关于pip-audit
pip-audit是一款功能强大的安全漏洞扫描工具,该工具主要针对Python环境,可以帮助广大研究人员扫描和测试Python包中的已知安全漏洞。pip-audit使用了PythonPackagingAdvisory数据库和PyPIJSONAPI作为漏洞报告源。
功能介绍
- 支持对本地环境和依赖组件(requirements风格文件)进行安全审计;
- 支持多种漏洞服务(PyPI、OSV);
- 支持以CycloneDX XML或JSON格式发送SBOM;
- 提供人类和机器均可读的输出格式(columnar、JSON);
- 无缝接入 / 重用本地pip缓存;
工具安装
pip-audit基于Python开发,且要求本地环境为Python 3.7或更新版本。安装并配置好Python环境之后,就可以使用下列命令并通过pip来安装pip-audit了:
python-mpipinstallpip-audit
第三方包
pip-audit的正常运行需要使用到多个第三方包,具体组件包名称和版本如下图所示:
除此之外,我们还可以通过conda来安装pip-audit:
condainstall-cconda-forgepip-audit
工具使用
我们可以直接将pip-audit以独立程序运行,或通过”python -m”运行:
pip-audit--help
python-mpip_audit--help
usage: pip-audit [-h] [-V] [-l] [-rREQUIREMENTS] [-fFORMAT] [-sSERVICE]
[-d] [-S] [--desc [{on,off,auto}]] [--cache-dirCACHE_DIR]
[--progress-spinner {on,off}] [--timeoutTIMEOUT]
[--pathPATHS] [-v] [--fix] [--require-hashes]
auditthePythonenvironmentfordependencieswithknownvulnerabilities
optionalarguments:
-h, --helpshowthishelpmessageandexit
-V, --versionshowprogram's version number and exit
-l, --localshowonlyresultsfordependenciesinthelocal
environment (default: False)
-rREQUIREMENTS, --requirementREQUIREMENTS
auditthegivenrequirementsfile; thisoptioncanbe
usedmultipletimes (default: None)
-fFORMAT, --formatFORMAT
theformattoemitauditresultsin (choices: columns,
json, cyclonedx-json, cyclonedx-xml) (default:
columns)
-sSERVICE, --vulnerability-serviceSERVICE
thevulnerabilityservicetoauditdependencies
against (choices: osv, pypi) (default: pypi)
-d, --dry-runwithout`--fix`: collectalldependenciesbutdonot
performtheauditingstep; with`--fix`: performthe
auditingstepbutdonotperformanyfixes (default:
False)
-S, --strictfailtheentireauditifdependencycollectionfails
onanydependency (default: False)
--desc [{on,off,auto}]
includeadescriptionforeachvulnerability; `auto`
defaultsto`on`forthe`json`format. Thisflaghas
noeffectonthe`cyclonedx-json`or`cyclonedx-xml`
formats. (default: auto)
--cache-dirCACHE_DIR
thedirectorytouseasanHTTPcacheforPyPI; uses
the`pip`HTTPcachebydefault (default: None)
--progress-spinner {on,off}
displayaprogressspinner (default: on)
--timeoutTIMEOUTsetthesockettimeout (default: 15)
--pathPATHSrestricttothespecifiedinstallationpathfor
auditingpackages; thisoptioncanbeusedmultiple
times (default: [])
-v, --verbosegivemoreoutput; thissettingoverridesthe
`PIP_AUDIT_LOGLEVEL`variableandisequivalentto
settingitto`debug` (default: False)
--fixautomaticallyupgradedependencieswithknown
vulnerabilities (default: False)
--require-hashesrequireahashtocheckeachrequirementagainst, for
repeatableaudits; thisoptionisimpliedwhenany
packageinarequirementsfilehasa`--hash`option.
(default: False)
退出代码
任务完成后, pip-audit将会退出运行,并返回一个代码以显示其状态,其中:
- 0:未检测到已知漏洞;
- 1:检测到了一个或多个已知漏洞;
工具使用样例
审计当前Python环境中的依赖:
$pip-audit
Noknownvulnerabilitiesfound
$ pip-audit No known vulnerabilities found审计给定requirements文件的依赖:
$pip-audit-r ./requirements.txt
Noknownvulnerabilitiesfound
审计一个requirements文件,并排除系统包:
$pip-audit-r ./requirements.txt-l
Noknownvulnerabilitiesfound
审计依赖中发现的安全漏洞:
$pip-audit
Found2knownvulnerabilitiesin1package
NameVersionIDFixVersions
-------------------------------------
Flask0.5PYSEC-2019-1791.0
Flask0.5PYSEC-2018-660.12.3
审计依赖(包含描述):
$pip-audit--desc
Found2knownvulnerabilitiesin1package
NameVersionIDFixVersionsDescription
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flask0.5PYSEC-2019-1791.0ThePalletsProjectFlaskbefore1.0isaffectedby: unexpectedmemoryusage. Theimpactis: denialofservice. Theattackvectoris: craftedencodedJSONdata. Thefixedversionis: 1.NOTE: thismayoverlapCVE-2018-1000656.
Flask0.5PYSEC-2018-660.12.3ThePalletsProjectflaskversionBefore0.12.3containsaCWE-20: ImproperInputValidationvulnerabilityinflaskthatcanresultinLargeamountofmemoryusagepossiblyleadingtodenialofservice. ThisattackappeartobeexploitableviaAttackerprovidesJSONdatainincorrectencoding. Thisvulnerabilityappearstohavebeenfixedin0.12.3. NOTE: thismayoverlapCVE-2019-1010083.
审计JSON格式依赖:
$pip-audit-fjson|jq
Found2knownvulnerabilitiesin1package
[
{
"name": "flask",
"version": "0.5",
"vulns": [
{
"id": "PYSEC-2019-179",
"fix_versions": [
"1.0"
],
"description": "The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656."
},
{
"id": "PYSEC-2018-66",
"fix_versions": [
"0.12.3"
],
"description": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083."
}
]
},
{
"name": "jinja2",
"version": "3.0.2",
"vulns": []
},
{
"name": "pip",
"version": "21.3.1",
"vulns": []
},
{
"name": "setuptools",
"version": "57.4.0",
"vulns": []
},
{
"name": "werkzeug",
"version": "2.0.2",
"vulns": []
},
{
"name": "markupsafe",
"version": "2.0.1",
"vulns": []
}
]
审计并尝试自动审计存在漏洞的依赖:
$pip-audit--fix
Found2knownvulnerabilitiesin1packageandfixed2vulnerabilitiesin1package
NameVersionIDFixVersionsAppliedFix
------------------------------------------------------------------------------
flask0.5PYSEC-2019-1791.0Successfullyupgradedflask (0.5=>1.0)
flask0.5PYSEC-2018-660.12.3Successfullyupgradedflask (0.5=>1.0)
许可证协议
本项目的开发与发布遵循 Apache 2.0开源许可证协议。
项目地址
点审核:【GitHub传送门】
文章来源网络,作者:运维,如若转载,请注明出处:https://shuyeidc.com/wp/130982.html<
