How to Find Vulnerabilities in Python Dependency Libraries
With the popularity of Python, the number of Python libraries keeps growing. Many developers pay attention only to the environment their own code depends on, while overlooking that the versions of the libraries they import may themselves contain vulnerabilities. If you do not check and update your Python dependencies in time, the code you write may well be vulnerable simply because it pulls in a library with a known vulnerability.
How to avoid this risk
Today we introduce a tool for detecting vulnerabilities in a Python library environment.
pip-audit is a tool for scanning Python environments for packages with known vulnerabilities. It uses the Python Packaging Advisory Database as its source of vulnerability reports, accessed through the PyPI JSON API.
The project was developed by Trail of Bits with support from Google. It is not an official Google product.
How to use it
Installation
pip-audit requires Python 3.6 or newer and can be installed directly with pip:
python -m pip install pip-audit
Usage
usage: pip-audit [-h] [-V] [-l] [-r REQUIREMENTS] [-f FORMAT] [-s SERVICE]
                 [-d] [-S] [--desc [{on,off,auto}]] [--cache-dir CACHE_DIR]
                 [--progress-spinner {on,off}] [--timeout TIMEOUT]

audit the Python environment for dependencies with known vulnerabilities

optional arguments:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit
  -l, --local           show only results for dependencies in the local
                        environment (default: False)
  -r REQUIREMENTS, --requirement REQUIREMENTS
                        audit the given requirements file; this option can be
                        used multiple times (default: None)
  -f FORMAT, --format FORMAT
                        the format to emit audit results in (choices: columns,
                        json, cyclonedx-json, cyclonedx-xml) (default:
                        columns)
  -s SERVICE, --vulnerability-service SERVICE
                        the vulnerability service to audit dependencies
                        against (choices: osv, pypi) (default: pypi)
  -d, --dry-run         collect all dependencies but do not perform the
                        auditing step (default: False)
  -S, --strict          fail the entire audit if dependency collection fails
                        on any dependency (default: False)
  --desc [{on,off,auto}]
                        include a description for each vulnerability; `auto`
                        defaults to `on` for the `json` format. This flag has
                        no effect on the `cyclonedx-json` or `cyclonedx-xml`
                        formats. (default: auto)
  --cache-dir CACHE_DIR
                        the directory to use as an HTTP cache for PyPI; uses
                        the `pip` HTTP cache by default (default: None)
  --progress-spinner {on,off}
                        display a progress spinner (default: on)
  --timeout TIMEOUT     set the socket timeout (default: 15)
Examples
Audit the dependencies of the current Python environment:
$ pip-audit
No known vulnerabilities found
Audit the dependencies listed in a given requirements file:
$ pip-audit -r ./requirements.txt
No known vulnerabilities found
Audit the dependencies of the current Python environment, excluding system packages:
$ pip-audit -r ./requirements.txt -l
No known vulnerabilities found
Audit dependencies when vulnerabilities are present:
$ pip-audit
Found 2 known vulnerabilities in 1 packages
Name  Version ID             Fix Versions
----  ------- -------------- ------------
Flask 0.5     PYSEC-2019-179 1.0
Flask 0.5     PYSEC-2018-66  0.12.3
Audit dependencies and include a description for each vulnerability:
$ pip-audit --desc
Found 2 known vulnerabilities in 1 packages
Name  Version ID             Fix Versions Description
----  ------- -------------- ------------ --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flask 0.5     PYSEC-2019-179 1.0          The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656.
Flask 0.5     PYSEC-2018-66  0.12.3       The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.
Audit dependencies and emit the results as JSON:
$ pip-audit -f json | jq
Found 2 known vulnerabilities in 1 packages
[
{
"name": "flask",
"version": "0.5",
"vulns": [
{
"id": "PYSEC-2019-179",
"fix_versions": [
"1.0"
],
"description": "The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656."
},
{
"id": "PYSEC-2018-66",
"fix_versions": [
"0.12.3"
],
"description": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083."
}
]
},
{
"name": "jinja2",
"version": "3.0.2",
"vulns": []
},
{
"name": "pip",
"version": "21.3.1",
"vulns": []
},
{
"name": "setuptools",
"version": "57.4.0",
"vulns": []
},
{
"name": "werkzeug",
"version": "2.0.2",
"vulns": []
},
{
"name": "markupsafe",
"version": "2.0.1",
"vulns": []
}
]
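The JSON report above is what you would feed into a CI gate. As an added example (not part of the original post or of pip-audit itself), the script below reads that report from stdin, works out for each vulnerable package the lowest version that closes every advisory, and exits non-zero so the pipeline step fails; the embedded sample report and the script name audit_gate.py are constructed for illustration.

```python
import json
import re

# Constructed sample in the layout pip-audit emits with `-f json` (same shape
# as the Flask report above; descriptions shortened for space).
SAMPLE_REPORT = """[
  {"name": "flask", "version": "0.5", "vulns": [
    {"id": "PYSEC-2019-179", "fix_versions": ["1.0"],
     "description": "unexpected memory usage, denial of service"},
    {"id": "PYSEC-2018-66", "fix_versions": ["0.12.3"],
     "description": "CWE-20 improper input validation"}]},
  {"name": "jinja2", "version": "3.0.2", "vulns": []}
]"""

def version_key(version):
    """Sortable key from the numeric dotted parts only. Assumption: fix
    versions carry no pre-release tags; use `packaging` for the general case."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def summarize(report_json):
    """Map each vulnerable package to its advisory IDs and the lowest version
    that closes all of them: lowest fix per advisory, highest across them.
    upgrade_to is None when some advisory has no fix version yet."""
    findings = {}
    for dep in json.loads(report_json):
        if not dep["vulns"]:
            continue
        per_advisory = []
        for vuln in dep["vulns"]:
            fixes = vuln.get("fix_versions") or []
            per_advisory.append(min(fixes, key=version_key) if fixes else None)
        all_fixable = all(fix is not None for fix in per_advisory)
        findings[dep["name"]] = {
            "version": dep["version"],
            "ids": [vuln["id"] for vuln in dep["vulns"]],
            "upgrade_to": max(per_advisory, key=version_key) if all_fixable else None,
        }
    return findings

def ci_exit_code(report_json):
    """Non-zero when any dependency has an open advisory, so a CI step fails."""
    return 1 if summarize(report_json) else 0

if __name__ == "__main__":  # usage: pip-audit -f json | python audit_gate.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    for name, info in summarize(data).items():
        print(f"{name} {info['version']}: {', '.join(info['ids'])} -> "
              f"upgrade to {info['upgrade_to'] or 'no complete fix yet'}")
    sys.exit(ci_exit_code(data))
```

Note that the "Found N known vulnerabilities" line goes to stderr, so only the JSON array reaches the script through the pipe.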
Source: ITPUB blog, link: http://blog.itpub.net/70023145/viewspace-2931201/. If you reprint this article, please cite the source; otherwise legal responsibility will be pursued.