首页 > 编程语言 >如何发现Python依赖库漏洞

如何发现Python依赖库漏洞

时间:2023-01-06 18:02:45浏览次数:46  
标签:audit default 依赖 Python vulnerability 漏洞 version pip --

因为python编程的流行,python的各种库也越来越多,但许多小伙伴可能只注意到了自己编程所要依赖的环境,但是却忽略了库的版本也有可能存在漏洞的风险,如果不及时检查和更新python依赖库,那么很有可能你写的代码本身就存在漏洞,因为你引用了一个包含已知漏洞的库。

如何发现Python依赖库漏洞_Python

如何避免这种风险

今天就给大家带来一个python库环境漏洞检测工具。

pip-audit是一种用于扫描 Python 环境以查找具有已知漏洞的包的工具。它通过PyPI JSON API使用 Python 包装咨询数据库作为漏洞报告的来源。

该项目由Trail of Bits在 Google 的支持下开发。这不是 Google 的官方产品。

如何使用呢

安装

pip-audit需要Python 3.6或更新版本,可以直接通过pip安装:

python -m pip install pip-audit

使用方法

usage: pip-audit [-h] [-V] [-l] [-r REQUIREMENTS] [-f FORMAT] [-s SERVICE]
[-d] [-S] [--desc [{on,off,auto}]] [--cache-dir CACHE_DIR]
[--progress-spinner {on,off}] [--timeout TIMEOUT]

audit the Python environment for dependencies with known vulnerabilities

optional arguments:
-h, --help show this help message and exit
-V, --version show program's version number and exit
-l, --local show only results for dependencies in the local
environment (default: False)
-r REQUIREMENTS, --requirement REQUIREMENTS
audit the given requirements file; this option can be
used multiple times (default: None)
-f FORMAT, --format FORMAT
the format to emit audit results in (choices: columns,
json, cyclonedx-json, cyclonedx-xml) (default:
columns)
-s SERVICE, --vulnerability-service SERVICE
the vulnerability service to audit dependencies
against (choices: osv, pypi) (default: pypi)
-d, --dry-run collect all dependencies but do not perform the
auditing step (default: False)
-S, --strict fail the entire audit if dependency collection fails
on any dependency (default: False)
--desc [{on,off,auto}]
include a description for each vulnerability; `auto`
defaults to `on` for the `json` format. This flag has
no effect on the `cyclonedx-json` or `cyclonedx-xml`
formats. (default: auto)
--cache-dir CACHE_DIR
the directory to use as an HTTP cache for PyPI; uses
the `pip` HTTP cache by default (default: None)
--progress-spinner {on,off}
display a progress spinner (default: on)
--timeout TIMEOUT set the socket timeout (default: 15)

举例

审计当前Python环境的依赖项:

$ pip-audit
No known vulnerabilities found

审计一个给定需求文件的依赖关系:

$ pip-audit -r ./requirements.txt
No known vulnerabilities found

审计当前Python环境(不包括系统包)的依赖项:

$ pip-audit -r ./requirements.txt -l
No known vulnerabilities found

当存在漏洞时,审计依赖:

$ pip-audit
Found 2 known vulnerabilities in 1 packages
Name Version ID Fix Versions
---- ------- -------------- ------------
Flask 0.5 PYSEC-2019-179 1.0
Flask 0.5 PYSEC-2018-66 0.12.3

审计依赖项,包括以下描述:

$ pip-audit --desc
Found 2 known vulnerabilities in 1 packages
Name Version ID Fix Versions Description
---- ------- -------------- ------------ --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flask 0.5 PYSEC-2019-179 1.0 The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656.
Flask 0.5 PYSEC-2018-66 0.12.3 The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.

审计JSON格式的依赖:

$ pip-audit -f json | jq
Found 2 known vulnerabilities in 1 packages
[
{
"name": "flask",
"version": "0.5",
"vulns": [
{
"id": "PYSEC-2019-179",
"fix_versions": [
"1.0"
],
"description": "The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656."
},
{
"id": "PYSEC-2018-66",
"fix_versions": [
"0.12.3"
],
"description": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083."
}
]
},
{
"name": "jinja2",
"version": "3.0.2",
"vulns": []
},
{
"name": "pip",
"version": "21.3.1",
"vulns": []
},
{
"name": "setuptools",
"version": "57.4.0",
"vulns": []
},
{
"name": "werkzeug",
"version": "2.0.2",
"vulns": []
},
{
"name": "markupsafe",
"version": "2.0.1",
"vulns": []
}
]

标签:audit,default,依赖,Python,vulnerability,漏洞,version,pip,--
From: https://blog.51cto.com/u_14573321/5994486

相关文章

  • python 之复数
    #_*_coding:utf-8_*_#python2.7aa=123-12jprintaa.real#output实数部分123.0printaa.imag#output虚数部分-12.0#python3aa=123-12jprint(aa.real)print(aa.imag) ......
  • python之除法获取真实的结果
    #_*_coding:utf-8_*_from__future__importdivisiona=2b=5print(a/b)#output0.4主要是导入future模块......
  • python 序列类型的操作符
    #_*_coding:utf-8_*_a='abs'printa[0]printa[0:2]printa*4printa+'北京'print'a'inaprint'a'notina#a#ab#absabsabsabs#abs北京#True#False......
  • Python中的main方法教程
    估计很多人跟我一样初学python看代码的时候先找一下main()方法,从main往下看。但事实上python中是没有你理解中的“main()”方法的。言归正传ifname=="main":可以看成......
  • Python 函数递归教程
    1.什么是函数递归函数的嵌套调用:一个函数里面又写了一个函数。函数的递归调用:他是一种特殊的嵌套调用,他也是在函数里面调用函数,但是他在函数体内调用的函数时他自己本身......
  • python_selenium元素定位_xpath(2)
     selenium自动化脚本最基础的就是元素定位和元素操作,下面就以百度为例介绍最常见的xpath定位方式基本定位方式:以百度的搜索框为例fromseleniumimportwebdriverim......
  • python + selenium 常用公共方法封装
     selenium环境配置及浏览器驱动的安装:https://www.cnblogs.com/gancuimian/p/16435300.htmluiautomator2常用公共方法封装见之前的帖子:https://www.cnblogs.com/gancu......
  • Python爬取往期股票数据,分析中奖规律!
    快过年了,手头有点紧,但是作为一个男人,身上怎么能够没有大把钞票呢?于是我决定用Python来分析一波股票,赢了会所嫩*,输了下海干活!好了,上面是我吹牛逼的,不过确实有小伙......
  • python 调试 qml
    1.设置pycharm的parameters-qmljsdebugger=port:10002,block 2.python启动调试:点击debug按钮   3.设置qtcreaterqtcreater中打开要调试的文件,打上断点......
  • 基于Python的K-Means遥感影像聚类
    importnumpyasnpfromsklearnimportclusterfromosgeoimportgdal,gdal_arrayimportmatplotlib.pyplotaspltgdal.UseExceptions()gdal.AllRegister()img......