
How to scan Python packages for security vulnerabilities with pip-audit

Published: 2022-02-27 03:03:34  Source: IT資訊網

About pip-audit

pip-audit is a tool for auditing Python environments for packages with known vulnerabilities. It helps researchers and developers scan and test the packages installed in, or required by, a Python project. pip-audit uses the Python Packaging Advisory Database and the PyPI JSON API as its sources of vulnerability reports.

Features

- Audits local environments and requirements-style dependency files
- Supports multiple vulnerability services (PyPI, OSV)
- Can emit an SBOM in CycloneDX XML or JSON format
- Human- and machine-readable output formats (columnar, JSON)
- Seamlessly reuses the existing local pip cache

Installation

pip-audit is written in Python and requires Python 3.7 or newer. Once a Python environment is installed and configured, install pip-audit with pip:

python -m pip install pip-audit

Third-party packages

pip-audit depends on a number of third-party packages; the original article listed their names and versions in a figure that is not reproduced here.

pip-audit can also be installed via conda:

conda install -c conda-forge pip-audit

Usage

pip-audit can be run as a standalone program or via "python -m":

pip-audit --help
python -m pip_audit --help

usage: pip-audit [-h] [-V] [-l] [-r REQUIREMENTS] [-f FORMAT] [-s SERVICE] [-d] [-S] [--desc [{on,off,auto}]] [--cache-dir CACHE_DIR] [--progress-spinner {on,off}] [--timeout TIMEOUT] [--path PATHS] [-v] [--fix] [--require-hashes]

audit the Python environment for dependencies with known vulnerabilities

optional arguments:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit
  -l, --local           show only results for dependencies in the local
                        environment (default: False)
  -r REQUIREMENTS, --requirement REQUIREMENTS
                        audit the given requirements file; this option can be
                        used multiple times (default: None)
  -f FORMAT, --format FORMAT
                        the format to emit audit results in (choices: columns,
                        json, cyclonedx-json, cyclonedx-xml) (default: columns)
  -s SERVICE, --vulnerability-service SERVICE
                        the vulnerability service to audit dependencies against
                        (choices: osv, pypi) (default: pypi)
  -d, --dry-run         without `--fix`: collect all dependencies but do not
                        perform the auditing step; with `--fix`: perform the
                        auditing step but do not perform any fixes
                        (default: False)
  -S, --strict          fail the entire audit if dependency collection fails on
                        any dependency (default: False)
  --desc [{on,off,auto}]
                        include a description for each vulnerability; `auto`
                        defaults to `on` for the `json` format. This flag has no
                        effect on the `cyclonedx-json` or `cyclonedx-xml`
                        formats. (default: auto)
  --cache-dir CACHE_DIR
                        the directory to use as an HTTP cache for PyPI; uses the
                        `pip` HTTP cache by default (default: None)
  --progress-spinner {on,off}
                        display a progress spinner (default: on)
  --timeout TIMEOUT     set the socket timeout (default: 15)
  --path PATHS          restrict to the specified installation path for auditing
                        packages; this option can be used multiple times
                        (default: [])
  -v, --verbose         give more output; this setting overrides the
                        `PIP_AUDIT_LOGLEVEL` variable and is equivalent to
                        setting it to `debug` (default: False)
  --fix                 automatically upgrade dependencies with known
                        vulnerabilities (default: False)
  --require-hashes      require a hash to check each requirement against, for
                        repeatable audits; this option is implied when any
                        package in a requirements file has a `--hash` option.
                        (default: False)

Exit codes

When the audit completes, pip-audit exits with a status code that reports the result, which makes it easy to gate a CI job on it:

- 0: no known vulnerabilities were detected
- 1: one or more known vulnerabilities were detected

Examples

Audit the dependencies in the current Python environment:

$ pip-audit
No known vulnerabilities found

Audit the dependencies listed in a given requirements file:

$ pip-audit -r ./requirements.txt
No known vulnerabilities found

Audit a requirements file while excluding system packages:

$ pip-audit -r ./requirements.txt -l
No known vulnerabilities found

Audit dependencies when vulnerabilities are found:

$ pip-audit
Found 2 known vulnerabilities in 1 package
Name  Version ID             Fix Versions
----  ------- -------------- ------------
Flask 0.5     PYSEC-2019-179 1.0
Flask 0.5     PYSEC-2018-66  0.12.3

Audit dependencies and include a description of each vulnerability:

$ pip-audit --desc
Found 2 known vulnerabilities in 1 package
Name  Version ID             Fix Versions Description
----  ------- -------------- ------------ -----------
Flask 0.5     PYSEC-2019-179 1.0          The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656.
Flask 0.5     PYSEC-2018-66  0.12.3       The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.

Audit dependencies and emit the results as JSON:

$ pip-audit -f json | jq
Found 2 known vulnerabilities in 1 package
[
  {
    "name": "flask",
    "version": "0.5",
    "vulns": [
      {
        "id": "PYSEC-2019-179",
        "fix_versions": [
          "1.0"
        ],
        "description": "The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656."
      },
      {
        "id": "PYSEC-2018-66",
        "fix_versions": [
          "0.12.3"
        ],
        "description": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083."
      }
    ]
  },
  {
    "name": "jinja2",
    "version": "3.0.2",
    "vulns": []
  },
  {
    "name": "pip",
    "version": "21.3.1",
    "vulns": []
  },
  {
    "name": "setuptools",
    "version": "57.4.0",
    "vulns": []
  },
  {
    "name": "werkzeug",
    "version": "2.0.2",
    "vulns": []
  },
  {
    "name": "markupsafe",
    "version": "2.0.1",
    "vulns": []
  }
]

Audit dependencies and attempt to automatically fix the vulnerable ones. Note that both findings against flask 0.5 are resolved by a single upgrade to 1.0, the highest of the listed fix versions:

$ pip-audit --fix
Found 2 known vulnerabilities in 1 package and fixed 2 vulnerabilities in 1 package
Name  Version ID             Fix Versions Applied Fix
----- ------- -------------- ------------ ----------------------------------------
flask 0.5     PYSEC-2019-179 1.0          Successfully upgraded flask (0.5 => 1.0)
flask 0.5     PYSEC-2018-66  0.12.3       Successfully upgraded flask (0.5 => 1.0)
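The JSON output, the 0/1 exit-code convention and the upgrade-target choice shown in the --fix example above are what a CI pipeline actually consumes. The script below is an added example written for this article; it is not part of pip-audit and not code from the original page. It parses a report in the list shape shown above (each entry carrying "name", "version" and a "vulns" list of "id", "fix_versions" and "description"), drops vulnerability IDs on a reviewed ignore list, picks one upgrade target per package as the highest remaining fix version, and returns 0 or 1 like pip-audit itself. The embedded report is a constructed sample modelled on the flask output above with shortened descriptions, and the version ordering is a deliberate simplification that only compares the numeric release segments (use packaging.version for full PEP 440 ordering in a real pipeline).

```python
"""Gate a CI job on `pip-audit -f json` output.

Added example, not pip-audit's own code. Usage in CI:

    pip-audit -f json | python gate.py [IGNORED-ID ...]

With no piped input it runs against the constructed SAMPLE_REPORT below.
"""
import json
import re
import sys
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample in the shape of `pip-audit -f json` output
# (pip-audit 2.x list format); descriptions shortened from the real advisories.
SAMPLE_REPORT = """[
  {"name": "flask", "version": "0.5", "vulns": [
    {"id": "PYSEC-2019-179", "fix_versions": ["1.0"],
     "description": "Flask before 1.0: crafted encoded JSON causes excessive memory use (DoS)."},
    {"id": "PYSEC-2018-66", "fix_versions": ["0.12.3"],
     "description": "Flask before 0.12.3: CWE-20 in JSON decoding, large memory use (DoS)."}
  ]},
  {"name": "jinja2", "version": "3.0.2", "vulns": []},
  {"name": "werkzeug", "version": "2.0.2", "vulns": []}
]"""


def version_key(version: str) -> Tuple[int, ...]:
    """Sort key for release versions such as "0.12.3".

    Simplification: only the leading digits of each dotted segment are
    compared, so "1.0" sorts above "0.12.3" but pre-release markers are
    ignored. Real pipelines should use packaging.version instead.
    """
    key = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        key.append(int(m.group()) if m else 0)
    return tuple(key)


@dataclass
class Finding:
    name: str
    version: str
    vuln_ids: List[str]
    upgrade_to: Optional[str]  # None when no remaining vuln has a fix version


def parse_report(report_json: str, ignore_ids: Iterable[str] = ()) -> List[Finding]:
    """One Finding per package that still has a vulnerability after dropping
    the IDs in ignore_ids (a reviewed allowlist, e.g. accepted or unfixable findings).

    The upgrade target is the highest fix version across the remaining vulns,
    which is the single upgrade that `pip-audit --fix` applies per package.
    """
    ignored = set(ignore_ids)
    findings = []
    for dep in json.loads(report_json):
        vulns = [v for v in dep.get("vulns", []) if v["id"] not in ignored]
        if not vulns:
            continue
        fixes = [fix for v in vulns for fix in v.get("fix_versions", [])]
        target = max(fixes, key=version_key) if fixes else None
        findings.append(Finding(dep["name"], dep["version"],
                                [v["id"] for v in vulns], target))
    return findings


def gate(report_json: str, ignore_ids: Iterable[str] = ()) -> Tuple[int, List[Finding]]:
    """Exit status in pip-audit's convention: 0 when nothing is left to act on,
    1 when at least one un-ignored known vulnerability remains."""
    findings = parse_report(report_json, ignore_ids)
    return (1 if findings else 0), findings


def main() -> int:
    # A piped report wins; an interactive run or empty stdin uses the sample.
    report = "" if sys.stdin.isatty() else sys.stdin.read()
    if not report.strip():
        report = SAMPLE_REPORT
    status, findings = gate(report, sys.argv[1:])
    for f in findings:
        fix = f"upgrade to {f.upgrade_to}" if f.upgrade_to else "no fix version published"
        print(f"{f.name} {f.version}: {', '.join(f.vuln_ids)} -> {fix}")
    print("no known vulnerabilities remaining" if status == 0
          else f"{len(findings)} vulnerable package(s)")
    return status


if __name__ == "__main__":
    sys.exit(main())
```

Ignoring an ID changes the upgrade target as well as the verdict: with PYSEC-2019-179 on the ignore list only PYSEC-2018-66 remains, so the script reports flask as fixable at 0.12.3 rather than 1.0. Keep the ignore list in version control with a reason and review date next to each ID, since an entry that outlives its justification silently turns the gate green.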

License

This project is developed and released under the Apache 2.0 open-source license.

Project page

pip-audit on GitHub


