airbnb / nerve

A service registration daemon that performs health checks; companion to airbnb/synapse
MIT License
942 stars 151 forks

Project dependencies may have API risk issues #131

Open PyDeps opened 2 years ago

PyDeps commented 2 years ago

Hi, in nerve, inappropriate dependency versioning constraints can cause risks.

Below are the dependencies and version constraints that the project is using.

alabaster==0.7.12
aniso8601==8.0.0
Babel==2.8.0
bcrypt==3.1.7
beautifulsoup4==4.9.1
bs4==0.0.1
certifi==2020.6.20
cffi==1.14.0
chardet==3.0.4
click==7.1.2
cryptography==3.0
decorator==4.4.2
dnspython==2.0.0
docutils==0.16
Flask==1.1.2
Flask-HTTPAuth==4.1.0
Flask-RESTful==0.3.8
html5lib==1.1
idna==2.10
imagesize==1.2.0
itsdangerous==1.1.0
Jinja2==2.11.2
MarkupSafe==1.1.1
mysql-connector==2.2.9
packaging==20.4
paramiko==2.7.1
Pillow==7.2.0
psutil==5.7.2
psycopg2-binary==2.8.5
pycparser==2.20
Pygments==2.6.1
pymongo==3.11.0
PyNaCl==1.4.0
pyparsing==2.4.7
PyPDF2==1.26.0
python-nmap==0.6.1
pytz==2020.1
redis==3.5.3
reportlab==3.5.46
requests==2.24.0
simplejson==3.17.2
six==1.15.0
snowballstemmer==2.0.0
soupsieve==2.0.1
Sphinx==3.1.2
sphinx-rtd-theme==0.5.0
sphinxcontrib-applehelp==1.0.2
sphinxcontrib-devhelp==1.0.2
sphinxcontrib-htmlhelp==1.0.3
sphinxcontrib-jsmath==1.0.1
sphinxcontrib-qthelp==1.0.3
sphinxcontrib-serializinghtml==1.1.4
urllib3==1.25.9
validators==0.18.1
webencodings==0.5.1
Werkzeug==1.0.1

The version constraint == will introduce the risk of dependency conflicts because the scope of dependencies is too strict. The version constraints No Upper Bound and * will introduce the risk of a missing API error because the latest version of the dependencies may remove some APIs.

After further analysis, in this project, the version constraints of the following dependencies can be changed:
beautifulsoup4 can be changed to >=4.10.0,<=4.11.1
Jinja2 can be changed to >=2.7,<=3.1.2
paramiko can be changed to >=1.13.0,<=2.11.0
psutil can be changed to >=3.0.0,<=5.9.1
pymongo can be changed to >=2.4,<=4.1.1
python-nmap can be changed to >=0.3.4,<=0.7.1
redis can be changed to >=2.0.0,<=4.3.3
requests can be changed to >=2.4.0,<=2.15.1
urllib3 can be changed to >=1.9,<=1.26.9
validators can be changed to >=0.9,<=0.20.0
Werkzeug can be changed to >=0.6.1,<=2.1.2

The above modification suggestions can reduce the dependency conflicts as much as possible, and introduce the latest versions as much as possible without causing errors in the project.

The invocations in the current project include all of the following methods.

The calling methods from beautifulsoup4
bs4.BeautifulSoup
The calling methods from Jinja2
jinja2.Environment.get_template
The calling methods from paramiko
paramiko.SSHClient.close
paramiko.AutoAddPolicy
paramiko.SSHClient
paramiko.SSHClient.set_missing_host_key_policy
paramiko.SSHClient.connect
The calling methods from psutil
psutil.net_if_addrs
The calling methods from pymongo
pymongo.MongoClient
The calling methods from python-nmap
nmap.PortScanner
The calling methods from redis
redis.ConnectionPool
redis.Redis
The calling methods from requests
requests.head
requests.auth.HTTPBasicAuth
urllib3.disable_warnings
requests.post
requests.put
requests.get
requests.options
requests.delete
The calling methods from urllib3
urllib3.disable_warnings
The calling methods from validators
validators.domain
The calling methods from Werkzeug
werkzeug.security.generate_password_hash
werkzeug.security.check_password_hash
The calling methods from all modules
core.logging.logger.debug
email.mime.multipart.MIMEMultipart.attach
logging.getLogger.setLevel
core.reports.generate_txt
isinstance
self.http_request
paramiko.AutoAddPolicy
core.parser.ConfParser.get_cfg_webhook
socket.gethostname
core.parser.Helper
email.mime.multipart.MIMEMultipart
self.contains_password_form
flask.Flask.register_blueprint
validators.domain
ftplib.FTP.login
run_rules
core.port_scanner.Scanner
core.redis.rds.store_json
core.redis.rds.store
core.security.verify_password
flask_restful.Api
threading.Thread.start
socket.socket.close
paramiko.SSHClient.connect
self.r.sadd
self.nmap.scan.items
core.redis.rds.start_session
urllib3.disable_warnings
flask.request.get_json
core.manager.rule_manager
version.VERSION.replace.replace
core.utils.Utils.is_string_email
core.parser.ConfParser.get_cfg_networks
core.redis.rds.store_topology
core.utils.Charts.make_radar
host.data.add
jinja2.FileSystemLoader
u_settings.get.route
open
core.redis.rds.create_session
werkzeug.security.generate_password_hash
self.netutils.is_valid_port
ipaddress.ip_address
threading.enumerate
db.db_ports.database_ports.items
core.reports.generate_csv
pickle.loads
resp.text.startswith
self.is_file_ds_store
self.utils.hash_sha1
resp.headers.get
core.utils.Utils.generate_uuid
core.parser.ConfParser.get_cfg_custom_ports
core.utils.Utils.sev_to_human
core.parser.ConfParser
core.parser.ConfParser.get_cfg_usernames
psycopg2.connect.close
bs4.BeautifulSoup.find_all
logging.StreamHandler.setLevel
self.randomize_origin
core.redis.rds.is_ip_blocked
type
smtplib.SMTP.sendmail
core.redis.rds.get_vuln_data
app.config.update
core.parser.ConfParser.get_cfg_allow_bf
core.redis.rds.store_vuln
core.redis.rds.clear_session
dns.resolver.query
core.utils.Integration
k.decode.decode
self.r.dbsize
core.parser.ConfParser.get_cfg_exc_networks
flask.stream_with_context
core.parser.ScanParser.get_module
self.get_scan_progress
os.remove
core.parser.ConfParser.get_cfg_scan_threads
os.environ.get
smtplib.SMTP.login
os.urandom
self.rds.clear_session
core.redis.rds.get_last_scan
core.utils.Network
requests.put
copy.deepcopy.append
flask.render_template
core.utils.Integration.submit_webhook
__import__
logging.StreamHandler.setFormatter
core.triage.Triage.run_cmd
f.write
join
__import__.Rule
os.geteuid
scanner.scan.items
open.write
flask.request.get_json.get
format.decode
smtplib.SMTP
datetime.datetime.now.strftime
self.r.get
flask.Blueprint
self.mongodb_attack
k.decode.split
socket.socket.connect_ex
function_to_protect
self.generate_str
pickle.dumps
format.encode
resp.headers.get.lower
sys.path.insert
socket.socket.settimeout
redis.ConnectionPool
self.utils.is_string_url
core.parser.ConfParser.get_cfg_max_ports
requests.get
requests.options
self.rds.store_json
core.redis.rds.get_exclusions
core.parser.ScanParser
self.utils.generate_uuid
f.read
dict
core.triage.Triage.http_request
paramiko.SSHClient.close
core.utils.Utils.is_string_url
len
vulns.items
flask.session.get
self.r.scan_iter
core.redis.rds.end_session
json.dumps
core.redis.rds.initialize
core.utils.Charts
requests.post
self.is_scan_active
core.redis.rds.store_sch
conf.get_cfg_exc_networks.append
core.utils.Network.get_primary_ip
email.mime.multipart.MIMEMultipart.as_string
str
core.redis.rds.get_topology
xml.etree.ElementTree.SubElement
core.parser.ConfParser.get_cfg_netinterface
core.redis.rds.get_inventory_data
all
redis.Redis
p.get_module.lower
re.findall
core.register.Register
flask_httpauth.HTTPBasicAuth
self.store
pymongo.MongoClient
self.r.flushdb
core.utils.Utils
core.utils.Network.get_nics
core.workers.start_workers
requests.head
core.reports.generate_xml
logging.getLevelName
join.keys
ssl.create_default_context
self.is_attack_active
glob.glob
mysql.connector.connect
RedisManager
copy.deepcopy
socket.socket.sendall
flask.make_response
s.recv.decode
csv.writer.writerow
core.parser.ConfParser.get_cfg_passwords
bs4.BeautifulSoup.findAll
self.clear_session
self.netutils.is_dns
ipaddress.ip_network
core.manager.rule_manager.values
flask_restful.Api.add_resource
text.encode
struct.unpack_from
sys.exit
shlex.split
core.parser.ConfParser.get_cfg_allow_inet
xml.etree.ElementTree.Element
any
mysql.connector.connect.is_connected
paramiko.SSHClient
f.close
flask.flash
self.ssh_attack
email.mime.text.MIMEText.add_header
core.redis.rds.get_scan_data.items
requests.delete
logging.FileHandler.setLevel
self.r.smembers
sorted.items
core.parser.ScanParser.get_cpe
network.startswith
self.r.delete
re.match
functools.wraps
resp.url.startswith
xml.etree.ElementTree.tostring.items
schedule_domains
i.attrs.get
header.lower
hashlib.sha1
os.path.basename
subprocess.Popen
flask.Flask
core.utils.Integration.submit_slack
datetime.datetime.now
uuid.uuid4
psycopg2.connect
self.mysql_attack
self.generate_filename
fields.append
version.VERSION.replace
core.parser.ConfParser.get_cfg_frequency
core.parser.ConfParser.get_cfg_domains
nmap.PortScanner
flask.send_from_directory
flask.Flask.run
socket.socket.recv
p.get_product.lower
resp.headers.startswith
flask.make_response.set_cookie
core.redis.rds.store_inv
core.redis.rds.get_slack_settings
socket.socket
self.utils.is_string_safe
float
flask.redirect
rules.append
core.redis.rds.get_ips_to_scan
core.parser.ScanParser.get_product
core.redis.rds.get_scan_config
logging.Formatter
core.redis.rds.get_scan_count
self.psql_attack
flask.request.form.get
core.redis.rds.get_scan_progress
socket.socket.connect
psutil.net_if_addrs
xml.etree.ElementTree.tostring
generate
core.parser.ScanParser.get_domain
requests.auth.HTTPBasicAuth
self.utils.get_datetime
email.header.Header
resp.headers.items
core.reports.generate_html
data.items
flask.session.pop
flask.request.values.get
header.startswith
smtplib.SMTP.starttls
a.has_attr
socket.socket.getsockname
self.netutils.is_network_in_denylist
core.mailer.send_email
ftplib.FTP
char.isdigit
core.parser.SchemaParser.verify
core.redis.rds.store_sca
core.redis.rds.delete
random.choices
value.items
core.utils.Charts.make_doughnut
time.sleep
threading.Thread
jinja2.Environment
format
self.rule_match_string.items
core.register.Register.scan
core.redis.rds.log_attempt
self.r.incr
key.decode.split
sorted
resp.text.split.replace
a.contents.split
port.ip.MongoClient.list_database_names
logging.getLogger.addHandler
logging.StreamHandler
i.name.startswith
core.redis.rds.get_session_state
core.redis.rds.get_email_settings
logging.FileHandler
flask.Blueprint.route
core.parser.ConfParser.get_raw_cfg
email.mime.text.MIMEText
core.parser.SchemaParser
core.parser.Helper.portTranslate
csv.writer
core.logging.logger.error
mysql.connector.connect.close
logging.getLogger
core.triage.Triage
self.utils.clear_log
core.triage.Triage.string_in_headers
flask.request.get_json.route
self.netutils.is_network
text.encode.hashlib.sha1.hexdigest
get_rules
re.search
set
bs4.BeautifulSoup
self.rds.create_session
threading.active_count
self.ftp_attack
k.decode
schedule_ips
templateEnv.get_template.render
werkzeug.security.check_password_hash
self.r.exists
core.redis.rds.get_scan_data
paramiko.SSHClient.set_missing_host_key_policy
self.r.get.decode
urllib.parse.urlparse
subprocess.Popen.communicate
resp.text.split
smtplib.SMTP_SSL
open.close
os.path.exists
core.logging.logger.info
self.redis_attack
xml.etree.ElementTree.Element.append
core.redis.rds.get_vuln_by_id
xml.etree.ElementTree.tostring.decode
int
core.triage.Triage.has_cves
uuid.uuid4.str.split
req.headers.get
socket.getservbyport
logging.FileHandler.setFormatter
flask.Response
email.utils.formataddr
smtplib.SMTP.quit
core.port_scanner.Scanner.scan
r.split
config.WEB_LOG.open.close
self.utils.is_user_root
res.items
jinja2.Environment.get_template
core.utils.Utils.is_version_latest
core.utils.Utils.get_date
self.r.set
self.store_json
self.nmap.scan
core.redis.rds.is_session_active

@developer Could you please help me check this issue? May I open a pull request to fix it? Thank you very much.