Closed manuel-cohere closed 5 days ago
@manuel-cohere https://osv.dev/vulnerability/MAL-2024-4924
python depscan/cli.py --purl "pkg:pypi/coloramas@0.4.6" --reports-dir /tmp/reports
██████╗ ███████╗██████╗ ███████╗ ██████╗ █████╗ ███╗ ██╗
██╔══██╗██╔════╝██╔══██╗██╔════╝██╔════╝██╔══██╗████╗ ██║
██║ ██║█████╗ ██████╔╝███████╗██║ ███████║██╔██╗ ██║
██║ ██║██╔══╝ ██╔═══╝ ╚════██║██║ ██╔══██║██║╚██╗██║
██████╔╝███████╗██║ ███████║╚██████╗██║ ██║██║ ╚████║
╚═════╝ ╚══════╝╚═╝ ╚══════╝ ╚═════╝╚═╝ ╚═╝╚═╝ ╚═══╝
DEBUG [2024-09-09 19:05:28,689] Retrieved package metadata for 0/1 packages. Failures count 0
DEBUG [2024-09-09 19:06:07,393] Vulnerability database loaded from /mnt/work/vdb/data.vdb5
DEBUG [2024-09-09 19:06:07,393] Scanning 1 oss dependencies for issues
Dependency Scan Results (PYPI)
╔══════════════════════════════════════════════════════════════╤═══════════════════════════╤════════════════════════╤═══════════════════╤════════════╗
║ CVE │ Insights │ Fix Version │ Severity │ Score ║
╟──────────────────────────────────────────────────────────────┼───────────────────────────┼────────────────────────┼───────────────────┼────────────╢
║ coloramas@0.4.6 ⬅ MAL-2024-4924 │ 🛑 Malicious │ │ CRITICAL │ 10.0 ║
╚══════════════════════════════════════════════════════════════╧═══════════════════════════╧════════════════════════╧═══════════════════╧════════════╝
╭────────────────────────────────────────────────────────────────────── Action Required ───────────────────────────────────────────────────────────────────────╮
│ 🛑 Malicious package found! Treat this as a security incident and follow your organization's playbook to remove this package from all affected applications. │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
I apologise for the incomplete report.
This is what I'm getting:
{
"bom-ref": "MAL-2024-4924/pkg:pypi/colorama@0.4.6",
"id": "MAL-2024-4924",
"source": {},
"ratings": [
{
"score": 10.0,
"severity": "critical",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"method": "CVSSv31"
}
],
"cwes": [],
"description": "# Malicious code in coloramas (PyPI)\n\n---\n_-= Per source details. Do not edit below this line.=-_",
"recommendation": "",
"advisories": [],
"analysis": {
"state": "in_triage",
"detail": "Dependency Tree: [\"pkg:pypi/ariadne-codegen@0.12.0\", \"pkg:pypi/click@8.1.7\", \"pkg:pypi/colorama@0.4.6\"]"
},
It is flagging pypi/ariadne-codegen@0.12.0, but that package depends on colorama, not coloramas.
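The mismatch described in this report (an advisory for the typosquat `coloramas` attributed to the legitimate `colorama` in the dependency tree) comes down to how advisory PURLs are compared with SBOM component PURLs. The following is an added, self-contained example and is not depscan's code, nor taken from #346: it contrasts a hypothetical loose matcher that treats one package name containing the other as a hit (shown only to reproduce the false positive) with a strict matcher that requires the same ecosystem, the same PEP 503-normalized name and a compatible version. The `parse_purl`, `substring_match`, `exact_match` and `affected_components` helpers are illustrative names, and the sample component list is constructed from the dependency tree quoted above.

```python
import re
from urllib.parse import unquote

# Constructed inputs for this example: the dependency tree quoted in the issue
# plus the malicious package's PURL as it appears in the depscan table.
SBOM_COMPONENTS = [
    "pkg:pypi/ariadne-codegen@0.12.0",
    "pkg:pypi/click@8.1.7",
    "pkg:pypi/colorama@0.4.6",
]
ADVISORY_PURL = "pkg:pypi/coloramas@0.4.6"

# Minimal PURL shape: pkg:type/[namespace/]name[@version]; qualifiers and
# subpath are ignored here, which is enough for the PyPI case under discussion.
_PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?:(?P<ns>.+)/)?(?P<name>[^/@?#]+)(?:@(?P<version>[^?#]+))?"
)


def normalize_pypi_name(name):
    """PEP 503 normalization: case-insensitive; runs of '-', '_', '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_purl(purl):
    """Split a PURL into its parts, normalizing the name for the pypi ecosystem."""
    m = _PURL_RE.match(purl)
    if not m:
        raise ValueError(f"not a package URL: {purl!r}")
    ptype = m.group("type").lower()
    name = unquote(m.group("name"))
    if ptype == "pypi":
        name = normalize_pypi_name(name)
    return {
        "type": ptype,
        "namespace": m.group("ns"),
        "name": name,
        "version": m.group("version"),
    }


def _version_applies(advisory, component):
    # An advisory with no version pin applies to every version of that package.
    return advisory["version"] is None or advisory["version"] == component["version"]


def substring_match(advisory_purl, component_purl):
    """Hypothetical loose matcher (NOT depscan's logic): a hit whenever one name
    contains the other. This is the kind of comparison that maps an advisory
    for 'coloramas' onto 'colorama'."""
    a, c = parse_purl(advisory_purl), parse_purl(component_purl)
    same_eco = a["type"] == c["type"]
    name_overlap = a["name"] in c["name"] or c["name"] in a["name"]
    return same_eco and name_overlap and _version_applies(a, c)


def exact_match(advisory_purl, component_purl):
    """Strict matcher: same ecosystem, same namespace, same normalized name,
    and a version the advisory actually covers."""
    a, c = parse_purl(advisory_purl), parse_purl(component_purl)
    return (
        a["type"] == c["type"]
        and a["namespace"] == c["namespace"]
        and a["name"] == c["name"]
        and _version_applies(a, c)
    )


def affected_components(advisory_purl, components, matcher=exact_match):
    """Return the SBOM components the advisory applies to under the given matcher."""
    return [c for c in components if matcher(advisory_purl, c)]


if __name__ == "__main__":
    # Loose matching reproduces the false positive from the report.
    print(affected_components(ADVISORY_PURL, SBOM_COMPONENTS, substring_match))
    # Strict matching correctly finds nothing: colorama is not coloramas.
    print(affected_components(ADVISORY_PURL, SBOM_COMPONENTS))
```

Normalization still matters for the strict path: `Colorama`, `colorama` and `COLORAMA` are the same PyPI project and should match, while `coloramas` differs by a character and must not. Ecosystem is checked too, so an npm advisory never lands on a PyPI component of the same name.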
Thank you! This is fixed by #346
PURL of wrongly matched component
pypi:coloramas
Depscan findings
I don't get the same output with that command.