Open cda2024 opened 6 months ago
Almost the same problem when we use pdm :/
The current analyzers for pyproject.toml files are the PoetryAnalyzer and the requirements.txt analyzer.
To fix this we must open an MR, create a new analyzer, and route the scan to pdm.lock
files. This is the directive in the toml file that specifies the dependency tool (poetry or pdm):
```console
/host # head pyproject.toml
[tool.pdm]
distribution = false
[tool.pdm.build]
includes = []
[tool.pdm.dev-dependencies]
dev = [
"pre-commit>=3.6.2",
"conventional-pre-commit>=3.1.0",
```
```console
# chussenot @ t495 in /tmp/tmp.qsVWT4DAyh [17:44:18]
$ ag poetry.lock
DependencyCheck/core/src/test/java/org/owasp/dependencycheck/analyzer/PoetryAnalyzerTest.java
56: assertThat(analyzer.accept(new File("poetry.lock")), is(true));
61: final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "poetry.lock"));
DependencyCheck/core/src/main/java/org/owasp/dependencycheck/analyzer/PoetryAnalyzer.java
70: private static final String POETRY_LOCK = "poetry.lock";
76: * The file filter for poetry.lock
78: private static final FileFilter POETRY_LOCK_FILTER = FileFilterBuilder.newInstance()
79: .addFilenames(POETRY_LOCK, PYPROJECT_TOML)
119: return POETRY_LOCK_FILTER;
196: d.addEvidence(EvidenceType.PRODUCT, POETRY_LOCK, "product", name, Confidence.HIGHEST);
197: d.addEvidence(EvidenceType.VERSION, POETRY_LOCK, "version", version, Confidence.HIGHEST);
198: d.addEvidence(EvidenceType.VENDOR, POETRY_LOCK, "vendor", name, Confidence.HIGHEST);
204: final File lock = new File(parent, POETRY_LOCK);
210: + "is not a `poetry.lock` or `requirements.txt` - analysis will be incomplete");
$ ag requirements.txt
DependencyCheck/src/site/markdown/analyzers/index.md
41:| [Pip](./pip.html) | Python Pip requirements.txt files | Regex scan of requirements.txt. |
DependencyCheck/src/site/markdown/analyzers/pip.md
11:artifacts called `requirements.txt`, commonly generated with a command
14: pip freeze > requirements.txt
22:Files Scanned: files named exactly `requirements.txt`.
DependencyCheck/CHANGELOG.md
174:- fix: Support ~= version specifier in requirements.txt and pipfile (#5902)
DependencyCheck/core/src/test/java/org/owasp/dependencycheck/analyzer/PipAnalyzerTest.java
88: assertTrue(analyzer.accept(new File("requirements.txt")));
102: final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "requirements.txt"));
DependencyCheck/core/src/test/java/org/owasp/dependencycheck/analyzer/PipAnalyzerIT.java
72: final Dependency toScan = new Dependency(BaseTest.getResourceAsFile(this, "requirements.txt"));
DependencyCheck/core/src/main/java/org/owasp/dependencycheck/analyzer/PipAnalyzer.java
47: * Used to analyze pip dependency files named requirements.txt.
60: * "requirements.txt".
62: private static final String REQUIREMENTS = "requirements.txt";
DependencyCheck/core/src/main/java/org/owasp/dependencycheck/analyzer/PoetryAnalyzer.java
205: final File requirements = new File(parent, "requirements.txt");
210: + "is not a `poetry.lock` or `requirements.txt` - analysis will be incomplete");
DependencyCheck/core/src/main/java/org/owasp/dependencycheck/analyzer/PinnedMavenInstallAnalyzer.java
53: * Java Maven dependency lockfile like Python's {@code requirements.txt}.
```
@nerdinand @jeremylong Can you help us to work on it?
It seems that the pyproject.toml
skip is no longer working as you wrote in the CHANGELOG:
> ## [Version 9.0.7](https://github.com/jeremylong/DependencyCheck/releases/tag/v9.0.7) (2023-12-18)
> - docs: document insecure configuration for GHSA-qqhq-8r2c-c3f5 (#6315)
> - fix: improve memory usage on NVD update (#6321)
> - fix: skip pyproject.toml unless it contains `tool.poetry` (#6316)
> - fix: resolve build error that may cause an issue on some JDK versions (#6312)
I'm using https://pdm-project.org/latest/ which has a lock file like poetry's but named "pdm.lock". When I change the filename and run the scanner, some vulnerabilities are found. Generating a requirements.txt and using that one will fail.
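The routing the thread asks for, written out as a small added example (not DependencyCheck's code and not PDM's): read the `[tool.*]` table in pyproject.toml to decide whether the project is owned by poetry or pdm, pick the matching lock file, and pull pinned name/version pairs out of it. It assumes pdm.lock is TOML whose `[[package]]` tables carry `name` and `version` keys (the same shape poetry.lock uses); the sample pyproject.toml and pdm.lock below are constructed for this example, and the "neither tool" case is treated as a skip, mirroring the 9.0.7 fix quoted above.

```python
"""Added example: choose the Python lock file to analyze from pyproject.toml.

Not DependencyCheck or PDM code. Assumes pdm.lock is TOML with [[package]]
tables that carry `name` and `version`. Sample inputs are constructed.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # older interpreters: pip install tomli
    import tomli as tomllib  # type: ignore[no-redef]

# Lock file each supported tool writes next to pyproject.toml.
LOCK_FILE_FOR_TOOL = {"poetry": "poetry.lock", "pdm": "pdm.lock"}

# Constructed pyproject.toml for a PDM project (no [tool.poetry] table).
SAMPLE_PYPROJECT = """\
[project]
name = "sample-app"
version = "0.1.0"

[tool.pdm]
distribution = false

[tool.pdm.dev-dependencies]
dev = [
    "pre-commit>=3.6.2",
]
"""

# Constructed pdm.lock with two pinned packages.
SAMPLE_PDM_LOCK = """\
[metadata]
lock_version = "4.4"
content_hash = "sha256:constructed-placeholder"

[[package]]
name = "certifi"
version = "2023.7.22"
summary = "constructed entry"

[[package]]
name = "requests"
version = "2.31.0"
summary = "constructed entry"
"""


def detect_tool(pyproject_text: str) -> str | None:
    """Return 'poetry', 'pdm', or None when neither [tool.*] table exists.

    None means "skip this pyproject.toml"; if both tables exist, poetry wins
    (a convention chosen for this example, not a rule from the project).
    """
    tool = tomllib.loads(pyproject_text).get("tool", {})
    for name in ("poetry", "pdm"):
        if name in tool:
            return name
    return None


def parse_lock(lock_text: str) -> list[tuple[str, str]]:
    """Collect (name, version) from every [[package]] table that has both."""
    data = tomllib.loads(lock_text)
    return [
        (pkg["name"], pkg["version"])
        for pkg in data.get("package", [])
        if "name" in pkg and "version" in pkg
    ]


def scan_project(project_dir: Path) -> dict:
    """Route a project directory to its lock file and read the pins.

    A missing lock file is reported as a warning rather than silently
    yielding zero packages, so an incomplete analysis stays visible.
    """
    result = {"tool": None, "lock_file": None, "packages": [], "warning": None}
    pyproject = project_dir / "pyproject.toml"
    if not pyproject.is_file():
        result["warning"] = "no pyproject.toml found"
        return result
    tool = detect_tool(pyproject.read_text())
    result["tool"] = tool
    if tool is None:
        result["warning"] = "pyproject.toml has no [tool.poetry] or [tool.pdm]; skipped"
        return result
    lock = project_dir / LOCK_FILE_FOR_TOOL[tool]
    result["lock_file"] = lock.name
    if not lock.is_file():
        result["warning"] = f"{lock.name} missing - analysis will be incomplete"
        return result
    result["packages"] = parse_lock(lock.read_text())
    return result


def demo(write_lock: bool = True) -> dict:
    """Write the constructed sample project to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pyproject.toml").write_text(SAMPLE_PYPROJECT)
        if write_lock:
            (root / "pdm.lock").write_text(SAMPLE_PDM_LOCK)
        return scan_project(root)


if __name__ == "__main__":
    report = demo()
    print(f"tool={report['tool']} lock={report['lock_file']}")
    for name, version in report["packages"]:
        print(f"{name}=={version}")
```

Run it against a real checkout by calling `scan_project(Path("."))`; the `packages` list is what an analyzer would turn into product/version evidence, and a non-empty `warning` is the signal that a pyproject.toml was seen but nothing could be pinned.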