Skip to main content

Poetry plugin to check known vulnerabilities from poetry.lock

Project description

ko-poetry-audit-plugin

Code style: black formatter Imports: isort linting: pylint

To check known vulnerabilities from poetry.lock.

Inspired by pypa/pip-audit, this adds audit command tip poetry, for checking vulnerabilities of packages found in poetry.lock.

Vulnerability reports are sourced from Python Packaging Advisory Database (https://github.com/pypa/advisory-database) using JSON API.

Installation

Please follow poetry Using Plugins for installation.

% poetry self add ko-poetry-audit-plugin

To integrate with pre-commit, trigger scan whenever poetry.lock is commit:

  - repo: https://github.com/koyeung/ko-poetry-audit-plugin.git
    rev: 0.6.0
    hooks:
      - id: poetry-audit

Note by default, it scans for main and dev dependencies groups only.

Usage

To check for main group:

% poetry audit
No known vulnerabilities found

To include packages in dev group:

% poetry audit --with dev
Found vulnerabilities
Group    Name    Version    ID                   Withdrawn    Fix Versions    Link
-------  ------  ---------  -------------------  -----------  --------------  -------------------------------------------------
dev      py      1.11.0     GHSA-w596-4wvx-j9j6                               https://osv.dev/vulnerability/GHSA-w596-4wvx-j9j6
dev      py      1.11.0     PYSEC-2022-42969                                  https://osv.dev/vulnerability/PYSEC-2022-42969
% echo $?
1

To show more details:

% poetry audit --with dev -vv
[ko_poetry_audit_plugin.auditor] get packages list from dependencies groups={'main', 'dev'}
[ko_poetry_audit_plugin.pypi_warehouse] package.name='boto3', package.version='1.26.8': no vulnerabilities found
[ko_poetry_audit_plugin.pypi_warehouse] package.name='jmespath', package.version='1.0.1': no vulnerabilities found
[ko_poetry_audit_plugin.pypi_warehouse] package.name='botocore', package.version='1.29.8': no vulnerabilities found
[ko_poetry_audit_plugin.pypi_warehouse] package.name='six', package.version='1.16.0': no vulnerabilities found
[ko_poetry_audit_plugin.pypi_warehouse] package.name='python-dateutil', package.version='2.8.2': no vulnerabilities found
[ko_poetry_audit_plugin.pypi_warehouse] package.name='s3transfer', package.version='0.6.0': no vulnerabilities found
[ko_poetry_audit_plugin.pypi_warehouse] package.name='py', package.version='1.11.0': vulnerabilities found
[ko_poetry_audit_plugin.pypi_warehouse] package.name='urllib3', package.version='1.26.12': no vulnerabilities found
Found vulnerabilities
Group    Name    Version    ID                   Withdrawn    Fix Versions    Link
-------  ------  ---------  -------------------  -----------  --------------  -------------------------------------------------
dev      py      1.11.0     GHSA-w596-4wvx-j9j6                               https://osv.dev/vulnerability/GHSA-w596-4wvx-j9j6
dev      py      1.11.0     PYSEC-2022-42969                                  https://osv.dev/vulnerability/PYSEC-2022-42969

Exit codes

poetry audit exits with non-zero code, unless all vulnerabilities found have been withdrawn.

Note only packages found on pypi could be checked.

Licensing

poetry audit plugin is licensed under the Apache 2.0 License.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ko_poetry_audit_plugin-0.7.0a3.tar.gz (11.4 kB view hashes)

Uploaded Source

Built Distribution

ko_poetry_audit_plugin-0.7.0a3-py3-none-any.whl (12.0 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page