Audit Python packages for known vulnerabilities using Sonatype OSS Index v3 API
Project description
ossaudit-ng (Next Generation)
A fork of https://github.com/illikainen/ossaudit.git, which appears to be no longer maintained.
This fork includes portions of PRs by sseide on the original ossaudit.git.
New Features
- Added JSON output, config file support, Bearer token auth, HTTP/HTTPS proxy support, and ability to import.
- Works with the new API URL: "https://api.guide.sonatype.com/api/v3/"
About
ossaudit uses Sonatype OSS Index to audit Python packages for
known vulnerabilities.
It can check installed packages and/or packages specified in dependency files. The following formats are supported with dparse:
- PIP requirement files
- Pipfile
- Pipfile.lock
- tox.ini
- conda.yml
Installation
Normal
./setup.py develop
Usage
$ ossaudit --help
Usage: ossaudit [OPTIONS]
Options:
  -c, --config TEXT     Configuration file.
  -i, --installed       Audit installed packages.
  -f, --file FILENAME   Audit packages in file (can be specified multiple times).
  --token TEXT          Token for authentication.
  --column TEXT         Column to show (can be specified multiple times or passed a comma separated list).
                        [default: name, version, title] Additional options: id, cve, cvss_score, description
  --ignore-id TEXT      Ignore a vulnerability by Sonatype ID or CVE (can be specified multiple times).
  --ignore-cache        Temporarily ignore existing cache.
  --reset-cache         Remove existing cache.
  --json                Output vulnerabilities as JSON list.
  --json-full           Output all dependencies found and their vulnerabilities as JSON list (columns given are ignored).
  --http-proxy TEXT     HTTP proxy URL.
  --https-proxy TEXT    HTTPS proxy URL.
  --help                Show this message and exit.
As import
from ossaudit import scan

# Pass the same options as keyword arguments that the CLI accepts as flags.
list_of_vulnerabilities = scan(installed=True)
for v in list_of_vulnerabilities:
    # v is of type <class 'ossaudit.audit.Vulnerability'>
    print(v.name, v.version, v.title, v.cvss_score)
Configuration
Appdirs is used to determine storage paths. This means that the location of the configuration file is platform-specific:
- *nix: ~/.config/ossaudit/config.ini
- macOS: ~/Library/Preferences/ossaudit/config.ini
- Windows: C:\Users\<username>\AppData\Local\ossaudit\ossaudit\config.ini
It can be overridden with the --config command-line argument and with
the OSSAUDIT_CONFIG environment variable.
Example configuration:
[ossaudit]
# Optional: OSS Index API token (Bearer token auth).
# A free account and token can be created at https://ossindex.sonatype.org/
#token = string
# Optional: comma-separated list of columns to show.
# Default: name, version, title
# Supported: id, name, version, cve, cvss_score, title, description
#columns = name,version,title,cvss_score
# Optional: comma-separated list of vulnerability IDs (Sonatype ID or CVE) to ignore.
#ignore_ids = x,y,z
# Optional: Ignore cache
#ignore_cache = True
# Optional: Reset the cache
#reset_cache = True
# Optional: Output format to json
#json = True
# Optional: Full output of OSS Index results to json
#json_full = True
# Optional: HTTP/HTTPS proxy (can also be set via HTTP_PROXY/HTTPS_PROXY env vars)
#http_proxy = http://proxy.example.com:8080
#https_proxy = http://proxy.example.com:8080
Authentication is not required. However, requests are rate limited and authenticated requests are less restricted. A free account and API token can be created on OSS Index.
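The import interface and the config file above combine naturally into a CI gate. The following is an added example, not code from ossaudit-ng: it reads the `columns` and `ignore_ids` keys from an `[ossaudit]` section, applies the Sonatype-ID-or-CVE ignore semantics of `--ignore-id`, renders the selected columns as JSON, and fails on a CVSS threshold (the threshold is this example's addition, not a tool option). The `Vuln` dataclass is a constructed stand-in for `ossaudit.audit.Vulnerability` with the attribute names listed as columns; all IDs, CVE numbers and scores are placeholders.

```python
import configparser
import json
from dataclasses import dataclass
# Constructed stand-in for ossaudit.audit.Vulnerability, using the attribute
# names the README lists as columns (id, name, version, cve, cvss_score, title).
@dataclass(frozen=True)
class Vuln:
    id: str
    name: str
    version: str
    cve: str
    cvss_score: float
    title: str

def _split(value: str) -> list[str]:
    return [x.strip() for x in value.split(",") if x.strip()]

def parse_config(text: str) -> dict[str, list[str]]:
    """Read columns and ignore_ids from the [ossaudit] section, with the README's defaults."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    sec = cp["ossaudit"] if cp.has_section("ossaudit") else {}
    return {"columns": _split(sec.get("columns", "name,version,title")),
            "ignore_ids": _split(sec.get("ignore_ids", ""))}

def apply_ignores(vulns: list[Vuln], ignore_ids: list[str]) -> list[Vuln]:
    """Drop findings whose Sonatype ID or CVE is listed (the --ignore-id / ignore_ids semantics)."""
    ignored = {i.upper() for i in ignore_ids}
    return [v for v in vulns if v.id.upper() not in ignored and v.cve.upper() not in ignored]

def render_json(vulns: list[Vuln], columns: list[str]) -> str:
    """Emit only the configured columns as a JSON list, as --json with --column does."""
    return json.dumps([{c: getattr(v, c) for c in columns} for v in vulns], indent=2)

def worst_score(vulns: list[Vuln]) -> float:
    """Highest CVSS left after ignores; a CI gate added here, not an ossaudit option."""
    return max((v.cvss_score for v in vulns), default=0.0)

# Constructed sample data: the IDs, CVE numbers and scores are placeholders, not real findings.
SAMPLE_CONFIG = "[ossaudit]\ncolumns = name,version,cve,cvss_score\nignore_ids = CVE-0000-0001\n"
SAMPLE_VULNS = [
    Vuln("PLACEHOLDER-ID-1", "examplepkg", "1.0.0", "CVE-0000-0001", 5.3, "Accepted risk"),
    Vuln("PLACEHOLDER-ID-2", "examplepkg", "1.0.0", "CVE-0000-0002", 9.8, "Needs a fix"),
    Vuln("PLACEHOLDER-ID-3", "otherpkg", "2.1.0", "", 4.0, "No CVE assigned"),
]
if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    remaining = apply_ignores(SAMPLE_VULNS, cfg["ignore_ids"])
    print(render_json(remaining, cfg["columns"]))
    raise SystemExit(1 if worst_score(remaining) >= 7.0 else 0)  # fail the build on high CVSS
```

In a real pipeline, replace `SAMPLE_VULNS` with the list returned by `scan(installed=True)` and read the config text from the path the `--config` option or `OSSAUDIT_CONFIG` points at.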
Download files
File details
Details for the file ossaudit_ng-1.0.1.tar.gz.
File metadata
- Download URL: ossaudit_ng-1.0.1.tar.gz
- Upload date:
- Size: 52.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.2
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 830c6d3e9607c8925f323531cca8d65c090e1908390d39a53972e1a4bef3e444 |
| MD5 | 5af9bdbf58a17ad78a6fa607db94788d |
| BLAKE2b-256 | c6604e7d8adf7a34fd177aec5bdeb4567db6db85219095a50dd2e34a15917aa6 |
File details
Details for the file ossaudit_ng-1.0.1-py3-none-any.whl.
File metadata
- Download URL: ossaudit_ng-1.0.1-py3-none-any.whl
- Upload date:
- Size: 13.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.2
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 61ff37c2ec93f1836bbbed4a44a9759ef10c14e047042b2500af553d724a8d31 |
| MD5 | bf4c10c13a3aa04ecc104492709b0a40 |
| BLAKE2b-256 | 9b462cbe546f6b7f9a9f9becb06a763786e4de8e1652f15ab7c71f3d7160b522 |