python環(huán)境功能強大的pip-audit安全漏洞掃描工具

更新時間：2022年02月19日 09:37:38 作者：kali_Ma

這篇文章主要為大家介紹了python環(huán)境中功能強大的pip-audit安全漏洞掃描工具的功能介紹及安裝使用說明，有需要的朋友可以借鑒參考下，希望能夠有所幫助

關于pip-audit

pip-audit是一款功能強大的安全漏洞掃描工具，該工具主要針對Python環(huán)境，可以幫助廣大研究人員掃描和測試Python包中的已知安全漏洞。pip-audit使用了PythonPackagingAdvisory數(shù)據(jù)庫PyPIJSONAPI作為漏洞報告源。

功能介紹

1、支持對本地環(huán)境和依賴組件（requirements風格文件）進行安全審計；
2、支持多種漏洞服務（PyPI、OSV）；
3、支持以CycloneDX XML或JSON格式發(fā)送SBOM；
4、提供人類和機器均可讀的輸出格式（columnar、JSON）；
5、無縫接入 / 重用本地pip緩存；

工具安裝

pip-audit基于Python開發(fā)，且要求本地環(huán)境為Python 3.7或更新版本。安裝并配置好Python環(huán)境之后，就可以使用下列命令并通過pip來安裝pip-audit了：

python -m pip install pip-audit

第三方包

pip-audit的正常運行需要使用到多個第三方包，具體組件包名稱和版本如下圖所示：

在這里插入圖片描述

除此之外，我們還可以通過conda來安裝pip-audit：

conda install -c conda-forge pip-audit

工具使用

我們可以直接將pip-audit以獨立程序運行，或通過“python -m”運行：

pip-audit --help

python -m pip_audit --help

usage: pip-audit [-h] [-V] [-l] [-r REQUIREMENTS] [-f FORMAT] [-s SERVICE]
                 [-d] [-S] [--desc [{on,off,auto}]] [--cache-dir CACHE_DIR]
                 [--progress-spinner {on,off}] [--timeout TIMEOUT]
                 [--path PATHS] [-v] [--fix] [--require-hashes]
audit the Python environment for dependencies with known vulnerabilities

optional arguments:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit
  -l, --local           show only results for dependencies in the local
                        environment (default: False)
  -r REQUIREMENTS, --requirement REQUIREMENTS
                        audit the given requirements file; this option can be
                        used multiple times (default: None)
  -f FORMAT, --format FORMAT
                        the format to emit audit results in (choices: columns,
                        json, cyclonedx-json, cyclonedx-xml) (default:
                        columns)
  -s SERVICE, --vulnerability-service SERVICE
                        the vulnerability service to audit dependencies
                        against (choices: osv, pypi) (default: pypi)
  -d, --dry-run         without `--fix`: collect all dependencies but do not
                        perform the auditing step; with `--fix`: perform the
                        auditing step but do not perform any fixes (default:
                        False)
  -S, --strict          fail the entire audit if dependency collection fails
                        on any dependency (default: False)
  --desc [{on,off,auto}]
                        include a description for each vulnerability; `auto`
                        defaults to `on` for the `json` format. This flag has
                        no effect on the `cyclonedx-json` or `cyclonedx-xml`
                        formats. (default: auto)
  --cache-dir CACHE_DIR
                        the directory to use as an HTTP cache for PyPI; uses
                        the `pip` HTTP cache by default (default: None)
  --progress-spinner {on,off}
                        display a progress spinner (default: on)
  --timeout TIMEOUT     set the socket timeout (default: 15)
  --path PATHS          restrict to the specified installation path for
                        auditing packages; this option can be used multiple
                        times (default: [])
  -v, --verbose         give more output; this setting overrides the
                        `PIP_AUDIT_LOGLEVEL` variable and is equivalent to
                        setting it to `debug` (default: False)
  --fix                 automatically upgrade dependencies with known
                        vulnerabilities (default: False)
  --require-hashes      require a hash to check each requirement against, for
                        repeatable audits; this option is implied when any
                        package in a requirements file has a `--hash` option.
                        (default: False)

退出代碼

任務完成后， pip-audit將會退出運行，并返回一個代碼以顯示其狀態(tài)，其中：

0：未檢測到已知漏洞；

1：檢測到了一個或多個已知漏洞；

工具使用樣例

審計當前Python環(huán)境中的依賴：

$ pip-audit
No known vulnerabilities found

審計給定requirements文件的依賴：

$ pip-audit -r ./requirements.txt
No known vulnerabilities found

審計一個requirements文件，并排除系統(tǒng)包：

$ pip-audit -r ./requirements.txt -l
No known vulnerabilities found

審計依賴中發(fā)現(xiàn)的安全漏洞：

$ pip-audit
Found 2 known vulnerabilities in 1 package
Name  Version ID             Fix Versions
----  ------- -------------- ------------
Flask 0.5     PYSEC-2019-179 1.0
Flask 0.5     PYSEC-2018-66  0.12.3

審計依賴（包含描述）：

$ pip-audit --desc

Found 2 known vulnerabilities in 1 package

Name  Version ID             Fix Versions Description

----  ------- -------------- ------------ --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Flask 0.5     PYSEC-2019-179 1.0          The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1\. NOTE: this may overlap CVE-2018-1000656.

Flask 0.5     PYSEC-2018-66  0.12.3       The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3\. NOTE: this may overlap CVE-2019-1010083.

審計JSON格式依賴：

$ pip-audit -f json | jq
Found 2 known vulnerabilities in 1 package
[
{
"name": "flask",
"version": "0.5",
"vulns": [
{
"id": "PYSEC-2019-179",
"fix_versions": [
"1.0"
],
"description": "The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1\. NOTE: this may overlap CVE-2018-1000656."
},
{
"id": "PYSEC-2018-66",
"fix_versions": [
"0.12.3"
],
"description": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3\. NOTE: this may overlap CVE-2019-1010083."
}
]
},
{
"name": "jinja2",
"version": "3.0.2",
"vulns": []
},
{
"name": "pip",
"version": "21.3.1",
"vulns": []
},
{
"name": "setuptools",
"version": "57.4.0",
"vulns": []
},
{
"name": "werkzeug",
"version": "2.0.2",
"vulns": []
},
{
"name": "markupsafe",
"version": "2.0.1",
"vulns": []
}
]

審計并嘗試自動審計存在漏洞的依賴：

$ pip-audit --fix

Found 2 known vulnerabilities in 1 package and fixed 2 vulnerabilities in 1 package

Name  Version ID             Fix Versions Applied Fix

----- ------- -------------- ------------ ----------------------------------------

flask 0.5     PYSEC-2019-179 1.0          Successfully upgraded flask (0.5 => 1.0)

flask 0.5     PYSEC-2018-66  0.12.3       Successfully upgraded flask (0.5 => 1.0)

許可證協(xié)議

本項目的開發(fā)與發(fā)布遵循 Apache 2.0開源許可證協(xié)議。

以上就是python環(huán)境功能強大的pip-audit安全漏洞掃描工具的詳細內(nèi)容，更多關于pip-audit安全漏洞掃描工具的資料請關注腳本之家其它相關文章！

您可能感興趣的文章:

Python中turtle庫的使用實例
這篇文章主要介紹了Python中turtle庫的使用實例,文中通過示例代碼介紹的非常詳細，對大家的學習或者工作具有一定的參考學習價值,需要的朋友可以參考下
2019-09-09
python實現(xiàn)Virginia無密鑰解密
這篇文章主要為大家詳細介紹了python實現(xiàn)Virginia無密鑰解密，具有一定的參考價值，感興趣的小伙伴們可以參考一下
2019-03-03
django基礎之數(shù)據(jù)庫操作方法(詳解)
下面小編就為大家?guī)硪黄猟jango基礎之數(shù)據(jù)庫操作方法(詳解)。小編覺得挺不錯的，現(xiàn)在就分享給大家，也給大家做個參考。一起跟隨小編過來看看吧
2017-05-05
Python中字符串對齊方法介紹
這篇文章主要介紹了Python中字符串對齊方法介紹,本文介紹Python字符串內(nèi)置方法ljust、rjust、center的用法,需要的朋友可以參考下
2015-05-05
Django配置文件代碼說明
在本篇文章里小編給大家整理了關于Django配置文件代碼說明知識點，有需要的朋友們學習下。
2019-12-12
Python數(shù)據(jù)集切分實例
今天小編就為大家分享一篇Python數(shù)據(jù)集切分實例，具有很好的參考價值，希望對大家有所幫助。一起跟隨小編過來看看吧
2018-12-12
Python網(wǎng)絡請求模塊urllib與requests使用介紹
網(wǎng)絡爬蟲的第一步就是根據(jù)URL，獲取網(wǎng)頁的HTML信息。在Python3中，可以使用urllib和requests進行網(wǎng)頁數(shù)據(jù)獲取，這篇文章主要介紹了Python網(wǎng)絡請求模塊urllib與requests使用
2022-10-10
Python PyQt5學習之樣式設置詳解
這篇文章主要為大家詳細介紹了Python PyQt5中樣式設置的相關資料，例如為標簽添加背景圖片、為按鈕添加背景圖片、設置窗口透明等，感興趣的可以學習一下
2022-12-12
Python用于學習重要算法的模塊pygorithm實例淺析
這篇文章主要介紹了Python用于學習重要算法的模塊pygorithm,結合實例形式簡單分析了pygorithm模塊的功能、算法調用、源碼獲取、時間復雜度計算等相關操作技巧,需要的朋友可以參考下
2018-08-08
Python實現(xiàn)圖的廣度和深度優(yōu)先路徑搜索算法
圖是一種抽象數(shù)據(jù)結構，本質和樹結構是一樣的。圖與樹相比較，圖具有封閉性，可以把樹結構看成是圖結構的前生。本文將利用Python實現(xiàn)圖的廣度和深度優(yōu)先路徑搜索算法，感興趣的可以學習一下
2022-04-04