poetry_audit_plugin.pypi_warehouse] package.name='s3transfer', package.version='0.6.0': no vulnerabilities found
[ko_poetry_audit_plugin.pypi_warehouse] package.name='py', package.version='1.11.0': vulnerabilities found
[ko_poetry_audit_plugin.pypi_warehouse] package.name='urllib3', package.version='1.26.12': no vulnerabilities found
Found vulnerabilities
Group Name Version ID Withdrawn Fix Versions Link
------- ------ --------- ------------------- ----------- -------------- -------------------------------------------------
dev py 1.11.0 GHSA-w596-4wvx-j9j6 https://osv.dev/vulnerability/GHSA-w596-4wvx-j9j6
dev py 1.11.0 PYSEC-2022-42969 https://osv.dev/vulnerability/PYSEC-2022-42969
Exit codes
poetry audit
exits with non-zero code, unless all vulnerabilities found have been withdrawn.
Note only packages found on pypi
could be checked.
Licensing
poetry audit
plugin is licensed under the Apache 2.0 License.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for ko_poetry_audit_plugin-0.7.0.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | 6013fef67c14f7006528ba181e6b7fe46cb5b5ee570ed8b60ab544dcb0aaf1d5 |
|
MD5 | 43918813f12a7650163e63b7bfd8b8e3 |
|
BLAKE2b-256 | f69a15474eeba786dc7e054315cd181a4ccc1d711d388b32bc63787ade33eef7 |
Hashes for ko_poetry_audit_plugin-0.7.0-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | f56c7b7983d4f03e153529d1b4c628b105ae910617d21a71a4a80913be6151da |
|
MD5 | 082e7b91ab2061325f7cda3ed6e6fac0 |
|
BLAKE2b-256 | 1416a123a54b3ff518438e200cc3f263122a09deb60646ffd46d671423bb8d28 |