safedep / vet

Tool to achieve policy driven vetting of open source dependencies
Apache License 2.0
202 stars 17 forks

Vet is not able to detect setup.py manifest given a directory as scan input #163

Open jchauhan opened 9 months ago

jchauhan commented 9 months ago

Current Result

The setup.py manifest is not detected.

vet  scan -D ../**/tmp/***/ 

 .----------------.  .----------------.  .----------------.
| .--------------. || .--------------. || .--------------. |
| | ____   ____  | || |  _________   | || |  _________   | |
| ||_  _| |_  _| | || | |_   ___  |  | || | |  _   _  |  | |
| |  \ \   / /   | || |   | |_  \_|  | || | |_/ | | \_|  | |
| |   \ \ / /    | || |   |  _|  _   | || |     | |      | |
| |    \ ' /     | || |  _| |___/ |  | || |    _| |_     | |
| |     \_/      | || | |_________|  | || |   |_____|    | |
| |              | || |              | || |              | |
| '--------------' || '--------------' || '--------------' |
 '----------------'  '----------------'  '----------------'

Running in Community Mode
Scanning packages    ... done! [0 in 2ms]
Scanning manifests   ... done! [0 in 2ms]
  **   Summary of Findings 

  ** 0 critical, 0 high and 0 other vulnerabilities were identified

  ** 0 potentially unpopular library identified as direct dependency

  ** 0 libraries are out of date with major version drift in direct dependencies

  ** across 0 libraries in 1 manifest(s)

Consider upgrading the following libraries for maximum impact:

┌───────────┬─────────┬───────────┬────────┐
│ ECOSYSTEM │ PACKAGE │ UPDATE TO │ IMPACT │
├───────────┼─────────┼───────────┼────────┤
└───────────┴─────────┴───────────┴────────┘

Run with `vet --filter="..."` for custom filters to identify risky libraries
For more details https://github.com/safedep/vet

Expected Result

❯ ./vet  scan -D ../***/tmp/***/

 .----------------.  .----------------.  .----------------.
| .--------------. || .--------------. || .--------------. |
| | ____   ____  | || |  _________   | || |  _________   | |
| ||_  _| |_  _| | || | |_   ___  |  | || | |  _   _  |  | |
| |  \ \   / /   | || |   | |_  \_|  | || | |_/ | | \_|  | |
| |   \ \ / /    | || |   |  _|  _   | || |     | |      | |
| |    \ ' /     | || |  _| |___/ |  | || |    _| |_     | |
| |     \_/      | || | |_________|  | || |   |_____|    | |
| |              | || |              | || |              | |
| '--------------' || '--------------' || '--------------' |
 '----------------'  '----------------'  '----------------'

Running in Community Mode
Scanning packages    ... done! [67 in 3.202s]
Scanning manifests   ... done! [1 in 3.202s]
  **   Summary of Findings 

  ** 0 critical, 0 high and 2 other vulnerabilities were identified

  ** 1 potentially unpopular library identified as direct dependency

  ** 27 libraries are out of date with major version drift in direct dependencies

  ** across 71 libraries in 2 manifest(s)

Consider upgrading the following libraries for maximum impact:

┌───────────┬───────────────────┬───────────┬────────┐
│ ECOSYSTEM │ PACKAGE           │ UPDATE TO │ IMPACT │
├───────────┼───────────────────┼───────────┼────────┤
│ PyPI      │ dnsdb@0.2.5       │ 0.2.5     │ 2      │
│           │  low popularity   │           │        │
├───────────┼───────────────────┼───────────┼────────┤
│ PyPI      │ tqdm@0.0.0        │ 4.66.1    │ 2      │
│           │  drift            │           │        │
├───────────┼───────────────────┼───────────┼────────┤
│ PyPI      │ censys@0.0.0      │ 2.2.9     │ 2      │
│           │  drift            │           │        │
├───────────┼───────────────────┼───────────┼────────┤
│ PyPI      │ gvm-tools@21.6.0  │ 23.11.0   │ 2      │
│           │  drift            │           │        │
├───────────┼───────────────────┼───────────┼────────┤
│ PyPI      │ packaging@19.2    │ 23.2.0    │ 2      │
│           │  drift            │           │        │
└───────────┴───────────────────┴───────────┴────────┘

There are 25 more libraries that should be upgraded to reduce risk
Run vet with `--report-markdown=/path/to/report.md` for details

Run with `vet --filter="..."` for custom filters to identify risky libraries
For more details https://github.com/safedep/vet
abhisek commented 9 months ago

@jchauhan This is by design currently, i.e. the setup.py manifest parser is not selected automatically because setup.py is a generic Python code file and can cause high false positives if selected automatically. setup.py is available as an explicit manifest type via --lockfile-as when the user is sure that they want vet to interpret setup.py as a manifest.
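The reasoning in the comment above (setup.py is arbitrary Python, so treating it as a manifest automatically is unreliable) can be made concrete with a small static extractor. This is an added example, not code from the vet project, and it does not reproduce vet's own setup.py parser: it walks the file's AST, looks for a `setup(...)` call, and only accepts `install_requires` when it is a literal list. The three setup.py bodies are constructed inline to show the cases that matter: a literal list (recoverable), a list computed at run time (not recoverable without executing the file), and a file named setup.py that is not a packaging manifest at all (a false positive if detection keyed on the filename). The function names `extract_install_requires` and `summarize` are this example's own.

```python
"""Static, non-executing extraction of install_requires from setup.py.

Added example (not part of vet). It illustrates why a setup.py cannot be
trusted as a dependency manifest unless the user opts in explicitly.
"""
import ast
from dataclasses import dataclass, field
from typing import List


@dataclass
class Extraction:
    requirements: List[str] = field(default_factory=list)
    dynamic: bool = False      # True when install_requires is not a plain literal
    setup_calls: int = 0       # number of setup(...) / *.setup(...) calls seen


def _is_setup_call(node: ast.Call) -> bool:
    """Match both `setup(...)` and `setuptools.setup(...)`."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id == "setup"
    if isinstance(f, ast.Attribute):
        return f.attr == "setup"
    return False


def extract_install_requires(source: str) -> Extraction:
    """Parse the file without executing it and pull out literal requirements."""
    result = Extraction()
    try:
        tree = ast.parse(source)
    except SyntaxError:
        # Not even valid Python: nothing static can be said about it.
        result.dynamic = True
        return result

    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and _is_setup_call(node)):
            continue
        result.setup_calls += 1
        for kw in node.keywords:
            if kw.arg != "install_requires":
                continue
            try:
                value = ast.literal_eval(kw.value)
            except (ValueError, TypeError, SyntaxError):
                # A function call, a name, list concatenation, etc.:
                # the real value only exists at run time.
                result.dynamic = True
                continue
            if isinstance(value, (list, tuple)) and all(isinstance(v, str) for v in value):
                result.requirements.extend(value)
            else:
                result.dynamic = True
    return result


def summarize(name: str, source: str) -> str:
    """One-line verdict a scanner could log for a candidate setup.py."""
    ex = extract_install_requires(source)
    if ex.setup_calls == 0:
        return f"{name}: no setup() call, not a manifest"
    if ex.dynamic:
        return f"{name}: install_requires is computed at run time, {len(ex.requirements)} literal entries only"
    return f"{name}: {len(ex.requirements)} literal requirements"


# --- constructed sample inputs (not taken from any real project) ---
LITERAL_SETUP = '''
from setuptools import setup
setup(
    name="example",
    version="0.1.0",
    install_requires=["requests>=2.31", "tqdm==4.66.1"],
)
'''

DYNAMIC_SETUP = '''
import setuptools
def read_reqs():
    with open("requirements.txt") as fh:
        return [line.strip() for line in fh if line.strip()]
setuptools.setup(name="example", install_requires=read_reqs())
'''

NOT_A_MANIFEST = '''
# A test helper that happens to live in a file called setup.py
def setup(env):
    env["ready"] = True
setup({})
'''

if __name__ == "__main__":
    for label, src in [("literal", LITERAL_SETUP), ("dynamic", DYNAMIC_SETUP), ("helper", NOT_A_MANIFEST)]:
        print(summarize(label, src))
```

The third sample is the false-positive case the comment refers to: the file name and even a `setup()` call are present, yet nothing about it is a packaging manifest, so a scanner that picked setup.py up automatically would report a manifest with zero dependencies. The second sample is the opposite problem: the dependencies exist but are invisible to any non-executing parser. Both are reasons to leave the decision to the user via an explicit manifest-type flag, as the comment describes.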