aswinnnn / pyscan

python dependency vulnerability scanner, written in Rust.
MIT License

Incorrect version detection of requests package #1

Closed anotherbridge closed 1 year ago

anotherbridge commented 1 year ago

Describe the bug: When running pyscan, it tells me there is a vulnerability in my requests dependency, although the version that is reported is not the version that is installed. In the installed version this vulnerability has been patched.

I am getting the following result back after running pyscan:

pyscan v0.1.1 | by Aswin (github.com/aswinnnn)
Found 6 dependencies...
|-| netaddr [0.8.0] -> No vulnerabilities found.
|-| defusedxml [0.7.1] -> No vulnerabilities found.
|-| dnspython [2.3.0rc1] -> No vulnerabilities found.
|-| pandas [2.0.1] -> No vulnerabilities found.
|-| requests [2.9.2] -> Found vulnerabilities!
|-| python-evtx [0.7.4] -> No vulnerabilities found.
SUMMARY

Dependency: requests
ID: GHSA-x84v-xcm2-53pg
Details: The Requests package through 2.19.1 before 2018-09-14 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
Versions affected: 0.0.1 to 2.9.2

Dependency: requests
ID: PYSEC-2018-28
Details: The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
Versions affected: 0.0.1 to 2.9.2

Running a pip3 freeze yields:

defusedxml==0.7.1
dnspython==2.3.0
netaddr==0.8.0
pandas==2.0.1
pyscan-rs==0.1.1
python-evtx==0.7.4
requests==2.30.0

Yet when running pyscan package -n requests -v 2.30.0 I am getting the expected response:

Found 1 dependencies...
|-| requests [2.30.0] -> No vulnerabilities found.

To Reproduce: Steps to reproduce the behavior:

  1. Create a virtual environment
  2. Install the following requirements.txt:
    netaddr
    defusedxml
    dnspython
    pandas
    requests
    python-evtx
  3. Run pip3 install pyscan-rs
  4. Scan the project: pyscan

Expected behavior: It is expected that the version number of the currently installed package is identified correctly.


aswinnnn commented 1 year ago

Thanks for reporting this error. This seems to be a problem due to the https://deps.dev API returning the incorrect latest package version, which is indication enough to stop using it, I suppose. I'm working on the fix right now and it will be released with the next version. I appreciate you reporting it.

aswinnnn commented 1 year ago

Pyscan will be using pip to report the correct version from now on.
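As an added illustration (not pyscan's own code), here is the approach the fix describes: read versions from the local `pip freeze` output instead of a registry's latest-version field, then compare them numerically against the advisory's affected range. The sample freeze text and the advisory tuples are constructed from the output quoted in the report; `parse_freeze`, `version_key`, `is_affected` and `scan` are hypothetical helper names.

```python
import re

# Constructed sample: part of the `pip3 freeze` output quoted in the report.
FREEZE_OUTPUT = "dnspython==2.3.0\npandas==2.0.1\npyscan-rs==0.1.1\nrequests==2.30.0\n"

# Constructed from the 'Versions affected' lines pyscan printed above:
# (package, advisory id, first affected, last affected).
ADVISORIES = [
    ("requests", "GHSA-x84v-xcm2-53pg", "0.0.1", "2.9.2"),
    ("requests", "PYSEC-2018-28", "0.0.1", "2.9.2"),
]
_PRE = {"a": 0, "b": 1, "rc": 2}  # pre-release tags sort before a final release

def normalize(name: str) -> str:
    # Normalize a distribution name the way pip does (case, '_' / '.' vs '-').
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_freeze(text: str) -> dict:
    # Map normalized name -> pinned version; skips comments and VCS/editable lines.
    pins = {}
    for line in text.splitlines():
        if "==" in line and not line.startswith("#"):
            name, version = line.strip().split("==", 1)
            pins[normalize(name)] = version
    return pins

def version_key(v: str) -> tuple:
    # PEP 440-lite sort key: release integers, then (pre-release tag, number).
    # Numeric comparison matters: as strings, "2.9.2" would sort above "2.30.0".
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    release = [int(x) for x in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:  # treat 2.3.0 as equal to 2.3
        release.pop()
    pre = (_PRE[m.group(2)], int(m.group(3))) if m.group(2) else (9, 0)
    return (tuple(release), pre)

def is_affected(installed: str, first: str, last: str) -> bool:
    # Inclusive check against the 'Versions affected: X to Y' form shown above.
    return version_key(first) <= version_key(installed) <= version_key(last)

def scan(freeze_text: str, advisories=ADVISORIES) -> dict:
    # Return {package: [advisory ids]} for pins whose version is in an affected range.
    pins, hits = parse_freeze(freeze_text), {}
    for pkg, adv_id, first, last in advisories:
        v = pins.get(normalize(pkg))
        if v is not None and is_affected(v, first, last):
            hits.setdefault(pkg, []).append(adv_id)
    return hits
```

With the installed pin `requests==2.30.0`, `scan(FREEZE_OUTPUT)` reports nothing, while a pin of `requests==2.9.2` would match both advisory ids.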

anotherbridge commented 1 year ago

Thanks @aswinnnn for the fast response. Looking forward to the next release.

aswinnnn commented 1 year ago

The fix has been released with v0.1.3. Thanks for the input.