feat(python): add support for requirements.txt (#1169)

aquasecurity · Aug 11, 2021 · feff59f · feff59f
1 parent 0ea9936
commit feff59f
Show file tree

Hide file tree

Showing 7 changed files with 147 additions and 9 deletions.
diff --git a/go.mod b/go.mod
@@ -7,13 +7,13 @@ require (
 	github.com/Masterminds/sprig v2.22.0+incompatible
 	github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/fanal v0.0.0-20210722114116-f7a3626ddffb
-	github.com/aquasecurity/go-dep-parser v0.0.0-20210520015931-0dd56983cc62
+	github.com/aquasecurity/fanal v0.0.0-20210805105520-af267919a460
+	github.com/aquasecurity/go-dep-parser v0.0.0-20210725132212-29708b56ea7f
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
 	github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492
-	github.com/aquasecurity/trivy-db v0.0.0-20210531102723-aaab62dec6ee
+	github.com/aquasecurity/trivy-db v0.0.0-20210809142931-da8e09204404
 	github.com/caarlos0/env/v6 v6.0.0
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cheggaaa/pb/v3 v3.0.3

diff --git a/go.sum b/go.sum
@@ -182,10 +182,10 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
-github.com/aquasecurity/fanal v0.0.0-20210722114116-f7a3626ddffb h1:PdsOZ3zazkIwU5LW7fynHbuGegvdfj1OlzGWxdkrLEQ=
-github.com/aquasecurity/fanal v0.0.0-20210722114116-f7a3626ddffb/go.mod h1:dSRQn8xGe+Bx9pjm5gHyU988VMouysH0YIiFmTbrPLU=
-github.com/aquasecurity/go-dep-parser v0.0.0-20210520015931-0dd56983cc62 h1:aahEMQZXrwhpCMlDgXi2d7jJVNDTpYGJOgLyNptGQoY=
-github.com/aquasecurity/go-dep-parser v0.0.0-20210520015931-0dd56983cc62/go.mod h1:Cv/FOCXy6gwvDbz/KX48+y//SmbnKroFwW5hquXn5G4=
+github.com/aquasecurity/fanal v0.0.0-20210805105520-af267919a460 h1:9e7hKVfaGsysdfXoeM/PsmKtIcGe31kIuH7XUNw/hRs=
+github.com/aquasecurity/fanal v0.0.0-20210805105520-af267919a460/go.mod h1:3pvm36KePuLCzQxpg/zPVerL/4sZUgJvefXneZpesbs=
+github.com/aquasecurity/go-dep-parser v0.0.0-20210725132212-29708b56ea7f h1:OT+1o8sddEHlLcP1wx2tgR071fQcqPRrPetjZqnS6bY=
+github.com/aquasecurity/go-dep-parser v0.0.0-20210725132212-29708b56ea7f/go.mod h1:Cv/FOCXy6gwvDbz/KX48+y//SmbnKroFwW5hquXn5G4=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
 github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798 h1:eveqE9ivrt30CJ7dOajOfBavhZ4zPqHcZe/4tKp0alc=
@@ -201,6 +201,8 @@ github.com/aquasecurity/tfsec v0.46.0 h1:R9djHTpk+YrFuFv2GRdfU4rRz6uk5wLrgfx1fp9
 github.com/aquasecurity/tfsec v0.46.0/go.mod h1:Dafx5dX/1QV1d5en62shpzEXfq5F31IG6oNNxhleV5Y=
 github.com/aquasecurity/trivy-db v0.0.0-20210531102723-aaab62dec6ee h1:LeTtvFgevJhupkFcVVVwAYsXd2HM+VG4NW8WRpMssxQ=
 github.com/aquasecurity/trivy-db v0.0.0-20210531102723-aaab62dec6ee/go.mod h1:N7CWA/vjVw78GWAdCJGhFQVqNGEA4e47a6eIWm+C/Bc=
+github.com/aquasecurity/trivy-db v0.0.0-20210809142931-da8e09204404 h1:6nJle4kjovrm3gK+xl1iuYkv1vbbMRRviHkR7fj3Tjc=
+github.com/aquasecurity/trivy-db v0.0.0-20210809142931-da8e09204404/go.mod h1:N7CWA/vjVw78GWAdCJGhFQVqNGEA4e47a6eIWm+C/Bc=
 github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2 h1:xbdUfr2KE4THsFx9CFWtWpU91lF+YhgP46moV94nYTA=
 github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2/go.mod h1:6NhOP0CjZJL27bZZcaHECtzWdwDDm2g6yCY0QgXEGQQ=
 github.com/araddon/dateparse v0.0.0-20190426192744-0d74ffceef83/go.mod h1:SLqhdZcd+dF3TEVL2RMoob5bBP5R1P1qkox+HtCBgGI=

diff --git a/integration/fs_test.go b/integration/fs_test.go
@@ -36,6 +36,14 @@ func TestFilesystem(t *testing.T) {
 			},
 			golden: "testdata/nodejs.json.golden",
 		},
+		{
+			name: "pip",
+			args: args{
+				securityChecks: "vuln",
+				input:          "testdata/fixtures/fs/pip",
+			},
+			golden: "testdata/pip.json.golden",
+		},
 		{
 			name: "dockerfile",
 			args: args{

diff --git a/integration/testdata/alpine-310-registry.json.golden b/integration/testdata/alpine-310-registry.json.golden
@@ -1,6 +1,7 @@
 [
   {
-    "Target": "localhost:55015/alpine:3.10 (alpine 3.10.2)",
+    "Target": "localhost:32779/alpine:3.10 (alpine 3.10.2)",
+    "Class": "os-pkgs",
     "Type": "alpine",
     "Vulnerabilities": [
       {

diff --git a/integration/testdata/fixtures/fs/pip/requirements.txt b/integration/testdata/fixtures/fs/pip/requirements.txt
@@ -0,0 +1,6 @@
+click==8.0.0
+Flask==2.0.0
+itsdangerous==2.0.0
+Jinja2==3.0.0
+MarkupSafe>2.0.0
+Werkzeug==0.11
diff --git a/integration/testdata/pip.json.golden b/integration/testdata/pip.json.golden
@@ -0,0 +1,121 @@
+[
+  {
+    "Target": "requirements.txt",
+    "Class": "lang-pkgs",
+    "Type": "pip",
+    "Vulnerabilities": [
+      {
+        "VulnerabilityID": "CVE-2019-14806",
+        "PkgName": "Werkzeug",
+        "InstalledVersion": "0.11",
+        "FixedVersion": "0.15.3",
+        "Layer": {
+          "DiffID": "sha256:6393f36bbbee0b53834ba0f9f585194d9e5ab56b555a2910551254fc8a2aec19"
+        },
+        "SeveritySource": "nvd",
+        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14806",
+        "Title": "python-werkzeug: insufficient debugger PIN randomness vulnerability",
+        "Description": "Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.",
+        "Severity": "HIGH",
+        "CweIDs": [
+          "CWE-331"
+        ],
+        "CVSS": {
+          "nvd": {
+            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+            "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+            "V2Score": 5,
+            "V3Score": 7.5
+          },
+          "redhat": {
+            "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+            "V3Score": 7.5
+          }
+        },
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00034.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00047.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14806",
+          "https://github.com/pallets/werkzeug/blob/7fef41b120327d3912fbe12fb64f1951496fcf3e/src/werkzeug/debug/__init__.py#L168",
+          "https://github.com/pallets/werkzeug/commit/00bc43b1672e662e5e3b8cecd79e67fc968fa246",
+          "https://nvd.nist.gov/vuln/detail/CVE-2019-14806",
+          "https://palletsprojects.com/blog/werkzeug-0-15-3-released/"
+        ],
+        "PublishedDate": "2019-08-09T15:15:00Z",
+        "LastModifiedDate": "2019-09-11T00:15:00Z"
+      },
+      {
+        "VulnerabilityID": "CVE-2016-10516",
+        "PkgName": "Werkzeug",
+        "InstalledVersion": "0.11",
+        "FixedVersion": "0.11.11",
+        "Layer": {
+          "DiffID": "sha256:6393f36bbbee0b53834ba0f9f585194d9e5ab56b555a2910551254fc8a2aec19"
+        },
+        "SeveritySource": "nvd",
+        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-10516",
+        "Title": "python-werkzeug: Cross-site scripting in render_full function in debug/tbtools.py",
+        "Description": "Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote attackers to inject arbitrary web script or HTML via a field that contains an exception message.",
+        "Severity": "MEDIUM",
+        "CweIDs": [
+          "CWE-79"
+        ],
+        "CVSS": {
+          "nvd": {
+            "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
+            "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
+            "V2Score": 4.3,
+            "V3Score": 6.1
+          },
+          "redhat": {
+            "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
+            "V3Score": 7.1
+          }
+        },
+        "References": [
+          "http://blog.neargle.com/2016/09/21/flask-src-review-get-a-xss-from-debuger/",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10516",
+          "https://github.com/pallets/werkzeug/pull/1001",
+          "https://lists.debian.org/debian-lts-announce/2017/11/msg00037.html",
+          "https://usn.ubuntu.com/usn/usn-3463-1"
+        ],
+        "PublishedDate": "2017-10-23T16:29:00Z",
+        "LastModifiedDate": "2018-02-04T02:29:00Z"
+      },
+      {
+        "VulnerabilityID": "CVE-2020-28724",
+        "PkgName": "Werkzeug",
+        "InstalledVersion": "0.11",
+        "FixedVersion": "0.11.6",
+        "Layer": {
+          "DiffID": "sha256:6393f36bbbee0b53834ba0f9f585194d9e5ab56b555a2910551254fc8a2aec19"
+        },
+        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28724",
+        "Title": "Werkzeug before 0.11.6 includes an open redirect vulnerability via a double slash in the URL. See CVE-2020-28724.",
+        "Severity": "UNKNOWN"
+      },
+      {
+        "VulnerabilityID": "pyup.io-26435",
+        "PkgName": "Werkzeug",
+        "InstalledVersion": "0.11",
+        "FixedVersion": "0.12",
+        "Layer": {
+          "DiffID": "sha256:6393f36bbbee0b53834ba0f9f585194d9e5ab56b555a2910551254fc8a2aec19"
+        },
+        "Title": "The defaults of ``generate_password_hash`` in werkzeug 0.12 have been changed to more secure ones, see pull request ``#753``.",
+        "Severity": "UNKNOWN"
+      },
+      {
+        "VulnerabilityID": "pyup.io-36967",
+        "PkgName": "Werkzeug",
+        "InstalledVersion": "0.11",
+        "FixedVersion": "0.15.0",
+        "Layer": {
+          "DiffID": "sha256:6393f36bbbee0b53834ba0f9f585194d9e5ab56b555a2910551254fc8a2aec19"
+        },
+        "Title": "Werkzeug 0.15.0 refactors class:`~middleware.proxy_fix.ProxyFix` to support more headers, multiple values, and a more secure configuration.",
+        "Severity": "UNKNOWN"
+      }
+    ]
+  }
+]
diff --git a/pkg/detector/library/driver.go b/pkg/detector/library/driver.go
@@ -33,7 +33,7 @@ func NewDriver(libType string) (Driver, error) {
 		driver = newComposerDriver()
 	case ftypes.Npm, ftypes.Yarn:
 		driver = newNpmDriver()
-	case ftypes.Pipenv, ftypes.Poetry:
+	case ftypes.Pipenv, ftypes.Poetry, ftypes.Pip:
 		driver = newPipDriver()
 	case ftypes.NuGet:
 		driver = newNugetDriver()