From feff59f48027dce32c222b9b391237c743e29505 Mon Sep 17 00:00:00 2001
From: AndreyLevchenko
Date: Wed, 11 Aug 2021 14:14:37 +0600
Subject: [PATCH] feat(python): add support for requirements.txt (#1169)

---
 go.mod | 6 +-
 go.sum | 10 +-
 integration/fs_test.go | 8 ++
 .../testdata/alpine-310-registry.json.golden | 3 +-
 .../testdata/fixtures/fs/pip/requirements.txt | 6 +
 integration/testdata/pip.json.golden | 121 ++++++++++++++++++
 pkg/detector/library/driver.go | 2 +-
 7 files changed, 147 insertions(+), 9 deletions(-)
 create mode 100644 integration/testdata/fixtures/fs/pip/requirements.txt
 create mode 100644 integration/testdata/pip.json.golden

diff --git a/go.mod b/go.mod
index 21defd8000a1..df9e02b59c40 100644
--- a/go.mod
+++ b/go.mod
@@ -7,13 +7,13 @@ require (
 github.com/Masterminds/sprig v2.22.0+incompatible
 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
- github.com/aquasecurity/fanal v0.0.0-20210722114116-f7a3626ddffb
- github.com/aquasecurity/go-dep-parser v0.0.0-20210520015931-0dd56983cc62
+ github.com/aquasecurity/fanal v0.0.0-20210805105520-af267919a460
+ github.com/aquasecurity/go-dep-parser v0.0.0-20210725132212-29708b56ea7f
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
 github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492
- github.com/aquasecurity/trivy-db v0.0.0-20210531102723-aaab62dec6ee
+ github.com/aquasecurity/trivy-db v0.0.0-20210809142931-da8e09204404
 github.com/caarlos0/env/v6 v6.0.0
 github.com/cenkalti/backoff v2.2.1+incompatible
 github.com/cheggaaa/pb/v3 v3.0.3
diff --git a/go.sum b/go.sum
index c63a42a69570..d1dd5f373766 100644
--- a/go.sum
+++ b/go.sum
@@ -182,10 +182,10 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
-github.com/aquasecurity/fanal v0.0.0-20210722114116-f7a3626ddffb h1:PdsOZ3zazkIwU5LW7fynHbuGegvdfj1OlzGWxdkrLEQ=
-github.com/aquasecurity/fanal v0.0.0-20210722114116-f7a3626ddffb/go.mod h1:dSRQn8xGe+Bx9pjm5gHyU988VMouysH0YIiFmTbrPLU=
-github.com/aquasecurity/go-dep-parser v0.0.0-20210520015931-0dd56983cc62 h1:aahEMQZXrwhpCMlDgXi2d7jJVNDTpYGJOgLyNptGQoY=
-github.com/aquasecurity/go-dep-parser v0.0.0-20210520015931-0dd56983cc62/go.mod h1:Cv/FOCXy6gwvDbz/KX48+y//SmbnKroFwW5hquXn5G4=
+github.com/aquasecurity/fanal v0.0.0-20210805105520-af267919a460 h1:9e7hKVfaGsysdfXoeM/PsmKtIcGe31kIuH7XUNw/hRs=
+github.com/aquasecurity/fanal v0.0.0-20210805105520-af267919a460/go.mod h1:3pvm36KePuLCzQxpg/zPVerL/4sZUgJvefXneZpesbs=
+github.com/aquasecurity/go-dep-parser v0.0.0-20210725132212-29708b56ea7f h1:OT+1o8sddEHlLcP1wx2tgR071fQcqPRrPetjZqnS6bY=
+github.com/aquasecurity/go-dep-parser v0.0.0-20210725132212-29708b56ea7f/go.mod h1:Cv/FOCXy6gwvDbz/KX48+y//SmbnKroFwW5hquXn5G4=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
 github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798 h1:eveqE9ivrt30CJ7dOajOfBavhZ4zPqHcZe/4tKp0alc=
@@ -201,6 +201,8 @@ github.com/aquasecurity/tfsec v0.46.0 h1:R9djHTpk+YrFuFv2GRdfU4rRz6uk5wLrgfx1fp9
 github.com/aquasecurity/tfsec v0.46.0/go.mod h1:Dafx5dX/1QV1d5en62shpzEXfq5F31IG6oNNxhleV5Y=
 github.com/aquasecurity/trivy-db v0.0.0-20210531102723-aaab62dec6ee h1:LeTtvFgevJhupkFcVVVwAYsXd2HM+VG4NW8WRpMssxQ=
 github.com/aquasecurity/trivy-db v0.0.0-20210531102723-aaab62dec6ee/go.mod h1:N7CWA/vjVw78GWAdCJGhFQVqNGEA4e47a6eIWm+C/Bc=
+github.com/aquasecurity/trivy-db v0.0.0-20210809142931-da8e09204404 h1:6nJle4kjovrm3gK+xl1iuYkv1vbbMRRviHkR7fj3Tjc=
+github.com/aquasecurity/trivy-db v0.0.0-20210809142931-da8e09204404/go.mod h1:N7CWA/vjVw78GWAdCJGhFQVqNGEA4e47a6eIWm+C/Bc=
 github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2 h1:xbdUfr2KE4THsFx9CFWtWpU91lF+YhgP46moV94nYTA=
 github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2/go.mod h1:6NhOP0CjZJL27bZZcaHECtzWdwDDm2g6yCY0QgXEGQQ=
 github.com/araddon/dateparse v0.0.0-20190426192744-0d74ffceef83/go.mod h1:SLqhdZcd+dF3TEVL2RMoob5bBP5R1P1qkox+HtCBgGI=
diff --git a/integration/fs_test.go b/integration/fs_test.go
index 5d1610a91ae6..40eb41c14f62 100644
--- a/integration/fs_test.go
+++ b/integration/fs_test.go
@@ -36,6 +36,14 @@ func TestFilesystem(t *testing.T) {
 },
 golden: "testdata/nodejs.json.golden",
 },
+ {
+ name: "pip",
+ args: args{
+ securityChecks: "vuln",
+ input: "testdata/fixtures/fs/pip",
+ },
+ golden: "testdata/pip.json.golden",
+ },
 {
 name: "dockerfile",
 args: args{
diff --git a/integration/testdata/alpine-310-registry.json.golden b/integration/testdata/alpine-310-registry.json.golden
index 4074905eabb4..c76d8ae5b60f 100644
--- a/integration/testdata/alpine-310-registry.json.golden
+++ b/integration/testdata/alpine-310-registry.json.golden
@@ -1,6 +1,7 @@
 [
 {
- "Target": "localhost:55015/alpine:3.10 (alpine 3.10.2)",
+ "Target": "localhost:32779/alpine:3.10 (alpine 3.10.2)",
+ "Class": "os-pkgs",
 "Type": "alpine",
 "Vulnerabilities": [
 {
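Review bot: The new `pip` case does not state what the scanner is expected to do with a range specifier: the fixture it points at (requirements.txt, added in this commit) mixes pinned `==` entries with one unpinned `MarkupSafe>2.0.0`, while the referenced golden lists Werkzeug findings only, so whether that entry is parsed to a version, skipped, or reported is invisible from the test. Silently dropping unpinned entries would be a false-negative path for a manifest-only scan, so the expectation is worth recording on the case, e.g. `// fixture mixes pinned (==) and range (>) specifiers; only pinned Werkzeug 0.11 is expected to yield findings`. The same point applies to the requirements.txt hunk, where a `#` comment on the MarkupSafe line would serve. The golden also carries a `Layer.DiffID` for a directory scan, which presumably reflects how filesystem scans are represented internally rather than anything this case controls. TestFilesystem's table starts and ends outside the hunk.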
diff --git a/integration/testdata/fixtures/fs/pip/requirements.txt b/integration/testdata/fixtures/fs/pip/requirements.txt
new file mode 100644
index 000000000000..da45028f7219
--- /dev/null
+++ b/integration/testdata/fixtures/fs/pip/requirements.txt
@@ -0,0 +1,6 @@
+click==8.0.0
+Flask==2.0.0
+itsdangerous==2.0.0
+Jinja2==3.0.0
+MarkupSafe>2.0.0
+Werkzeug==0.11
diff --git a/integration/testdata/pip.json.golden b/integration/testdata/pip.json.golden
new file mode 100644
index 000000000000..1f0345252329
--- /dev/null
+++ b/integration/testdata/pip.json.golden
@@ -0,0 +1,121 @@
+[
+ {
+ "Target": "requirements.txt",
+ "Class": "lang-pkgs",
+ "Type": "pip",
+ "Vulnerabilities": [
+ {
+ "VulnerabilityID": "CVE-2019-14806",
+ "PkgName": "Werkzeug",
+ "InstalledVersion": "0.11",
+ "FixedVersion": "0.15.3",
+ "Layer": {
+ "DiffID": "sha256:6393f36bbbee0b53834ba0f9f585194d9e5ab56b555a2910551254fc8a2aec19"
+ },
+ "SeveritySource": "nvd",
+ "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14806",
+ "Title": "python-werkzeug: insufficient debugger PIN randomness vulnerability",
+ "Description": "Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.",
+ "Severity": "HIGH",
+ "CweIDs": [
+ "CWE-331"
+ ],
+ "CVSS": {
+ "nvd": {
+ "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+ "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "V2Score": 5,
+ "V3Score": 7.5
+ },
+ "redhat": {
+ "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "V3Score": 7.5
+ }
+ },
+ "References": [
+ "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00034.html",
+ "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00047.html",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14806",
+ "https://github.com/pallets/werkzeug/blob/7fef41b120327d3912fbe12fb64f1951496fcf3e/src/werkzeug/debug/__init__.py#L168",
+ "https://github.com/pallets/werkzeug/commit/00bc43b1672e662e5e3b8cecd79e67fc968fa246",
+ "https://nvd.nist.gov/vuln/detail/CVE-2019-14806",
+ "https://palletsprojects.com/blog/werkzeug-0-15-3-released/"
+ ],
+ "PublishedDate": "2019-08-09T15:15:00Z",
+ "LastModifiedDate": "2019-09-11T00:15:00Z"
+ },
+ {
+ "VulnerabilityID": "CVE-2016-10516",
+ "PkgName": "Werkzeug",
+ "InstalledVersion": "0.11",
+ "FixedVersion": "0.11.11",
+ "Layer": {
+ "DiffID": "sha256:6393f36bbbee0b53834ba0f9f585194d9e5ab56b555a2910551254fc8a2aec19"
+ },
+ "SeveritySource": "nvd",
+ "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-10516",
+ "Title": "python-werkzeug: Cross-site scripting in render_full function in debug/tbtools.py",
+ "Description": "Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote attackers to inject arbitrary web script or HTML via a field that contains an exception message.",
+ "Severity": "MEDIUM",
+ "CweIDs": [
+ "CWE-79"
+ ],
+ "CVSS": {
+ "nvd": {
+ "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
+ "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
+ "V2Score": 4.3,
+ "V3Score": 6.1
+ },
+ "redhat": {
+ "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
+ "V3Score": 7.1
+ }
+ },
+ "References": [
+ "http://blog.neargle.com/2016/09/21/flask-src-review-get-a-xss-from-debuger/",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10516",
+ "https://github.com/pallets/werkzeug/pull/1001",
+ "https://lists.debian.org/debian-lts-announce/2017/11/msg00037.html",
+ "https://usn.ubuntu.com/usn/usn-3463-1"
+ ],
+ "PublishedDate": "2017-10-23T16:29:00Z",
+ "LastModifiedDate": "2018-02-04T02:29:00Z"
+ },
+ {
+ "VulnerabilityID": "CVE-2020-28724",
+ "PkgName": "Werkzeug",
+ "InstalledVersion": "0.11",
+ "FixedVersion": "0.11.6",
+ "Layer": {
+ "DiffID": "sha256:6393f36bbbee0b53834ba0f9f585194d9e5ab56b555a2910551254fc8a2aec19"
+ },
+ "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28724",
+ "Title": "Werkzeug before 0.11.6 includes an open redirect vulnerability via a double slash in the URL. See CVE-2020-28724.",
+ "Severity": "UNKNOWN"
+ },
+ {
+ "VulnerabilityID": "pyup.io-26435",
+ "PkgName": "Werkzeug",
+ "InstalledVersion": "0.11",
+ "FixedVersion": "0.12",
+ "Layer": {
+ "DiffID": "sha256:6393f36bbbee0b53834ba0f9f585194d9e5ab56b555a2910551254fc8a2aec19"
+ },
+ "Title": "The defaults of ``generate_password_hash`` in werkzeug 0.12 have been changed to more secure ones, see pull request ``#753``.",
+ "Severity": "UNKNOWN"
+ },
+ {
+ "VulnerabilityID": "pyup.io-36967",
+ "PkgName": "Werkzeug",
+ "InstalledVersion": "0.11",
+ "FixedVersion": "0.15.0",
+ "Layer": {
+ "DiffID": "sha256:6393f36bbbee0b53834ba0f9f585194d9e5ab56b555a2910551254fc8a2aec19"
+ },
+ "Title": "Werkzeug 0.15.0 refactors class:`~middleware.proxy_fix.ProxyFix` to support more headers, multiple values, and a more secure configuration.",
+ "Severity": "UNKNOWN"
+ }
+ ]
+ }
+]
\ No newline at end of file
diff --git a/pkg/detector/library/driver.go b/pkg/detector/library/driver.go
index a383f6b563a1..738762fe085d 100644
--- a/pkg/detector/library/driver.go
+++ b/pkg/detector/library/driver.go
@@ -33,7 +33,7 @@ func NewDriver(libType string) (Driver, error) {
 driver = newComposerDriver()
 case ftypes.Npm, ftypes.Yarn:
 driver = newNpmDriver()
- case ftypes.Pipenv, ftypes.Poetry:
+ case ftypes.Pipenv, ftypes.Poetry, ftypes.Pip:
 driver = newPipDriver()
 case ftypes.NuGet:
 driver = newNugetDriver()
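Review bot: Routing `ftypes.Pip` through `newPipDriver()` reuses the Pipenv/Poetry advisory lookup for requirements.txt, but unlike a lockfile a requirements line may carry a range instead of an exact version (the fixture added in this commit has `MarkupSafe>2.0.0`), and from this hunk it is not visible whether the driver ever receives such an entry or the parser drops it upstream. An entry dropped without a trace is a false-negative path for a manifest-only scan, so the assumption deserves a comment on the case, e.g. `// ftypes.Pip: requirements.txt may hold range specifiers; the driver expects exact versions, unresolvable entries are handled by the parser`, adjusted to whatever the parser actually guarantees. NewDriver starts and ends outside the hunk.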