ossaudit

Release 0.5.0

Audit python packages for known vulnerabilities

Homepage PyPI Python

License
BSD-2-Clause
Install
pip install ossaudit==0.5.0

Documentation

Build Status Cov

ossaudit

About

ossaudit uses Sonatype OSS Index to audit Python packages for known vulnerabilities.

It can check installed packages and/or packages specified in dependency files. The following formats are supported with dparse:

  • PIP requirement files
  • Pipfile
  • Pipfile.lock
  • tox.ini
  • conda.yml

Installation

Normal

pip install ossaudit

Development

Clone this repository and:

make install-dev

This installs ossaudit with pip. Note that each dependency in requirements/* is pinned with the hash for their respective source tarball. If you don't care about that you could simply:

./setup.py develop

Usage

$ ossaudit --help
Usage: ossaudit [OPTIONS]

Options:
  -c, --config TEXT    Configuration file.
  -i, --installed      Audit installed packages.
  -f, --file FILENAME  Audit packages in file (can be specified multiple
                       times).
  --username TEXT      Username for authentication.
  --token TEXT         Token for authentication.
  --column TEXT        Column to show (can be specified multiple times).
                       [default: name, version, title]
  --ignore-id TEXT     Ignore a vulnerability by Sonatype ID or CVE (can be
                       specified multiple times).
  --ignore-cache       Temporarily ignore existing cache.
  --reset-cache        Remove existing cache.
  --help               Show this message and exit.

Configuration

Appdirs is used to determine storage paths. This means that the location of the configuration file is platform-specific:

  • *nix: ~/.config/ossaudit/config.ini
  • macOS: ~/Library/Preferences/ossaudit/config.ini
  • Windows: C:\Users\<username>\AppData\Local\ossaudit\ossaudit\config.ini

It can be overridden with the --config command-line argument and with the OSSAUDIT_CONFIG environment variable.

Example configuration:

[ossaudit]
# Optional: OSS Index username.
username = string

# Optional: OSS Index token
token = string

# Optional: comma-separated list of columns to show.
# Default: name, version, title
# Supported: id, name, version, cve, cvss_score, title, description
columns = name, version, title

# Optional: comman-separated list of vulnerability IDs (Sonatype ID or CVE) to ignore.
ignore-ids = x,y,z

Authentication is not required. However, requests are rate limited and authenticated requests are less restricted. A free account can be created on OSS Index

Stats

Dependencies
5
Dependent packages
3
Dependent repositories
3
Total releases
5
Latest release
First release
Stars
11
Forks
3
Watchers
2
Contributors
2
Repository size
94.7 KB
SourceRank
9

Development practices

Source repo 2FA enabled
TEXT!
Package manager 2FA enabled
TEXT!
Is security responsive
TEXT!
Dependencies are managed
TEXT!
Issue-free release available
TEXT!
Succession plan available
TEXT!
Package manager 2FA enabled
TEXT!

The Tidelift Subscription provides access to a continuously curated stream of human-researched and maintainer-verified data on open source packages and their licenses, releases, vulnerabilities, and development practices.

Learn more

Releases

0.5.0
0.4.0
0.3.0
0.2.0
0.1.0

Contributors

Hans Jerry Illikainen sseide


See all contributors

Something wrong with this page? Make a suggestion

Export .ABOUT file for this package

Last synced: 2023-12-02 01:19:59 UTC

Login to resync this project