您好,登录后才能下订单哦!
今天小编给大家分享一下python的pip-audit安全漏洞扫描工具怎么用的相关知识点,内容详细,逻辑清晰,相信大部分人都还太了解这方面的知识,所以分享这篇文章给大家参考一下,希望大家阅读完这篇文章后有所收获,下面我们一起来了解一下吧。
pip-audit是一款功能强大的安全漏洞扫描工具,该工具主要针对Python环境,可以帮助广大研究人员扫描和测试Python包中的已知安全漏洞。pip-audit使用了PythonPackagingAdvisory数据库PyPIJSONAPI作为漏洞报告源。
1、支持对本地环境和依赖组件(requirements风格文件)进行安全审计;
2、支持多种漏洞服务(PyPI、OSV);
3、支持以CycloneDX XML或JSON格式发送SBOM;
4、提供人类和机器均可读的输出格式(columnar、JSON);
5、无缝接入 / 重用本地pip缓存;
pip-audit基于Python开发,且要求本地环境为Python 3.7或更新版本。安装并配置好Python环境之后,就可以使用下列命令并通过pip来安装pip-audit了:
python -m pip install pip-audit
pip-audit的正常运行需要使用到多个第三方包,具体组件包名称和版本如下图所示:
除此之外,我们还可以通过conda来安装pip-audit:
conda install -c conda-forge pip-audit
我们可以直接将pip-audit以独立程序运行,或通过“python -m”运行:
pip-audit --help python -m pip_audit --help
usage: pip-audit [-h] [-V] [-l] [-r REQUIREMENTS] [-f FORMAT] [-s SERVICE] [-d] [-S] [--desc [{on,off,auto}]] [--cache-dir CACHE_DIR] [--progress-spinner {on,off}] [--timeout TIMEOUT] [--path PATHS] [-v] [--fix] [--require-hashes] audit the Python environment for dependencies with known vulnerabilities optional arguments: -h, --help show this help message and exit -V, --version show program's version number and exit -l, --local show only results for dependencies in the local environment (default: False) -r REQUIREMENTS, --requirement REQUIREMENTS audit the given requirements file; this option can be used multiple times (default: None) -f FORMAT, --format FORMAT the format to emit audit results in (choices: columns, json, cyclonedx-json, cyclonedx-xml) (default: columns) -s SERVICE, --vulnerability-service SERVICE the vulnerability service to audit dependencies against (choices: osv, pypi) (default: pypi) -d, --dry-run without `--fix`: collect all dependencies but do not perform the auditing step; with `--fix`: perform the auditing step but do not perform any fixes (default: False) -S, --strict fail the entire audit if dependency collection fails on any dependency (default: False) --desc [{on,off,auto}] include a description for each vulnerability; `auto` defaults to `on` for the `json` format. This flag has no effect on the `cyclonedx-json` or `cyclonedx-xml` formats. (default: auto) --cache-dir CACHE_DIR the directory to use as an HTTP cache for PyPI; uses the `pip` HTTP cache by default (default: None) --progress-spinner {on,off} display a progress spinner (default: on) --timeout TIMEOUT set the socket timeout (default: 15) --path PATHS restrict to the specified installation path for auditing packages; this option can be used multiple times (default: []) -v, --verbose give more output; this setting overrides the `PIP_AUDIT_LOGLEVEL` variable and is equivalent to setting it to `debug` (default: False) --fix automatically upgrade dependencies with known vulnerabilities (default: False) --require-hashes require a hash to check each requirement against, for repeatable audits; this option is implied when any package in a requirements file has a `--hash` option. (default: False)
任务完成后, pip-audit将会退出运行,并返回一个代码以显示其状态,其中:
0:未检测到已知漏洞;
1:检测到了一个或多个已知漏洞;
审计当前Python环境中的依赖:
$ pip-audit No known vulnerabilities found
审计给定requirements文件的依赖:
$ pip-audit -r ./requirements.txt No known vulnerabilities found
审计一个requirements文件,并排除系统包:
$ pip-audit -r ./requirements.txt -l No known vulnerabilities found
审计依赖中发现的安全漏洞:
$ pip-audit Found 2 known vulnerabilities in 1 package Name Version ID Fix Versions ---- ------- -------------- ------------ Flask 0.5 PYSEC-2019-179 1.0 Flask 0.5 PYSEC-2018-66 0.12.3
审计依赖(包含描述):
$ pip-audit --desc Found 2 known vulnerabilities in 1 package Name Version ID Fix Versions Description ---- ------- -------------- ------------ -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Flask 0.5 PYSEC-2019-179 1.0 The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1\. NOTE: this may overlap CVE-2018-1000656. Flask 0.5 PYSEC-2018-66 0.12.3 The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3\. NOTE: this may overlap CVE-2019-1010083.
审计JSON格式依赖:
$ pip-audit -f json | jq Found 2 known vulnerabilities in 1 package [ { "name": "flask", "version": "0.5", "vulns": [ { "id": "PYSEC-2019-179", "fix_versions": [ "1.0" ], "description": "The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1\. NOTE: this may overlap CVE-2018-1000656." }, { "id": "PYSEC-2018-66", "fix_versions": [ "0.12.3" ], "description": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3\. NOTE: this may overlap CVE-2019-1010083." } ] }, { "name": "jinja2", "version": "3.0.2", "vulns": [] }, { "name": "pip", "version": "21.3.1", "vulns": [] }, { "name": "setuptools", "version": "57.4.0", "vulns": [] }, { "name": "werkzeug", "version": "2.0.2", "vulns": [] }, { "name": "markupsafe", "version": "2.0.1", "vulns": [] } ]
审计并尝试自动审计存在漏洞的依赖:
$ pip-audit --fix Found 2 known vulnerabilities in 1 package and fixed 2 vulnerabilities in 1 package Name Version ID Fix Versions Applied Fix ----- ------- -------------- ------------ ---------------------------------------- flask 0.5 PYSEC-2019-179 1.0 Successfully upgraded flask (0.5 => 1.0) flask 0.5 PYSEC-2018-66 0.12.3 Successfully upgraded flask (0.5 => 1.0)
本项目的开发与发布遵循 Apache 2.0开源许可证协议。
以上就是“python的pip-audit安全漏洞扫描工具怎么用”这篇文章的所有内容,感谢各位的阅读!相信大家阅读完这篇文章都有很大的收获,小编每天都会为大家更新不同的知识,如果还想学习更多的知识,请关注亿速云行业资讯频道。
免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。