Security audit Python project dependencies against security advisory databases.

Overview

        .         .    .      Skjold /skjɔl/
    ,-. | , . ,-. |  ,-|
    `-. |<  | | | |  | |      Security audit python project dependencies
    `-' ' ` | `-' `' `-´      against several security advisory databases.
           `'

Introduction

It currently supports fetching advisories from the following sources:

Source                       Name        Notes
GitHub Advisory Database     github
PyUP.io safety-db            pyup
GitLab gemnasium-db          gemnasium
PYPA Advisory Database       pypa        Experimental! Only supports ECOSYSTEM and SEMVER!
OSV.dev Database             osv         Experimental! Only supports ECOSYSTEM and SEMVER!
                                         Sends package information to the OSV.dev API.

No source is enabled by default! Individual sources can be enabled by setting the sources list (see Configuration). There is (currently) no de-duplication, meaning that enabling all of them could result in a lot of duplicate findings for the same vulnerability.

Motivation

Skjold was initially created for myself to replace safety, which appears to no longer receive monthly updates (see pyupio/safety-db #2282). I wanted something I can run locally and use for my local or private projects/scripts.

I currently also use it during CI builds and before deploying/publishing containers or packages.

Installation

skjold can be installed from either PyPI or directly from Github using pip:

pip install skjold                                        # Install from PyPI
pip install git+https://github.com/twu/skjold@<tag>           # Install from Github (replace <tag> with a release tag)

This should provide a script named skjold that can then be invoked. See Usage.

Usage

$ pip list --format=freeze | skjold -v audit --sources gemnasium -

When running audit one can either provide a path to a frozen requirements.txt, a poetry.lock or a Pipfile.lock file. Alternatively, dependencies can also be passed in via stdin (formatted as package==version).

skjold will maintain a local cache (under cache_dir) that expires automatically once cache_expires has passed. Both cache_dir and cache_expires can be adjusted by setting them in the tools.skjold section of the project's pyproject.toml (see Configuration for more details). The cache_dir will be created automatically and, unless otherwise specified, will be located under $HOME/.skjold/cache.

For further options please read skjold --help and/or skjold audit --help.
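The stdin format described above is one `package==version` line per dependency. The following is an added example (not skjold's own code) of a small pre-processor that turns a requirements.txt, or `pip list --format=freeze` output, into exactly that stream: it drops comments, blank lines, pip options, `--hash` continuation lines and environment markers, skips anything that is not an exact pin, and normalises package names the PEP 503 way. The regex, the `SAMPLE` input and the `example.invalid` URL in it are constructed for this example.

```python
"""Emit `name==version` lines from a requirements.txt / `pip list --format=freeze` stream.

Added example, not skjold's own parser. Output is the stdin format `skjold audit -`
accepts; input lines a naive `split("==")` would choke on are tolerated or skipped.
"""
import re
import sys
from typing import Iterable, Iterator, List, Tuple

# One exactly pinned requirement: a PEP 508 name, optional [extras], "==" and a version.
# Regex written for this example; it deliberately accepts only "==" pins.
_PINNED = re.compile(
    r"^(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)"
    r"(?:\[[^\]]*\])?\s*==\s*(?P<version>[^\s;\\]+)"
)


def canonical_name(name: str) -> str:
    """PEP 503 normalisation: runs of '-', '_' and '.' collapse to '-', lower-cased."""
    return re.sub(r"[-_.]+", "-", name).lower()


def iter_pinned(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (canonical name, version) for every exactly pinned requirement."""
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # drop trailing or full-line comments
        if not line:
            continue                          # blank or comment-only line
        if line.startswith("-"):
            continue                          # pip option, --hash continuation, -e editable
        line = line.rstrip("\\").rstrip()     # trailing backslash line continuation
        match = _PINNED.match(line)
        if match is None:
            continue                          # ranges (>=), URLs etc. are not auditable pins
        yield canonical_name(match.group("name")), match.group("version")


def parse_requirements(text: str) -> List[Tuple[str, str]]:
    return list(iter_pinned(text.splitlines()))


def to_freeze_lines(pins: Iterable[Tuple[str, str]]) -> List[str]:
    return [f"{name}=={version}" for name, version in pins]


# Constructed sample input covering the cases above (not taken from a real project).
SAMPLE = """\
# constructed requirements.txt for this example
urllib3==1.23
Beautifulsoup4==4.8.0 \\
    --hash=sha256:05668158c7b85b791c5abde53e50265e16f98ad601c402ba44d70f96c4159612 \\
    --hash=sha256:25288c9e176f354bf277c0a10aa96c782a6a18a17122dba2e8cec4a97e03343b
--index-url https://pypi.org/simple
requests==2.28.1 ; python_version < "3.12"   # trailing comment
-e git+https://example.invalid/pkg.git#egg=pkg
Django>=3.2
"""

if __name__ == "__main__":
    # Usage: python parse_pins.py requirements.txt | skjold audit -s gemnasium -
    source = open(sys.argv[1]) if len(sys.argv) > 1 else sys.stdin
    with source:
        print("\n".join(to_freeze_lines(iter_pinned(source))))
```

Unpinned ranges such as `Django>=3.2` are skipped on purpose: an advisory lookup needs the version that is actually installed, which only a frozen list or lock file provides.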

Examples

All examples involving github assume that SKJOLD_GITHUB_API_TOKEN is already set (see Github).

# Using pip list. Checking against GitHub only.
$ pip list --format=freeze | skjold audit -s github -

# Be verbose. Read directly from supported formats.
$ skjold -v audit requirements.txt
$ skjold -v audit poetry.lock
$ skjold -v audit Pipfile.lock

# Using poetry.
$ poetry export -f requirements.txt | skjold audit -s github -s gemnasium -s pyup -

# Using poetry, format output as json and pass it on to jq for additional filtering.
$ poetry export -f requirements.txt | skjold audit -o json -s github - | jq '.[0]'

# Using Pipenv, checking against Github
$ pipenv run pip list --format=freeze | skjold audit -s github -

# Checking a single package via stdin against Github and format findings as json.
$ echo "urllib3==1.23" | skjold audit -o json -r -s github -
[
  {
    "severity": "HIGH",
    "name": "urllib3",
    "version": "1.23",
    "versions": "<1.24.2",
    "source": "github",
    "summary": "High severity vulnerability that affects urllib3",
    "references": [
      "https://nvd.nist.gov/vuln/detail/CVE-2019-11324"
    ],
    "url": "https://github.com/advisories/GHSA-mh33-7rrq-662w"
  }
]

# Checking a single package via stdin against Gemnasium and report findings (`-o cli`).
$ echo "urllib3==1.23" | skjold audit -o cli -r -s gemnasium -

urllib3==1.23 (<=1.24.2) via gemnasium

CRLF injection. In the urllib3 library for Python, CRLF injection is possible
if the attacker controls the request parameter.
https://nvd.nist.gov/vuln/detail/CVE-2019-11236
--

urllib3==1.23 (<1.24.2) via gemnasium

Weak Authentication Caused By Improper Certificate Validation. The urllib3
library for Python mishandles certain cases where the desired set of CA
certificates is different from the OS store of CA certificates, which results
in SSL connections succeeding in situations where a verification failure is the
correct outcome. This is related to use of the `ssl_context`, `ca_certs`, or
`ca_certs_dir` argument.
https://nvd.nist.gov/vuln/detail/CVE-2019-11324
--

urllib3==1.23 (<1.25.9) via gemnasium

Injection Vulnerability. urllib3 allows CRLF injection if the attacker controls
the HTTP request method, as demonstrated by inserting `CR` and `LF` control
characters in the first argument of `putrequest()`. NOTE: this is similar to
CVE-2020-26116.
https://nvd.nist.gov/vuln/detail/CVE-2020-26137
--

Ignore Findings

Findings can be ignored either by manually adding an entry, keyed by the source's identifier, to a file named .skjoldignore (see Example) or by using skjold ignore on the CLI. Below are a few possible usage examples.

# Ignore PYSEC-2020-148 finding from PyPA source until a certain date with a specific reason.
$ skjold ignore urllib3 PYSEC-2020-148 --reason "Very good reason." --expires "2021-01-01T00:00:00+00:00"
Ignore urllib3 in PYSEC-2020-148 until 2021-01-01 00:00:00+00:00?
Very good reason.
--
Add to '.skjoldignore'? [y/N]: y

# Ignore PYSEC-2020-148 finding from PyPA source for 7 days with "No immediate remediation." reason.
$ skjold ignore urllib3 PYSEC-2020-148
Ignore urllib3 in PYSEC-2020-148 until ...?
No immediate remediation.
--
Add to '.skjoldignore'? [y/N]: y

# Audit `poetry.lock` using a custom `.skjoldignore` file location via `ENV`...
$ SKJOLD_IGNORE_FILE=<path> skjold audit -s pyup poetry.lock

# ... or using -i/--ignore-file
$ skjold audit -s pyup -i <path> poetry.lock
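The `--expires` option above makes an ignore entry temporary, and the JSON output shown under Examples is what a CI step would filter. The following added example (not skjold's own code) shows the two together: findings in the JSON shape `skjold audit -o json` prints are matched against ignore entries, expired entries stop suppressing, the remaining findings are grouped by CVE to collapse the cross-source duplicates the Introduction warns about, and `report_only` decides the exit status. Assumptions: the `id` field holding the per-source identifier (the README's JSON sample has none), the in-memory `IgnoreEntry` structure (the `.skjoldignore` file format is not documented on this page, so it is not parsed), that an entry without `expires` is permanent, and the constructed findings beyond the README's urllib3 one.

```python
"""Apply `.skjoldignore`-style entries with expiry to findings in skjold's JSON shape.

Added example, not skjold's own code. `id`, the IgnoreEntry structure and all findings
except the README's GHSA-mh33-7rrq-662w entry are constructed for this example.
"""
import json
import re
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


def canonical_name(name: str) -> str:
    """PEP 503 normalisation so 'Urllib3' and 'urllib3' hit the same ignore entry."""
    return re.sub(r"[-_.]+", "-", name).lower()


def at(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp such as the README's --expires value."""
    return datetime.fromisoformat(iso)


@dataclass(frozen=True)
class IgnoreEntry:
    package: str
    identifier: str              # per-source id: PYSEC-..., GHSA-..., CVE-..., pyup.io-...
    reason: str
    expires: Optional[datetime]  # None: permanent entry (assumed semantics)

    def is_active(self, now: datetime) -> bool:
        return self.expires is None or now < self.expires


def apply_ignores(findings: List[dict], ignores: List[IgnoreEntry],
                  now: datetime) -> Tuple[List[dict], List[dict]]:
    """Split findings into (reported, ignored); expired entries no longer suppress anything."""
    active = {(canonical_name(e.package), e.identifier) for e in ignores if e.is_active(now)}
    reported: List[dict] = []
    ignored: List[dict] = []
    for finding in findings:
        key = (canonical_name(finding["name"]), finding["id"])
        (ignored if key in active else reported).append(finding)
    return reported, ignored


def dedupe_by_cve(findings: List[dict]) -> Dict[str, List[dict]]:
    """Group what several sources report for one CVE (skjold itself does not de-duplicate)."""
    groups: Dict[str, List[dict]] = {}
    for finding in findings:
        cves = [r for r in finding.get("references", []) if "/CVE-" in r]
        key = cves[0] if cves else f'{finding["source"]}:{finding["id"]}'
        groups.setdefault(key, []).append(finding)
    return groups


def exit_code(reported: List[dict], report_only: bool) -> int:
    """report_only as the README describes it: findings are printed but never fail the run."""
    return 0 if report_only or not reported else 1


# Constructed findings: the README's urllib3 JSON entry plus three made-up ones in the same
# shape, trimmed to the fields used here.
FINDINGS: List[dict] = json.loads("""[
 {"severity": "HIGH", "name": "urllib3", "version": "1.23", "source": "github",
  "id": "GHSA-mh33-7rrq-662w",
  "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-11324"]},
 {"severity": "HIGH", "name": "urllib3", "version": "1.23", "source": "pypa",
  "id": "PYSEC-2020-148", "references": []},
 {"severity": "HIGH", "name": "urllib3", "version": "1.23", "source": "gemnasium",
  "id": "CVE-2020-26137",
  "references": ["https://nvd.nist.gov/vuln/detail/CVE-2020-26137"]},
 {"severity": "HIGH", "name": "urllib3", "version": "1.23", "source": "gemnasium",
  "id": "CVE-2019-11324",
  "references": ["https://nvd.nist.gov/vuln/detail/CVE-2019-11324"]}
]""")

IGNORES = [
    IgnoreEntry("urllib3", "PYSEC-2020-148", "Very good reason.", at("2021-01-01T00:00:00+00:00")),
    IgnoreEntry("urllib3", "GHSA-mh33-7rrq-662w", "constructed permanent entry", None),
]


def run(findings: List[dict], ignores: List[IgnoreEntry], now: datetime, report_only: bool) -> dict:
    reported, ignored = apply_ignores(findings, ignores, now)
    return {"reported": reported, "ignored": ignored, "exit_code": exit_code(reported, report_only)}


if __name__ == "__main__":
    result = run(FINDINGS, IGNORES, datetime.now(timezone.utc), report_only=False)
    json.dump(result["reported"], sys.stdout, indent=2)  # findings to stdout, so they can be redirected
    print(f"\n{len(result['ignored'])} ignored, {len(result['reported'])} reported", file=sys.stderr)
    sys.exit(result["exit_code"])
```

Checking an entry's expiry against the current time, rather than at the moment it is written, is what keeps a "no immediate remediation" exception from quietly becoming permanent.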


Configuration

skjold can read its configuration from the tools.skjold section of a project's pyproject.toml. Arguments specified via the command-line take precedence over any configured or default value.

[tool.skjold]
sources = ["github", "pyup", "gemnasium"]  # Sources to check against.
report_only = true                         # Report only, always exit with zero.
report_format = 'json'                     # Output findings as `json`. Default is 'cli'.
cache_dir = '.skjold_cache'                # Cache location (default: `~/.skjold/cache`).
cache_expires = 86400                      # Cache max. age.
ignore_file = '.skjoldignore'              # Ignorefile location (default `.skjoldignore`).
verbose = true                             # Be verbose.

To take a look at the current configuration / defaults run:

$ skjold config
sources: ['pyup', 'github', 'gemnasium']
report_only: True
report_format: json
verbose: False
cache_dir: .skjold_cache
cache_expires: 86400
ignore_file: .skjoldignore
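The precedence rule stated above (command-line over pyproject.toml over built-in defaults) is easy to get wrong when a CLI parser supplies its own defaults, which is the bug the v0.2.0 release notes mention. The following added example (not skjold's own code) resolves a configuration the correct way, shows the naive merge beside it for contrast, and refuses unknown keys so that a typo like `report-only` cannot silently leave a CI job in the wrong mode. `PYPROJECT` is the parsed form of the README's `[tool.skjold]` block, constructed here rather than read with the toml package; the defaults for `report_only` and `cache_expires` are assumptions, the others follow the README.

```python
"""Resolve skjold-style configuration: defaults < [tool.skjold] < command-line arguments.

Added example, not skjold's own code. PYPROJECT mirrors the README's [tool.skjold] block;
the DEFAULTS marked as assumptions are not stated on the page.
"""
from typing import Any, Dict, Optional

DEFAULTS: Dict[str, Any] = {
    "sources": [],                   # README: no source is enabled by default
    "report_only": False,            # assumption: findings fail the run unless configured otherwise
    "report_format": "cli",          # README: default is 'cli'
    "verbose": False,                # README `skjold config` output
    "cache_dir": "~/.skjold/cache",  # README: default cache location
    "cache_expires": 86400,          # assumption: README shows 86400 only as a configured value
    "ignore_file": ".skjoldignore",  # README: default ignore file
}

PYPROJECT: Dict[str, Any] = {  # parsed form of the README's pyproject.toml snippet
    "tool": {"skjold": {
        "sources": ["github", "pyup", "gemnasium"],
        "report_only": True,
        "report_format": "json",
        "cache_dir": ".skjold_cache",
        "cache_expires": 86400,
        "ignore_file": ".skjoldignore",
        "verbose": True,
    }}
}


def resolve_config(pyproject: Dict[str, Any], cli: Dict[str, Optional[Any]]) -> Dict[str, Any]:
    """Layer the three sources; a CLI value of None means 'flag not given'.

    Unknown [tool.skjold] keys raise instead of being ignored, so a misspelt key is
    noticed rather than silently falling back to the default.
    """
    section = pyproject.get("tool", {}).get("skjold", {})
    unknown = sorted(set(section) - set(DEFAULTS))
    if unknown:
        raise ValueError(f"unknown [tool.skjold] key(s): {', '.join(unknown)}")
    config = dict(DEFAULTS)
    config.update(section)
    config.update({key: value for key, value in cli.items() if value is not None})
    return config


def resolve_config_naive(pyproject: Dict[str, Any], cli_with_defaults: Dict[str, Any]) -> Dict[str, Any]:
    """The pitfall the v0.2.0 notes describe, reconstructed as an assumption: merging the
    CLI parser's own defaults unconditionally lets an *unset* flag clobber pyproject.toml."""
    config = dict(DEFAULTS)
    config.update(pyproject.get("tool", {}).get("skjold", {}))
    config.update(cli_with_defaults)
    return config


def effective_exit(config: Dict[str, Any], vulnerable_packages: int) -> int:
    """What an audit would exit with under this configuration: report_only always yields zero."""
    return 0 if config["report_only"] or vulnerable_packages == 0 else 1


if __name__ == "__main__":
    # No flags given: pyproject.toml wins over the defaults.
    print(resolve_config(PYPROJECT, {"sources": None, "report_only": None}))
    # Sources given with -s on the command line win over pyproject.toml.
    print(resolve_config(PYPROJECT, {"sources": ["osv"], "report_only": False}))
```

The `effective_exit` helper is the part worth checking in CI: with `report_only = true` in pyproject.toml and no overriding flag, an audit full of findings still exits zero, which is exactly why the pre-commit section below insists on `verbose: true`.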

Github

For the github source to work you'll need to provide a Github API Token via an ENV variable named SKJOLD_GITHUB_API_TOKEN. You can create a new Github Access Token in your GitHub account settings. You do not have to give it any permissions, as it is only required to query the GitHub GraphQL API v4.

Version Control Integration

To use skjold with the excellent pre-commit framework, add the following to the project's .pre-commit-config.yaml after installation.

repos:
  - repo: https://github.com/twu/skjold
    rev: vX.X.X
    hooks:
    - id: skjold
      verbose: true  # Important if used with `report_only`, see below.

After running pre-commit install the hook should be good to go. To configure skjold in this scenario I recommend adding the entire configuration to the project's pyproject.toml instead of manipulating the hook args. See this project's pyproject.toml for an example.

Important!: When using skjold as a pre-commit hook it only gets triggered if you want to commit changed dependency files (e.g. Pipfile.lock, poetry.lock, requirements.txt, ...). It will not continuously check your dependencies on every commit!

You could run pre-commit run skjold --all-files manually in your workflow/scripts or run skjold manually. If you have a better solution please let me know!

Important!: If you use report_only in any way make sure that you add verbose: true to your hook configuration otherwise pre-commit won't show you any output since the hook is always returning with a zero exit code due to report_only being set!

Contributing

Pull requests are welcome! For major changes, please open an issue first to discuss what you would like to change.

Please make sure to update tests as appropriate.

Comments
  • Bump pytest-mock from 3.9.0 to 3.10.0

    Bump pytest-mock from 3.9.0 to 3.10.0

    Bumps pytest-mock from 3.9.0 to 3.10.0.

    Release notes

    Sourced from pytest-mock's releases.

    v3.10.0

    • Added new mocker.stop(m) method to stop specific mocker.patch or mocker.spy calls (#319).
    Changelog

    Sourced from pytest-mock's changelog.

    3.10.0 (2022-10-05)

    • Added new mocker.stop(m) method to stop specific mocker.patch or mocker.spy calls ([#319](https://github.com/pytest-dev/pytest-mock/issues/319)_).

    .. _#319: pytest-dev/pytest-mock#319

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies python 
    opened by dependabot[bot] 5
  • Pre-commit hook fails if multiple lock or requirements files are modified at same time

    Pre-commit hook fails if multiple lock or requirements files are modified at same time

    If you in your repo have multiple files that should be analyzed by skjold and use it as a pre-commit hook, the hook fails if you modify multiple lock/requirements files in the same commit.

    The reason for the problem is that pre-commit tries to invoke skjold audit with multiple files as arguments at once and the skjold audit command only accepts one file at a time.

    A minimal POC can be obtained by just creating an empty git repo (mkdir skjold-poc; cd skjold-poc; git init), enabling pre-commit (pre-commit install), adding a .pre-commit-config.yaml containing

    repos:
      - repo: https://github.com/twu/skjold
        rev: v0.4.1
        hooks:
        - id: skjold
          verbose: true
    

    and then creating two (or more) requirements files (touch requirements.txt requirements-dev.txt) and then running git add .

    If you then try to commit with git commit -m "Adding requirements files" you will be greeted with an error saying: Error: Got unexpected extra argument (requirements.txt). If you add even more different lock files or requirements-something.txt files the message will be expanded with more extra arguments.

    It's probably not that common people would have both poetry.lock and Pipfile.lock files, but possible people want to have multiple requirements.txt files (one for dev and one for prod) or multiple lock files in different directories of the same repo and get them all analyzed. It's of course possible to somewhat well avoid the problem by modifying only one lock file at a time, but the same issue also affects pre-commit run --all-files that will scan all the matched files regardless of if they've been changed or not.

    bug 
    opened by joakimnordling 4
  • More flexibility in requirements.txt format

    More flexibility in requirements.txt format

    If a requirements file has anything extra, this error is raised:

      File "/Users/brondsem/tmp/py3venv/lib/python3.6/site-packages/skjold/cli.py", line 169, in audit_
        packages = extract_package_list_from(config, file, file_format)
      File "/Users/brondsem/tmp/py3venv/lib/python3.6/site-packages/skjold/formats.py", line 80, in extract_package_list_from
        for package in reader_func(file):
      File "/Users/brondsem/tmp/py3venv/lib/python3.6/site-packages/skjold/formats.py", line 47, in read_requirements_txt_from
        package_name, package_version = line.strip().split(" ")[0].split("==")
    ValueError: not enough values to unpack (expected 2, got 1)
    

    The most common example that can cause this is # for comments.

    I also have requirements.txt files with hashes specified and spanning multiple lines, like this:

    beautifulsoup4==4.8.0 \
        --hash=sha256:05668158c7b85b791c5abde53e50265e16f98ad601c402ba44d70f96c4159612 \
        --hash=sha256:25288c9e176f354bf277c0a10aa96c782a6a18a17122dba2e8cec4a97e03343b \
        --hash=sha256:f040590be10520f2ea4c2ae8c3dae441c7cfff5308ec9d58a0ec0c1b8f81d469
    

    There are other things that can be in a valid requirements.txt file too, like extra pip options. https://pip.pypa.io/en/latest/reference/pip_install/#requirements-file-format

    These can all be worked around by massaging the requirements file first and passing it as stdin, something like: cat requirements.txt | sed 's/#.*//' | skjold audit -s gemnasium -. But it would be very handy for skjold to handle any requirements.txt file that is valid for pip.

    enhancement 
    opened by brondsem 4
  • Invalid specifier error

    Invalid specifier error

    Hi @twu !! I got the below error. Can I help to fix this?

        specifiers.SpecifierSet(f"=={x}", prereleases=True)
      File "/home/bernardo.abreu/.cache/pre-commit/repow4ikj4am/py_env-python3/lib/python3.10/site-packages/packaging/specifiers.py", line 700, in __init__
        parsed.add(Specifier(specifier))
      File "/home/bernardo.abreu/.cache/pre-commit/repow4ikj4am/py_env-python3/lib/python3.10/site-packages/packaging/specifiers.py", line 234, in __init__
        raise InvalidSpecifier(f"Invalid specifier: '{spec}'")
    packaging.specifiers.InvalidSpecifier: Invalid specifier: '==0.7.1.fix1'

    opened by Bernardoow 3
  • Bump coverage from 7.0.0 to 7.0.1

    Bump coverage from 7.0.0 to 7.0.1

    Bumps coverage from 7.0.0 to 7.0.1.

    Changelog

    Sourced from coverage's changelog.

    Version 7.0.1 — 2022-12-23

    • When checking if a file mapping resolved to a file that exists, we weren't considering files in .whl files. This is now fixed, closing issue 1511_.

    • File pattern rules were too strict, forbidding plus signs and curly braces in directory and file names. This is now fixed, closing issue 1513_.

    • Unusual Unicode or control characters in source files could prevent reporting. This is now fixed, closing issue 1512_.

    • The PyPy wheel now installs on PyPy 3.7, 3.8, and 3.9, closing issue 1510_.

    .. _issue 1510: nedbat/coveragepy#1510
    .. _issue 1511: nedbat/coveragepy#1511
    .. _issue 1512: nedbat/coveragepy#1512
    .. _issue 1513: nedbat/coveragepy#1513

    .. _changes_7-0-0:

    Commits
    • c5cda3a docs: releases take a little bit longer now
    • 9d4226e docs: latest sample HTML report
    • 8c77758 docs: prep for 7.0.1
    • da1b282 fix: also look into .whl files for source
    • d327a70 fix: more information when mapping rules aren't working right.
    • 35e249f fix: certain strange characters caused reporting to fail. #1512
    • 152cdc7 fix: don't forbid plus signs in file names. #1513
    • 31513b4 chore: make upgrade
    • 873b059 test: don't run tests on Windows PyPy-3.9
    • 5c5caa2 build: PyPy wheel now installs on 3.7, 3.8, and 3.9. #1510
    • Additional commits viewable in compare view

    Dependabot compatibility score

    dependencies python 
    opened by dependabot[bot] 3
  • Allow ignoring CVEs

    Allow ignoring CVEs

    Motivation: One might need a way to ignore a vulnerability

    • temporarily until a migration to a new library would take place so that safety check does not fail every day until you migrate
    • permanently for example, if you faced a CVE like this: https://nvd.nist.gov/vuln/detail/CVE-2020-28463
    enhancement 
    opened by micheller 3
  • report-only and report_format not implemented ?

    report-only and report_format not implemented ?

    Hello, thanks for this program. I did try the report_only mode with report_format as json but cannot make it work; it seems the program just ignores it. I checked a bit into the code but I didn't find the part of the code that makes these parameters work, so I'm thinking that maybe it is an unimplemented feature?

    bug 
    opened by inkhey 3
  • `Warning: No advisory sources configured!` must not be raised if advisory sources were passed via CLI

    `Warning: No advisory sources configured!` must not be raised if advisory sources were passed via CLI

    Reproducible sample

    SKJOLD_GITHUB_API_TOKEN=<YOUR_TOKEN> skjold -v audit poetry.lock -s pyup -s gemnasium -s pypa -s osv -s github
    

    Versions

    skjold, version 0.5.1

    Related source code

    https://github.com/twu/skjold/blob/1de5a6696d78b846a7eadbf8f7cf20f20ac31a2b/src/skjold/tasks.py#L60

    Possible fix

    Check CLI arguments before raising the warning.

    opened by AIGeneratedUsername 2
  • pypa audits raise ScannerError: mapping values are not allowed here

    pypa audits raise ScannerError: mapping values are not allowed here

    pypa audits started failing in the past day or so. Here's an example:

    $ rm -rf .skjold_cache/
    $ echo 'bottle==0.12.23' | skjold audit -s pypa -
    Warning: No 'pyproject.toml' found!
    Traceback (most recent call last):
      File "../env/bin/skjold", line 8, in <module>
        sys.exit(cli())
      File "../env/lib/python3.7/site-packages/click/core.py", line 1130, in __call__
        return self.main(*args, **kwargs)
      File "../env/lib/python3.7/site-packages/click/core.py", line 1055, in main
        rv = self.invoke(ctx)
      File "../env/lib/python3.7/site-packages/click/core.py", line 1657, in invoke
        return _process_result(sub_ctx.command.invoke(sub_ctx))
      File "../env/lib/python3.7/site-packages/click/core.py", line 1404, in invoke
        return ctx.invoke(self.callback, **ctx.params)
      File "../env/lib/python3.7/site-packages/click/core.py", line 760, in invoke
        return __callback(*args, **kwargs)
      File "../env/lib/python3.7/site-packages/click/decorators.py", line 84, in new_func
        return ctx.invoke(f, obj, *args, **kwargs)
      File "../env/lib/python3.7/site-packages/click/core.py", line 760, in invoke
        return __callback(*args, **kwargs)
      File "../env/lib/python3.7/site-packages/skjold/cli.py", line 184, in audit_
        findings = audit(config, packages, ignore=ignore)
      File "../env/lib/python3.7/site-packages/skjold/tasks.py", line 225, in audit
        if source.has_security_advisory_for(dependency):
      File "../env/lib/python3.7/site-packages/skjold/sources/pypa.py", line 65, in has_security_advisory_for
        return dependency.canonical_name in self.advisories.keys()
      File "../env/lib/python3.7/site-packages/skjold/core.py", line 123, in advisories
        self.populate_from_cache()
      File "../env/lib/python3.7/site-packages/skjold/sources/pypa.py", line 43, in populate_from_cache
        doc = yaml.load(obj_fh, Loader=yaml.SafeLoader)
      File "../env/lib/python3.7/site-packages/yaml/__init__.py", line 81, in load
        return loader.get_single_data()
      File "../env/lib/python3.7/site-packages/yaml/constructor.py", line 49, in get_single_data
        node = self.get_single_node()
      File "../env/lib/python3.7/site-packages/yaml/composer.py", line 36, in get_single_node
        document = self.compose_document()
      File "../env/lib/python3.7/site-packages/yaml/composer.py", line 55, in compose_document
        node = self.compose_node(None, None)
      File "../env/lib/python3.7/site-packages/yaml/composer.py", line 84, in compose_node
        node = self.compose_mapping_node(anchor)
      File "../env/lib/python3.7/site-packages/yaml/composer.py", line 127, in compose_mapping_node
        while not self.check_event(MappingEndEvent):
      File "../env/lib/python3.7/site-packages/yaml/parser.py", line 98, in check_event
        self.current_event = self.state()
      File "../env/lib/python3.7/site-packages/yaml/parser.py", line 428, in parse_block_mapping_key
        if self.check_token(KeyToken):
      File "../env/lib/python3.7/site-packages/yaml/scanner.py", line 116, in check_token
        self.fetch_more_tokens()
      File "../env/lib/python3.7/site-packages/yaml/scanner.py", line 223, in fetch_more_tokens
        return self.fetch_value()
      File "../env/lib/python3.7/site-packages/yaml/scanner.py", line 579, in fetch_value
        self.get_mark())
    yaml.scanner.ScannerError: mapping values are not allowed here
      in ".skjold_cache/pypa.cache", line 2, column 98
    
    source:osv 
    opened by brondsem 2
  • Links to pyup.io point to 404 page

    Links to pyup.io point to 404 page

    Here's an example of an issue reported by skjold:

    cryptography==38.0.1 (<39.0.0) via pyup as pyup.io-51159 found in poetry.lock
    
    Cryptography 39.0.0 drops support for C library "LibreSSL" < 3.4, as these
    versions are not receiving security support anymore.
    https://pyup.io/pyup.io-51159
    

    The link at the last line points to https://pyup.io/pyup.io-51159, however it should point to https://pyup.io/vulnerabilities/CVE-2021-41581/51159/

    It's likely appending the id instead of the more_info_path to the domain when constructing the link.

    bug source:pyup 
    opened by joakimnordling 2
  • Pre-commit hooks only checks files in root of repo

    Pre-commit hooks only checks files in root of repo

    The pattern for files in .pre-commit-hooks.yaml is set up to only check any poetry.lock, Pipfile.lock and requirements*.txt files in the root of the repo. However it's not really uncommon that you have such files elsewhere in the repo. I'd suggest changing the pattern so that it'll scan such files elsewhere as well.

    If you agree on the idea, I can create a PR, or you can just update the line to be: files: (^|/)(poetry\.lock|Pipfile\.lock|requirements.*\.txt)$

    bug 
    opened by joakimnordling 2
  • Bump actions/checkout from 3.2.0 to 3.3.0

    Bump actions/checkout from 3.2.0 to 3.3.0

    Bumps actions/checkout from 3.2.0 to 3.3.0.

    Release notes

    Sourced from actions/checkout's releases.

    v3.3.0

    What's Changed

    New Contributors

    Full Changelog: https://github.com/actions/checkout/compare/v3.2.0...v3.3.0

    Commits

    Dependabot compatibility score

    dependencies github_actions 
    opened by dependabot[bot] 0
Releases(v0.6.1)
  • v0.6.1(Dec 11, 2022)

    Bugfix/Maintenance release.

    What's Changed

    • CLI: Remove duplicate error/warning when sources are passed via CLI instead. (#163). Thanks @AIGeneratedUsername!
    • Dependencies: Support packaging >=21,<23.0. (#162). Thanks @whardier!
    • Dependencies: Bump types-toml from 0.10.8 to 0.10.8.1 (#156)
    • Dependencies: Bump mypy from 0.990 to 0.991 (#157)
    • Actions: Bump actions/setup-python from 4.3.0 to 4.3.1 (#160)

    Full Changelog: https://github.com/twu/skjold/compare/v0.6.0...v0.6.1

    Source code(tar.gz)
    Source code(zip)
  • v0.6.0(Nov 11, 2022)

    Feature release.

    This release breaks .skjoldignore files when containing PyUP identifiers (See #148). You might need to re-add them to the ignore file using the CVE or new PyUP identifier.

    Changes

    • PyUP: Use 'cve' field as 'pyup' identifier. (#149). Thanks @joakimnordling!
    • Dependencies: Bump mypy from 0.981 to 0.982 (#141)
    • Dependencies: Bump black from 22.8.0 to 22.10.0 (#144)
    • Dependencies: Bump pytest-mock from 3.9.0 to 3.10.0 (#143)
    • Dependencies: Bump pytest from 7.1.3 to 7.2.0 (#146)
    • Dependencies: Bump types-pyyaml from 6.0.12 to 6.0.12.1 (#147)
    • Dependencies: Bump pytest-sugar from 0.9.5 to 0.9.6 (#151)
    • Dependencies: Bump mypy from 0.982 to 0.990 (#152)
    • Dependencies: Bump types-pyyaml from 6.0.12.1 to 6.0.12.2 (#153)
    • Actions: Bump actions/checkout from 3.0.2 to 3.1.0 (#142)
    • Actions: Bump actions/setup-python from 4.2.0 to 4.3.0 (#145)

    Full Changelog: https://github.com/twu/skjold/compare/v0.5.1...v0.6.0

    Source code(tar.gz)
    Source code(zip)
  • v0.5.1(Oct 3, 2022)

    Hotfix release.

    Changes

    • PyUP: Use more_info_path to create correct pyup.io URLs (https://github.com/twu/skjold/pull/140). Thanks @joakimnordling!
    • Dependencies: Bump types-pyyaml from 6.0.9 to 6.0.12 (https://github.com/twu/skjold/pull/134).
    • Dependencies: Bump types-toml from 0.10.7 to 0.10.8 (https://github.com/twu/skjold/pull/124).
    • Actions: Bump coverage from 6.4.1 to 6.5.0 (https://github.com/twu/skjold/pull/138).
    • Actions: Bump actions/setup-python from 4.0.0 to 4.2.0 (https://github.com/twu/skjold/pull/128, https://github.com/twu/skjold/pull/122).

    Full Changelog: https://github.com/twu/skjold/compare/v0.5.0...v0.5.1

    Source code(tar.gz)
    Source code(zip)
  • v0.5.0(Jul 2, 2022)

    Feature / Hotfix release.

    Breaking: This version drops support for Python 3.6 (#117) and adds the filename to both output formats (#118).

    Changes

    • Packaging: Switch to poetry-core (#91). Thanks @fabaff!
    • Gemnasium: Properly handle false positives/withdrawn CVEs marked with (,0) (#90). Thanks @stesix!
    • OSV: Support latest OSV/PyPA schema (only using ECOSYSTEM + versions) (#115). Thanks @Kurt-von-Laven!
    • Feature: Support handling multiple input files (#118). Thanks @joakimnordling!
    • Actions: Bump actions/checkout from 2.3.4 to 2.4.0 (#82).
    • Actions: Bump actions/setup-python from 2.2.2 to 2.3.2 (#93).
    • Breaking: Drops support for Python 3.6 (#117)

    Full Changelog: https://github.com/twu/skjold/compare/v0.4.1...v0.5.0

    Source code(tar.gz)
    Source code(zip)
  • v0.4.1(Aug 9, 2021)

    Hotfix release.

    Changes

    • Github: Properly parse/handle github fixed version specifiers e.g. = 1.4.2. Fixes #61. Thanks @brondsem!
    • Github: Show correct environment variable name if Github API Token is not defined. See #62. Thanks @markus-k!
    Source code(tar.gz)
    Source code(zip)
  • v0.4.0(Aug 8, 2021)

    Feature/Maintenance release.

    Important!: From this release onwards skjold depends on/uses packaging instead of poetry-semver (See #52 for details).

    Changes

    • Use packaging for parsing versions instead of poetry-semver. See #52
    • Display helpful message if Github Token is not found/set when using the github source. See #56
    • Updated dependencies.
    Source code(tar.gz)
    Source code(zip)
  • v0.3.2(Jun 21, 2021)

    Bugfix release.

    Changes

    • Removing verbose flag from .pre-commit-hook.yaml as it is only supposed to be used during debugging. See Comment. Thanks @asottile!
    • Bump types-pyyaml from 0.1.9 to 5.4.3 (#49)
    Source code(tar.gz)
    Source code(zip)
  • v0.3.1(Jun 20, 2021)

  • v0.3.0(Jun 20, 2021)

    Feature / Maintenance release.

    Important!: When using skjold as a pre-commit-hook it only gets triggered if you want to commit changed dependency files (e.g. Pipenv.lock, poetry.lock, requirements.txt,...). It will not continuously check your dependencies on every commit!

    Important!: If you use report_only in any way make sure that you add verbose: true to your hook configuration otherwise pre-commit won't show you any output since the hook is always returning with a zero exit code due to report_only being set!

    Breaking Changes

    • CLI: skjold will now always write the number of ignored findings and vulnerable packages to stderr. The rest of the output json or cli are still written to stdout for easier redirection.

    Changes

    • CLI: Temporarily or permanently ignore findings based on their source identifiers added to .skjoldignore. (See #47) Thanks @micheller!
    • CLI: skjold now outputs ignored findings when using cli or json output formats.
    • OSV/PyPA Advisory DB: Initial support for using either osv or pypa as sources. (See #45)
    • CLI: Advisories with additional references are added to the cli output if present.
    • Bumps mypy to 0.902
      • Moves mypy.ini to pyproject.toml.
      • Adds types-toml and types-PyYAML as dev dependencies.
    • Update README.md.
  • v0.2.1 (Feb 1, 2021)

    Bugfix / Maintenance release.

    Changes

    • Gemnasium: Assume all versions are affected if 'affected_versions' string is empty. (#30). Thanks @dermoumi!
    • Bump pyyaml from 5.3.1 to 5.4.1 (#24, #26)
    • Bump coverage from 5.3.1 to 5.4 (#29)
    • Bump pytest from 6.2.1 to 6.2.2 (#28)
    • Bump mypy from 0.790 to 0.800 (#27)
    • Bump pytest-cov from 2.10.1 to 2.11.1 (#23, #25)
    • Bump pytest-mock from 3.4.0 to 3.5.1 (#21, #22)
    • Update README.md.
  • v0.2.0 (Jan 2, 2021)

    Bugfix / Feature release.

    Changes

    • Refactored CLI.
    • Fix issue with CLI defaults overriding already set values. Fixes #11. Thanks @inkhey!
    • Add py.typed marker file (PEP 561).
    • Replaced tomlkit with the more commonly used toml.
    • Replaced requests with urllib from the standard library.
    • Remove pytest-env since it is unused.
    • Use latest actions/checkout and actions/setup-python in test workflow.
    • Dependencies are now updated by dependabot.
    • Updated dependencies.
  • v0.1.6 (Oct 5, 2020)

    Bugfix / Maintenance release.

    Changes

    • Update README.md. Fix for wrong option name in documentation. Thanks @endwaa! (#7)
    • Properly handle PyUp $meta field when populating advisories from cache. (#8)
    • Set pre-commit default python interpreter from 3.7 to 3.8.
    • Start testing against 3.9.0-rc2.
    • Use latest actions/[email protected] and actions/[email protected] in test workflow.
    • Update pre-commit hook (v2.5.0 -> v3.2.0) and black hook (19.10b0 -> 20.8b1) repositories.
    • Updated dependencies.
  • v0.1.5 (Mar 4, 2020)

    Feature release.

    Changes

    • Determine severity (Base Score) using CVSS 2.0 / CVSS 3.x vectors from Gemnasium records.
    • Print Warning to stderr when failing to extract package and pinned version from a requirements.txt-formatted file. Thanks @brondsem! (#3)
    • Simplify pre-commit instructions. Thanks @asottile! (#6)
    • Updated dependencies.
  • v0.1.4 (Mar 1, 2020)

    Bugfix release.

    Changes

    • Fix #4: CLI crashes when given unknown severity level. Thanks @brondsem! (PR #5)
    • Use red instead of yellow for results with UNKNOWN severity from PyUP and Gemnasium where skjold is (currently) not able to extract or calculate the severity of the item.
    • Colorize results with UNKNOWN severity red instead of yellow.
    • Extend CLI coloring dictionary to cover CVSS v2.0 and CVSS v3.0 severity levels.
    • Set returned severity of PyUP results to 'UNKNOWN' as severity is not present in safety-db.
    • Start handling comments in requirements.txt. Thanks @brondsem!
    • Add bug tracker and changelog URLs to pyproject.toml.
    • Update README.md. Thanks @brondsem!
    • Extended tests.
  • v0.1.3 (Feb 8, 2020)

    Bugfix release.

    Changes

    • Support for Python 3.6.
    • Type annotations for tests.

    Documentation

    • Fixed broken links in README.md. Thanks @ghtyrant!
  • v0.1.2 (Jan 29, 2020)

  • v0.1.1 (Jan 26, 2020)
