
Audit python packages for known vulnerabilities using Sonatype OSS Index v3 API

Project description

ossaudit-ng (Next Generation)

A fork of https://github.com/illikainen/ossaudit.git, which appears to be no longer maintained.

This fork includes portions of PRs by sseide against the original ossaudit.git.

New Features

About

ossaudit uses Sonatype OSS Index to audit Python packages for known vulnerabilities.

It can check installed packages and/or packages specified in dependency files. The following dependency file formats are supported via dparse:

  • PIP requirement files
  • Pipfile
  • Pipfile.lock
  • tox.ini
  • conda.yml

Installation

Normal

./setup.py develop

Usage

$ ossaudit --help
Usage: ossaudit [OPTIONS]

Options:
  -c, --config TEXT    Configuration file.
  -i, --installed      Audit installed packages.
  -f, --file FILENAME  Audit packages in file (can be specified multiple
                       times).
  --token TEXT         Token for authentication.
  --column TEXT        Column to show (can be specified multiple times or
                       passed a comma separated list).  [default: name,
                       version, title]  Additional options: id, cve,
                       cvss_score, description
  --ignore-id TEXT     Ignore a vulnerability by Sonatype ID or CVE (can be
                       specified multiple times).
  --ignore-cache       Temporarily ignore existing cache.
  --reset-cache        Remove existing cache.
  --json               Output vulnerabilities as json list
  --json-full          Output all dependencies found and their vulnerabilities
                       as json list (columns given are ignored)
  --http-proxy TEXT    HTTP proxy URL.
  --https-proxy TEXT   HTTPS proxy URL.
  --help               Show this message and exit.

As import

from ossaudit import scan

# Keyword arguments mirror the command-line options (installed=True is -i).
list_of_vulnerabilities = scan(installed=True)
for v in list_of_vulnerabilities:
    # v is an ossaudit.audit.Vulnerability; its attributes match the column names
    print(v.name, v.version, v.title, v.cvss_score)

Configuration

Appdirs is used to determine storage paths. This means that the location of the configuration file is platform-specific:

  • *nix: ~/.config/ossaudit/config.ini
  • macOS: ~/Library/Preferences/ossaudit/config.ini
  • Windows: C:\Users\<username>\AppData\Local\ossaudit\ossaudit\config.ini

It can be overridden with the --config command-line argument and with the OSSAUDIT_CONFIG environment variable.

Example configuration:

[ossaudit]
# Optional: OSS Index API token (Bearer token auth).
# A free account and token can be created at https://ossindex.sonatype.org/
#token = string

# Optional: comma-separated list of columns to show.
# Default: name, version, title
# Supported: id, name, version, cve, cvss_score, title, description
#columns = name,version,title,cvss_score

# Optional: comma-separated list of vulnerability IDs (Sonatype ID or CVE) to ignore.
#ignore_ids = x,y,z

# Optional: Ignore cache
#ignore_cache = True

# Optional: Reset the cache
#reset_cache = True

# Optional: Output format to json
#json = True

# Optional: Full output of OSS Index results to json
#json_full = True

# Optional: HTTP/HTTPS proxy (can also be set via HTTP_PROXY/HTTPS_PROXY env vars)
#http_proxy = http://proxy.example.com:8080
#https_proxy = http://proxy.example.com:8080

Authentication is not required. However, requests are rate limited and authenticated requests are less restricted. A free account and API token can be created on OSS Index.
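The following is an added example (not code from ossaudit-ng) showing how the pieces described above fit together: resolving the config.ini location with the --config / OSSAUDIT_CONFIG override, parsing the optional [ossaudit] keys, and then applying the ignore list and column selection to the kind of Vulnerability objects the "As import" section returns. It assumes only the standard library: the platform paths are hard-coded to mirror the appdirs locations listed above rather than calling appdirs, the precedence of --config over the environment variable is an assumption, and the Vulnerability class, config text and finding records are constructed stand-ins with placeholder IDs, not OSS Index data.

```python
import configparser
import json
import os
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional, Set

DEFAULT_COLUMNS = ["name", "version", "title"]
SUPPORTED_COLUMNS = {"id", "name", "version", "cve", "cvss_score", "title", "description"}


def default_config_path(platform: str = sys.platform, home=None) -> Path:
    """Mirror of the appdirs locations listed in the README (hard-coded here; the
    real tool asks appdirs, which is why Windows gets the doubled ossaudit dir)."""
    home = Path(home) if home else Path.home()
    if platform.startswith("win"):
        return home / "AppData" / "Local" / "ossaudit" / "ossaudit" / "config.ini"
    if platform == "darwin":
        return home / "Library" / "Preferences" / "ossaudit" / "config.ini"
    return home / ".config" / "ossaudit" / "config.ini"


def resolve_config_path(cli_config: Optional[str] = None, env=None,
                        platform: str = sys.platform, home=None) -> Path:
    """Precedence assumed for this example: --config, then OSSAUDIT_CONFIG, then default."""
    env = os.environ if env is None else env
    if cli_config:
        return Path(cli_config)
    if env.get("OSSAUDIT_CONFIG"):
        return Path(env["OSSAUDIT_CONFIG"])
    return default_config_path(platform, home)


@dataclass
class Settings:
    token: Optional[str]
    columns: List[str]
    ignore_ids: Set[str]
    json_output: bool


def load_settings(ini_text: str) -> Settings:
    """Parse the [ossaudit] section; every key is optional, as in the example config."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    raw_cols = cp.get("ossaudit", "columns", fallback=",".join(DEFAULT_COLUMNS))
    columns = [c.strip() for c in raw_cols.split(",") if c.strip()]
    unknown = set(columns) - SUPPORTED_COLUMNS
    if unknown:  # reject typos instead of silently printing empty columns
        raise ValueError(f"unsupported columns: {sorted(unknown)}")
    raw_ids = cp.get("ossaudit", "ignore_ids", fallback="")
    return Settings(
        token=cp.get("ossaudit", "token", fallback=None),
        columns=columns,
        ignore_ids={i.strip() for i in raw_ids.split(",") if i.strip()},
        json_output=cp.getboolean("ossaudit", "json", fallback=False),
    )


@dataclass
class Vulnerability:
    """Constructed stand-in for ossaudit.audit.Vulnerability with the README's column names."""
    id: str
    name: str
    version: str
    cve: str
    cvss_score: float
    title: str
    description: str


def filter_ignored(vulns: List[Vulnerability], ignore_ids: Set[str]) -> List[Vulnerability]:
    """--ignore-id accepts either the Sonatype ID or the CVE, so match on both."""
    return [v for v in vulns if v.id not in ignore_ids and v.cve not in ignore_ids]


def render(vulns: List[Vulnerability], columns: List[str], as_json: bool) -> str:
    """Rows of the chosen columns, or a JSON list when json output is requested."""
    rows = [{c: getattr(v, c) for c in columns} for v in vulns]
    if as_json:
        return json.dumps(rows)
    return "\n".join("  ".join(str(r[c]) for c in columns) for r in rows)


# Constructed sample config and findings (placeholder IDs, not real OSS Index data).
SAMPLE_INI = """
[ossaudit]
columns = name,version,title,cvss_score
ignore_ids = CVE-0000-00001
"""
SAMPLE_VULNS = [
    Vulnerability("PLACEHOLDER-ID-1", "examplepkg", "1.0.0", "CVE-0000-00001", 7.5, "Accepted risk", "..."),
    Vulnerability("PLACEHOLDER-ID-2", "examplepkg", "1.0.0", "CVE-0000-00002", 9.8, "Needs an upgrade", "..."),
]


def audit_report(ini_text: str = SAMPLE_INI, vulns=SAMPLE_VULNS) -> str:
    """Config -> settings -> filtered findings -> rendered report."""
    settings = load_settings(ini_text)
    return render(filter_ignored(vulns, settings.ignore_ids), settings.columns, settings.json_output)


if __name__ == "__main__":
    print("config file:", resolve_config_path())
    print(audit_report())
```

Run it as a script to see which config.ini would be consulted on the current platform and the report produced from the sample findings; ignoring by CVE drops the first finding while the second keeps its cvss_score column because the sample config adds it.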

Download files


Source Distribution

ossaudit_ng-1.0.1.tar.gz (52.2 kB)


Built Distribution


ossaudit_ng-1.0.1-py3-none-any.whl (13.4 kB)


File details

Details for the file ossaudit_ng-1.0.1.tar.gz.

File metadata

  • Download URL: ossaudit_ng-1.0.1.tar.gz
  • Size: 52.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.2

File hashes

Hashes for ossaudit_ng-1.0.1.tar.gz

  Algorithm    Hash digest
  SHA256       830c6d3e9607c8925f323531cca8d65c090e1908390d39a53972e1a4bef3e444
  MD5          5af9bdbf58a17ad78a6fa607db94788d
  BLAKE2b-256  c6604e7d8adf7a34fd177aec5bdeb4567db6db85219095a50dd2e34a15917aa6


File details

Details for the file ossaudit_ng-1.0.1-py3-none-any.whl.

File metadata

  • Download URL: ossaudit_ng-1.0.1-py3-none-any.whl
  • Size: 13.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.2

File hashes

Hashes for ossaudit_ng-1.0.1-py3-none-any.whl

  Algorithm    Hash digest
  SHA256       61ff37c2ec93f1836bbbed4a44a9759ef10c14e047042b2500af553d724a8d31
  MD5          bf4c10c13a3aa04ecc104492709b0a40
  BLAKE2b-256  9b462cbe546f6b7f9a9f9becb06a763786e4de8e1652f15ab7c71f3d7160b522
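Both release files were uploaded without Trusted Publishing, so the published digests are the main thing a consumer can pin against before installing. The script below is an added example (not part of ossaudit-ng) that streams a downloaded file through hashlib and compares it in constant time with the digests copied from the two tables above; it also emits the pip requirements line that makes pip refuse any artifact with a different SHA256. The digest values come from this page; the bytes used in self_check() are constructed and are not a release archive.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Digests of the 1.0.1 release files, copied from the file details above.
PUBLISHED_DIGESTS = {
    "ossaudit_ng-1.0.1.tar.gz": {
        "sha256": "830c6d3e9607c8925f323531cca8d65c090e1908390d39a53972e1a4bef3e444",
        "blake2b": "c6604e7d8adf7a34fd177aec5bdeb4567db6db85219095a50dd2e34a15917aa6",
    },
    "ossaudit_ng-1.0.1-py3-none-any.whl": {
        "sha256": "61ff37c2ec93f1836bbbed4a44a9759ef10c14e047042b2500af553d724a8d31",
        "blake2b": "9b462cbe546f6b7f9a9f9becb06a763786e4de8e1652f15ab7c71f3d7160b522",
    },
}


def file_digest(path, algorithm: str = "sha256") -> str:
    """Stream the file in 64 KiB chunks; PyPI's BLAKE2b-256 is blake2b with a 32-byte digest."""
    h = hashlib.blake2b(digest_size=32) if algorithm == "blake2b" else hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Constant-time comparison of the computed digest with the published one."""
    return hmac.compare_digest(file_digest(path, algorithm), expected_hex.lower())


def verify_release_file(path) -> bool:
    """Look the digests up by file name and require SHA256 and BLAKE2b-256 to both match."""
    expected = PUBLISHED_DIGESTS[Path(path).name]
    return all(verify_file(path, digest, alg) for alg, digest in expected.items())


def hashed_requirement(sha256_hex: str, name: str = "ossaudit-ng", version: str = "1.0.1") -> str:
    """Requirements-file line; installed with --require-hashes, pip rejects any other file."""
    return f"{name}=={version} --hash=sha256:{sha256_hex}"


def self_check() -> dict:
    """Exercise the helpers on a constructed temporary file, offline."""
    data = b"constructed sample bytes, not a release archive\n"
    with tempfile.TemporaryDirectory() as tmp:
        p = Path(tmp) / "sample.bin"
        p.write_bytes(data)
        good_sha = hashlib.sha256(data).hexdigest()
        good_b2 = hashlib.blake2b(data, digest_size=32).hexdigest()
        wrong_sha = hashlib.sha256(data + b"x").hexdigest()  # digest of altered content
        return {
            "sha256_ok": verify_file(p, good_sha),
            "blake2b_ok": verify_file(p, good_b2, "blake2b"),
            "tampered_detected": not verify_file(p, wrong_sha),
        }


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:  # paths to downloaded release files
        print(arg, "OK" if verify_release_file(arg) else "MISMATCH")
    print(self_check())
    print(hashed_requirement(PUBLISHED_DIGESTS["ossaudit_ng-1.0.1.tar.gz"]["sha256"]))
```

To use it against the real artifact, fetch it without installing (pip download --no-deps --no-binary :all: ossaudit-ng==1.0.1), run the script with the downloaded file name as the argument, and put the printed requirement line into a requirements file installed with pip install --require-hashes. The MD5 row is left out of the check because it adds nothing once SHA256 and BLAKE2b-256 agree.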

