Poetry plugin to check known vulnerabilities from poetry.lock

Project description

ko-poetry-audit-plugin

To check known vulnerabilities from `poetry.lock`.

Inspired by pypa/pip-audit, this adds an `audit` command to `poetry` for checking vulnerabilities of the packages found in `poetry.lock`.

Vulnerability reports are sourced from the Python Packaging Advisory Database (https://github.com/pypa/advisory-database) through the PyPI JSON API.
Installation

Please follow the poetry "Using Plugins" guide for installation.
Usage

To check the `main` group:

```
% poetry audit
No known vulnerabilities found
```

To include packages in the `dev` group:

```
% poetry audit --with dev
Found vulnerabilities
Group   Name   Version   ID                  Withdrawn   Fix Versions   Link
------- ------ --------- ------------------- ----------- -------------- -------------------------------------------------
dev     py     1.11.0    GHSA-w596-4wvx-j9j6                            https://osv.dev/vulnerability/GHSA-w596-4wvx-j9j6
dev     py     1.11.0    PYSEC-2022-42969                               https://osv.dev/vulnerability/PYSEC-2022-42969
% echo $?
1
```
To show more details:

```
% poetry audit --with dev -vv
[ko_poetry_audit_plugin.auditor] get packages of dependencies groups={'dev', 'main'} from lock
[ko_poetry_audit_plugin.pypi_warehouse] no vulnerabilities found for package.name='boto3', package.version='1.26.7'
[ko_poetry_audit_plugin.pypi_warehouse] no vulnerabilities found for package.name='jmespath', package.version='1.0.1'
[ko_poetry_audit_plugin.pypi_warehouse] vulnerabilities found for package.name='py', package.version='1.11.0'
[ko_poetry_audit_plugin.pypi_warehouse] no vulnerabilities found for package.name='s3transfer', package.version='0.6.0'
[ko_poetry_audit_plugin.pypi_warehouse] no vulnerabilities found for package.name='six', package.version='1.16.0'
[ko_poetry_audit_plugin.pypi_warehouse] no vulnerabilities found for package.name='botocore', package.version='1.29.7'
[ko_poetry_audit_plugin.pypi_warehouse] no vulnerabilities found for package.name='python-dateutil', package.version='2.8.2'
[ko_poetry_audit_plugin.pypi_warehouse] no vulnerabilities found for package.name='urllib3', package.version='1.26.12'
Found vulnerabilities
Group   Name   Version   ID                  Withdrawn   Fix Versions   Link
------- ------ --------- ------------------- ----------- -------------- -------------------------------------------------
dev     py     1.11.0    GHSA-w596-4wvx-j9j6                            https://osv.dev/vulnerability/GHSA-w596-4wvx-j9j6
dev     py     1.11.0    PYSEC-2022-42969                               https://osv.dev/vulnerability/PYSEC-2022-42969
```
Exit codes

`poetry audit` exits with a non-zero code unless every vulnerability found has been withdrawn (an empty result also exits with zero), which makes it usable as a CI gate.

Note that only packages published on PyPI can be checked; packages from private indexes or path/git sources are not looked up.
Licensing

The `poetry audit` plugin is licensed under the Apache 2.0 License.
Hashes for ko_poetry_audit_plugin-0.2.0.tar.gz

| Algorithm | Hash digest |
|---|---|
| SHA256 | 99258b7eb7bd4eb4f323dd01d42278422dc5fb15ab26b176a3c0a38647e8f555 |
| MD5 | 42a85468dbc8d01d2dda50e3f68a94e0 |
| BLAKE2b-256 | d9308be58e9e0019de88b222bc7f4310ff324fd1e4ffe3a50933bce19ebb5a7f |

Hashes for ko_poetry_audit_plugin-0.2.0-py3-none-any.whl

| Algorithm | Hash digest |
|---|---|
| SHA256 | e8e21491c726e41180f828523a16987b9c8c75b9b6fad6beddfe94ab9f776f73 |
| MD5 | bfe01fa302786ecdb54d12e23f6f7c4e |
| BLAKE2b-256 | 7b63303efc14ec5facdf375b2e25c9e7af7d24a9ee70bde26411d3139a99392a |