How to find vulnerabilities in Python dependency libraries
With the popularity of Python, the number of Python libraries keeps growing. Many developers only pay attention to the environment their own code depends on and overlook the fact that a library at a given version may itself carry a vulnerability. If you do not check and update your Python dependencies in time, the code you write may well be vulnerable itself, simply because it imports a library with a known vulnerability.
How to avoid this risk
Today we introduce a tool that checks a Python library environment for vulnerabilities.
pip-audit is a tool for scanning Python environments for packages with known vulnerabilities. It uses the Python Packaging Advisory Database as its source of vulnerability reports, accessed through the PyPI JSON API.
The project was developed by Trail of Bits with support from Google. It is not an official Google product.
How to use it
Installation
pip-audit requires Python 3.6 or newer and can be installed directly with pip:
python -m pip install pip-audit
Usage
usage: pip-audit [-h] [-V] [-l] [-r REQUIREMENTS] [-f FORMAT] [-s SERVICE]
[-d] [-S] [--desc [{on,off,auto}]] [--cache-dir CACHE_DIR]
[--progress-spinner {on,off}] [--timeout TIMEOUT]
audit the Python environment for dependencies with known vulnerabilities
optional arguments:
-h, --help show this help message and exit
-V, --version show program's version number and exit
-l, --local show only results for dependencies in the local
environment (default: False)
-r REQUIREMENTS, --requirement REQUIREMENTS
audit the given requirements file; this option can be
used multiple times (default: None)
-f FORMAT, --format FORMAT
the format to emit audit results in (choices: columns,
json, cyclonedx-json, cyclonedx-xml) (default:
columns)
-s SERVICE, --vulnerability-service SERVICE
the vulnerability service to audit dependencies
against (choices: osv, pypi) (default: pypi)
-d, --dry-run collect all dependencies but do not perform the
auditing step (default: False)
-S, --strict fail the entire audit if dependency collection fails
on any dependency (default: False)
--desc [{on,off,auto}]
include a description for each vulnerability; `auto`
defaults to `on` for the `json` format. This flag has
no effect on the `cyclonedx-json` or `cyclonedx-xml`
formats. (default: auto)
--cache-dir CACHE_DIR
the directory to use as an HTTP cache for PyPI; uses
the `pip` HTTP cache by default (default: None)
--progress-spinner {on,off}
display a progress spinner (default: on)
--timeout TIMEOUT set the socket timeout (default: 15)
Examples
Audit the dependencies of the current Python environment:
$ pip-audit
No known vulnerabilities found
Audit the dependencies of a given requirements file:
$ pip-audit -r ./requirements.txt
No known vulnerabilities found
Audit the dependencies of the current Python environment, excluding system packages:
$ pip-audit -r ./requirements.txt -l
No known vulnerabilities found
Audit dependencies when vulnerabilities are present:
$ pip-audit
Found 2 known vulnerabilities in 1 packages
Name Version ID Fix Versions
---- ------- -------------- ------------
Flask 0.5 PYSEC-2019-179 1.0
Flask 0.5 PYSEC-2018-66 0.12.3
Audit dependencies and include a description for each vulnerability:
$ pip-audit --desc
Found 2 known vulnerabilities in 1 packages
Name Version ID Fix Versions Description
---- ------- -------------- ------------ --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flask 0.5 PYSEC-2019-179 1.0 The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656.
Flask 0.5 PYSEC-2018-66 0.12.3 The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.
Audit dependencies with JSON output:
$ pip-audit -f json | jq
Found 2 known vulnerabilities in 1 packages
[
{
"name": "flask",
"version": "0.5",
"vulns": [
{
"id": "PYSEC-2019-179",
"fix_versions": [
"1.0"
],
"description": "The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656."
},
{
"id": "PYSEC-2018-66",
"fix_versions": [
"0.12.3"
],
"description": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083."
}
]
},
{
"name": "jinja2",
"version": "3.0.2",
"vulns": []
},
{
"name": "pip",
"version": "21.3.1",
"vulns": []
},
{
"name": "setuptools",
"version": "57.4.0",
"vulns": []
},
{
"name": "werkzeug",
"version": "2.0.2",
"vulns": []
},
{
"name": "markupsafe",
"version": "2.0.1",
"vulns": []
}
]
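Consuming that JSON output in a CI pipeline, as an added example that is not part of the original post or of pip-audit itself: the script below parses the `-f json` shape shown above (embedded as a constructed sample), derives the lowest version of each package that closes all of its reported advisories, emits requirement constraints, and returns a non-zero gate status. The version-ordering helper is a simplification for numeric release strings.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape pip-audit emits with `-f json`, trimmed to the
# vulnerable package and one clean package from the output shown above.
SAMPLE_AUDIT_JSON = """[
  {"name": "flask", "version": "0.5", "vulns": [
    {"id": "PYSEC-2019-179", "fix_versions": ["1.0"], "description": "..."},
    {"id": "PYSEC-2018-66", "fix_versions": ["0.12.3"], "description": "..."}
  ]},
  {"name": "jinja2", "version": "3.0.2", "vulns": []}
]"""

def _version_key(version: str) -> Tuple[int, ...]:
    # Simplified ordering for dotted numeric releases; a real tool should use
    # packaging.version.Version, which also understands pre-release suffixes.
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def findings(audit_json: str) -> List[Tuple[str, str, str]]:
    """Every reported advisory as (package, installed version, advisory id)."""
    return [(dep["name"], dep["version"], vuln["id"])
            for dep in json.loads(audit_json) for vuln in dep.get("vulns", [])]

def minimum_safe_versions(audit_json: str) -> Dict[str, Optional[str]]:
    """Lowest version per vulnerable package that closes all of its advisories.

    An advisory may list several fixed versions (one per release line) and the
    oldest fix for one advisory can predate the fix for another, so take the
    oldest fix per advisory, then the newest of those. No fix at all -> None.
    """
    safe: Dict[str, Optional[str]] = {}
    for dep in json.loads(audit_json):
        per_advisory = [min(v["fix_versions"], key=_version_key) if v.get("fix_versions")
                        else None for v in dep.get("vulns", [])]
        if per_advisory:
            safe[dep["name"]] = (None if None in per_advisory
                                 else max(per_advisory, key=_version_key))
    return safe

def constraints(audit_json: str) -> List[str]:
    """Requirement specifiers that move each fixable package past its advisories."""
    return [f"{name}>={version}" for name, version
            in sorted(minimum_safe_versions(audit_json).items()) if version]

def gate(audit_json: str) -> int:
    """CI exit status: 1 when any advisory was reported, else 0."""
    return 1 if findings(audit_json) else 0
```

In a pipeline, pipe the stdout of `pip-audit -f json` into these functions and fail the job on a non-zero gate status; a package that maps to None has an advisory without a published fix and needs a manual decision rather than a version bump.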
From "ITPUB Blog", link: http://blog.itpub.net/70023145/viewspace-2931201/. If you reprint this article, please cite the source; otherwise legal liability will be pursued.