Security audit Python project dependencies against security advisory databases.

Overview

Test Coverage

        .         .    .      Skjold /skjɔl/
    ,-. | , . ,-. |  ,-|
    `-. |<  | | | |  | |      Security audit python project dependencies
    `-' ' ` | `-' `' `-´      against several security advisory databases.
           `'

Introduction

It currently supports fetching advisories from the following sources:

Source Name Notes
GitHub Advisory Database github
PyUP.io safety-db pyup
GitLab gemnasium-db gemnasium
PYPA Advisory Database pypa Experimental! Only supports ECOSYSTEM and SEMVER!
OSV.dev Database osv Experimental! Only supports ECOSYSTEM and SEMVER!
Sends package information to OSV.dev API.

No source is enabled by default! Individual sources can be enabled by setting sources list (see Configuration). There is (currently) no de-duplication meaning that using all of them could result in a lot of duplicates.

Motivation

Skjold was initially created for myself to replace safety. Which appears to no longer receive monthly updates (see pyupio/safety-db #2282). I wanted something I can run locally and use for my local or private projects/scripts.

I currently also use it during CI builds and before deploying/publishing containers or packages.

Installation

skjold can be installed from either PyPI or directly from Github using pip:

pip install skjold                                        # Install from PyPI
pip install git+https://github.com/twu/[email protected]  # Install from Github

This should provide a script named skjold that can then be invoked. See Usage.

Usage

$ pip list --format=freeze | skjold -v audit --sources gemnasium -

When running audit one can either provide a path to a frozen requirements.txt, a poetry.lock or a Pipfile.lock file. Alternatively, dependencies can also be passed in via stdin (formatted as package==version).

skjold will maintain a local cache (under cache_dir) that will expire automatically after cache_expires has passed. The cache_dir and cache_expires can be adjusted by setting them in tools.skjold section of the projects pyproject.toml (see Configuration for more details). The cache_dirwill be created automatically, and by default unless otherwise specified will be located under $HOME/.skjold/cache.

For further options please read skjold --help and/or skjold audit --help.

Examples

All examples involving github assume that SKJOLD_GITHUB_API_TOKEN is already set (see Github).

# Using pip list. Checking against GitHub only.
$ pip list --format=freeze | skjold audit -s github -

# Be verbose. Read directly from supported formats.
$ skjold -v audit requirements.txt
$ skjold -v audit poetry.lock
$ skjold -v audit Pipenv.lock

# Using poetry.
$ poetry export -f requirements.txt | skjold audit -s github -s gemnasium -s pyup -

# Using poetry, format output as json and pass it on to jq for additional filtering.
$ poetry export -f requirements.txt | skjold audit -o json -s github - | jq '.[0]'

# Using Pipenv, checking against Github
$ pipenv run pip list --format=freeze | skjold audit -s github -

# Checking a single package via stdin against Github and format findings as json.
$ echo "urllib3==1.23" | skjold audit -o json -r -s github -
[
  {
    "severity": "HIGH",
    "name": "urllib3",
    "version": "1.23",
    "versions": "<1.24.2",
    "source": "github",
    "summary": "High severity vulnerability that affects urllib3",
    "references": [
      "https://nvd.nist.gov/vuln/detail/CVE-2019-11324"
    ],
    "url": "https://github.com/advisories/GHSA-mh33-7rrq-662w"
  }
]

# Checking a single package via stdin against Gemnasium and report findings (`-o cli`).
$ echo "urllib3==1.23" | skjold audit -o cli -r -s gemnasium -

urllib3==1.23 (<=1.24.2) via gemnasium

CRLF injection. In the urllib3 library for Python, CRLF injection is possible
if the attacker controls the request parameter.
https://nvd.nist.gov/vuln/detail/CVE-2019-11236
--

urllib3==1.23 (<1.24.2) via gemnasium

Weak Authentication Caused By Improper Certificate Validation. The urllib3
library for Python mishandles certain cases where the desired set of CA
certificates is different from the OS store of CA certificates, which results
in SSL connections succeeding in situations where a verification failure is the
correct outcome. This is related to use of the `ssl_context`, `ca_certs`, or
`ca_certs_dir` argument.
https://nvd.nist.gov/vuln/detail/CVE-2019-11324
--

urllib3==1.23 (<1.25.9) via gemnasium

Injection Vulnerability. urllib3 allows CRLF injection if the attacker controls
the HTTP request method, as demonstrated by inserting `CR` and `LF` control
characters in the first argument of `putrequest()`. NOTE: this is similar to
CVE-2020-26116.
https://nvd.nist.gov/vuln/detail/CVE-2020-26137
--

Ignore Findings

Findings can be ignored either by manually adding an entry using the sources identifier to a file named .skjoldignore (See Example) or by using in the CLI. Below are a few possible usage examples.

skjold audit -s pyup poetry.lock # ... or using -i/--ignore-file $ skjold audit -s pyup -i poetry.lock">
# Ignore PYSEC-2020-148 finding from PyPA source until a certain date with a specific reason.
$ skjold ignore urllib3 PYSEC-2020-148 --reason "Very good reason." --expires "2021-01-01T00:00:00+00:00"
Ignore urllib3 in PYSEC-2020-148 until 2021-01-01 00:00:00+00:00?
Very good reason.
--
Add to '.skjoldignore'? [y/N]: y

# Ignore PYSEC-2020-148 finding from PyPA source for 7 days with "No immediate remediation." reason.
$ skjold ignore urllib3 PYSEC-2020-148
Ignore urllib3 in PYSEC-2020-148 until ...?
No immediate remediation.
--
Add to '.skjoldignore'? [y/N]: y

# Audit `poetry.lock` using a custom `.skjoldignore` file location via `ENV`...
$ SKJOLD_IGNORE_FILE=
    
      skjold audit -s pyup poetry.lock

# ... or using -i/--ignore-file
$ skjold audit -s pyup -i 
     
       poetry.lock

     
    

Configuration

skjold can read its configuration from the tools.skjold section of a projects pyproject.toml. Arguments specified via the command-line should take precedence over any configured or default value.

[tool.skjold]
sources = ["github", "pyup", "gemnasium"]  # Sources to check against.
report_only = true                         # Report only, always exit with zero.
report_format = 'json'                     # Output findings as `json`. Default is 'cli'.
cache_dir = '.skjold_cache'                # Cache location (default: `~/.skjold/cache`).
cache_expires = 86400                      # Cache max. age.
ignore_file = '.skjoldignore'              # Ignorefile location (default `.skjoldignore`).
verbose = true                             # Be verbose.

To take a look at the current configuration / defaults run:

$ skjold config
sources: ['pyup', 'github', 'gemnasium']
report_only: True
report_format: json
verbose: False
cache_dir: .skjold_cache
cache_expires: 86400
ignore_file = '.skjoldignore'

Github

For the github source to work you'll need to provide a Github API Token via an ENV variable named SKJOLD_GITHUB_API_TOKEN. You can create a new Github Access Token here. You do not have to give it any permissions as it is only required to query the GitHub GraphQL API v4 API.

Version Control Integration

To use skjold with the excellent pre-commit framework add the following to the projects .pre-commit-config.yaml after installation.

repos:
  - repo: https://github.com/twu/skjold
    rev: vX.X.X
    hooks:
    - id: skjold
      verbose: true  # Important if used with `report_only`, see below.

After running pre-commit install the hook should be good to go. To configure skjold in this scenario I recommend adding the entire configuration to the projects pyproject.toml instead of manipulating the hook args. See this projects pyproject.toml for an example.

Important!: When using skjold as a pre-commit-hook it only gets triggered if you want to commit changed dependency files (e.g. Pipenv.lock, poetry.lock, requirements.txt,...). It will not continuously check your dependencies on every commit!

You could run pre-commit run skjold --all-files manually in your workflow/scripts or run skjold manually. If you have a better solution please let me know!

Important!: If you use report_only in any way make sure that you add verbose: true to your hook configuration otherwise pre-commit won't show you any output since the hook is always returning with a zero exit code due to report_only being set!

Contributing

Pull requests are welcome! For major changes, please open an issue first to discuss what you would like to change.

Please make sure to update tests as appropriate.

Comments
  • Bump pytest-mock from 3.9.0 to 3.10.0

    Bump pytest-mock from 3.9.0 to 3.10.0

    Bumps pytest-mock from 3.9.0 to 3.10.0.

    Release notes

    Sourced from pytest-mock's releases.

    v3.10.0

    • Added new mocker.stop(m) method to stop specific mocker.patch or mocker.spy calls (#319).
    Changelog

    Sourced from pytest-mock's changelog.

    3.10.0 (2022-10-05)

    • Added new mocker.stop(m) method to stop specific mocker.patch or mocker.spy calls ([#319](https://github.com/pytest-dev/pytest-mock/issues/319)_).

    .. _#319: pytest-dev/pytest-mock#319

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies python 
    opened by dependabot[bot] 5
  • Pre-commit hook fails if multiple lock or requirements files are modified at same time

    Pre-commit hook fails if multiple lock or requirements files are modified at same time

    If you in your repo have multiple files that should be analyzed by skjold and use it as a pre-commit hook, the hook fails if you modify multiple lock/requirements files in the same commit.

    The reason to the problem is that pre-commit tries to invoke skjold audit with multiple files as arguments at once and the skjold audit command only accepts one file at a time.

    A minimal POC can be obtained by just creating an empty git repo (mkdir skjold-poc; cd skjold-poc; git init), enabling pre-commit (pre-commit install), adding a .pre-commit-config.yaml containing

    repos:
      - repo: https://github.com/twu/skjold
        rev: v0.4.1
        hooks:
        - id: skjold
          verbose: true
    

    and then creating two (or more) requirements files (touch requirements.txt requirements-dev.txt) and then running git add .

    If you then try to commit with git commit -m "Adding requirements files" you will be greeted with an error saying: Error: Got unexpected extra argument (requirements.txt). If you add even more different lock files or requirements-something.txt files the message will be expanded with more extra arguments.

    It's probably not that common people would have both poetry.lock and Pipfile.lock files, but possible people want to have multiple requirements.txt files (one for dev and one for prod) or multiple lock files in different directories of the same repo and get them all analyzed. It's of course possible to somewhat well avoid the problem by modifying only one lock file at a time, but the same issue also affects pre-commit run --all-files that will scan all the matched files regardless of if they've been changed or not.

    bug 
    opened by joakimnordling 4
  • More flexibility in requirements.txt format

    More flexibility in requirements.txt format

    If a requirements file has anything extra, this error is raised:

      File "/Users/brondsem/tmp/py3venv/lib/python3.6/site-packages/skjold/cli.py", line 169, in audit_
        packages = extract_package_list_from(config, file, file_format)
      File "/Users/brondsem/tmp/py3venv/lib/python3.6/site-packages/skjold/formats.py", line 80, in extract_package_list_from
        for package in reader_func(file):
      File "/Users/brondsem/tmp/py3venv/lib/python3.6/site-packages/skjold/formats.py", line 47, in read_requirements_txt_from
        package_name, package_version = line.strip().split(" ")[0].split("==")
    ValueError: not enough values to unpack (expected 2, got 1)
    

    The most common example that can cause this is # for comments.

    I also have requirements.txt files with hashes specified and spanning multiple lines, like this:

    beautifulsoup4==4.8.0 \
        --hash=sha256:05668158c7b85b791c5abde53e50265e16f98ad601c402ba44d70f96c4159612 \
        --hash=sha256:25288c9e176f354bf277c0a10aa96c782a6a18a17122dba2e8cec4a97e03343b \
        --hash=sha256:f040590be10520f2ea4c2ae8c3dae441c7cfff5308ec9d58a0ec0c1b8f81d469
    

    There are other things that can be in a valid requiremens.txt file too, like extra pip options. https://pip.pypa.io/en/latest/reference/pip_install/#requirements-file-format

    These can all be worked around by massaging the requirements file first and passing it as stdin something like: cat requirements.txt | sed 's/#.*//' | skjold audit -s gemnasium - But it would be very handy for skjold to handle any requirements.txt file that is valid for pip

    enhancement 
    opened by brondsem 4
  • Invalid specifier error

    Invalid specifier error

    Hi @twu !! I got the bellow error. Can I help to fix this?

    specifiers.SpecifierSet(f"=={x}", prereleases=True) File "/home/bernardo.abreu/.cache/pre-commit/repow4ikj4am/py_env-python3/lib/python3.10/site-packages/packaging/specifiers.py", line 700, in __init__ parsed.add(Specifier(specifier)) File "/home/bernardo.abreu/.cache/pre-commit/repow4ikj4am/py_env-python3/lib/python3.10/site-packages/packaging/specifiers.py", line 234, in __init__ raise InvalidSpecifier(f"Invalid specifier: '{spec}'") packaging.specifiers.InvalidSpecifier: Invalid specifier: '==0.7.1.fix1'

    opened by Bernardoow 3
  • Bump coverage from 7.0.0 to 7.0.1

    Bump coverage from 7.0.0 to 7.0.1

    Bumps coverage from 7.0.0 to 7.0.1.

    Changelog

    Sourced from coverage's changelog.

    Version 7.0.1 — 2022-12-23

    • When checking if a file mapping resolved to a file that exists, we weren't considering files in .whl files. This is now fixed, closing issue 1511_.

    • File pattern rules were too strict, forbidding plus signs and curly braces in directory and file names. This is now fixed, closing issue 1513_.

    • Unusual Unicode or control characters in source files could prevent reporting. This is now fixed, closing issue 1512_.

    • The PyPy wheel now installs on PyPy 3.7, 3.8, and 3.9, closing issue 1510_.

    .. _issue 1510: nedbat/coveragepy#1510 .. _issue 1511: nedbat/coveragepy#1511 .. _issue 1512: nedbat/coveragepy#1512 .. _issue 1513: nedbat/coveragepy#1513

    .. _changes_7-0-0:

    Commits
    • c5cda3a docs: releases take a little bit longer now
    • 9d4226e docs: latest sample HTML report
    • 8c77758 docs: prep for 7.0.1
    • da1b282 fix: also look into .whl files for source
    • d327a70 fix: more information when mapping rules aren't working right.
    • 35e249f fix: certain strange characters caused reporting to fail. #1512
    • 152cdc7 fix: don't forbid plus signs in file names. #1513
    • 31513b4 chore: make upgrade
    • 873b059 test: don't run tests on Windows PyPy-3.9
    • 5c5caa2 build: PyPy wheel now installs on 3.7, 3.8, and 3.9. #1510
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies python 
    opened by dependabot[bot] 3
  • Allow ignoring CVEs

    Allow ignoring CVEs

    Motivation: One might need a way to ignore a vulnerability

    • temporarily until a migration to a new library would take place so that safety check does not fail every day until you migrate
    • permanently for example, if you faced a CVE like this: https://nvd.nist.gov/vuln/detail/CVE-2020-28463
    enhancement 
    opened by micheller 3
  • report-only and report_format not implemented ?

    report-only and report_format not implemented ?

    Hello, Thanks for this program. I do tried the report_only mode with report_format as json but cannot make it work, it seems the program just ignore it. I check a bit into the code but i didn't found the part of the code that does make these parameter work, so i'm thinking that maybe an unimplemented feature ?

    bug 
    opened by inkhey 3
  • `Warning: No advisory sources configured!` must not be raised if advisory sources were passed via CLI

    `Warning: No advisory sources configured!` must not be raised if advisory sources were passed via CLI

    Reproducible sample

    SKJOLD_GITHUB_API_TOKEN=<YOUR_TOKEN> skjold -v audit poetry.lock -s pyup -s gemnasium -s pypa -s osv -s github
    

    Versions

    skjold, version 0.5.1

    Related source code

    https://github.com/twu/skjold/blob/1de5a6696d78b846a7eadbf8f7cf20f20ac31a2b/src/skjold/tasks.py#L60

    Possible fix

    Check CLI arguments before raising the warning.

    opened by AIGeneratedUsername 2
  • pypa audits raise ScannerError: mapping values are not allowed here

    pypa audits raise ScannerError: mapping values are not allowed here

    pypa audits started failing in the past day or so. Here's an example:

    $ rm -rf .skjold_cache/
    $ echo 'bottle==0.12.23' | skjold audit -s pypa -
    Warning: No 'pyproject.toml' found!
    Traceback (most recent call last):
      File "../env/bin/skjold", line 8, in <module>
        sys.exit(cli())
      File "../env/lib/python3.7/site-packages/click/core.py", line 1130, in __call__
        return self.main(*args, **kwargs)
      File "../env/lib/python3.7/site-packages/click/core.py", line 1055, in main
        rv = self.invoke(ctx)
      File "../env/lib/python3.7/site-packages/click/core.py", line 1657, in invoke
        return _process_result(sub_ctx.command.invoke(sub_ctx))
      File "../env/lib/python3.7/site-packages/click/core.py", line 1404, in invoke
        return ctx.invoke(self.callback, **ctx.params)
      File "../env/lib/python3.7/site-packages/click/core.py", line 760, in invoke
        return __callback(*args, **kwargs)
      File "../env/lib/python3.7/site-packages/click/decorators.py", line 84, in new_func
        return ctx.invoke(f, obj, *args, **kwargs)
      File "../env/lib/python3.7/site-packages/click/core.py", line 760, in invoke
        return __callback(*args, **kwargs)
      File "../env/lib/python3.7/site-packages/skjold/cli.py", line 184, in audit_
        findings = audit(config, packages, ignore=ignore)
      File "../env/lib/python3.7/site-packages/skjold/tasks.py", line 225, in audit
        if source.has_security_advisory_for(dependency):
      File "../env/lib/python3.7/site-packages/skjold/sources/pypa.py", line 65, in has_security_advisory_for
        return dependency.canonical_name in self.advisories.keys()
      File "../env/lib/python3.7/site-packages/skjold/core.py", line 123, in advisories
        self.populate_from_cache()
      File "../env/lib/python3.7/site-packages/skjold/sources/pypa.py", line 43, in populate_from_cache
        doc = yaml.load(obj_fh, Loader=yaml.SafeLoader)
      File "../env/lib/python3.7/site-packages/yaml/__init__.py", line 81, in load
        return loader.get_single_data()
      File "../env/lib/python3.7/site-packages/yaml/constructor.py", line 49, in get_single_data
        node = self.get_single_node()
      File "../env/lib/python3.7/site-packages/yaml/composer.py", line 36, in get_single_node
        document = self.compose_document()
      File "../env/lib/python3.7/site-packages/yaml/composer.py", line 55, in compose_document
        node = self.compose_node(None, None)
      File "../env/lib/python3.7/site-packages/yaml/composer.py", line 84, in compose_node
        node = self.compose_mapping_node(anchor)
      File "../env/lib/python3.7/site-packages/yaml/composer.py", line 127, in compose_mapping_node
        while not self.check_event(MappingEndEvent):
      File "../env/lib/python3.7/site-packages/yaml/parser.py", line 98, in check_event
        self.current_event = self.state()
      File "../env/lib/python3.7/site-packages/yaml/parser.py", line 428, in parse_block_mapping_key
        if self.check_token(KeyToken):
      File "../env/lib/python3.7/site-packages/yaml/scanner.py", line 116, in check_token
        self.fetch_more_tokens()
      File "../env/lib/python3.7/site-packages/yaml/scanner.py", line 223, in fetch_more_tokens
        return self.fetch_value()
      File "../env/lib/python3.7/site-packages/yaml/scanner.py", line 579, in fetch_value
        self.get_mark())
    yaml.scanner.ScannerError: mapping values are not allowed here
      in ".skjold_cache/pypa.cache", line 2, column 98
    
    source:osv 
    opened by brondsem 2
  • Links to pyup.io point to 404 page

    Links to pyup.io point to 404 page

    Here's an example of an issue reported by skjold:

    cryptography==38.0.1 (<39.0.0) via pyup as pyup.io-51159 found in poetry.lock
    
    Cryptography 39.0.0 drops support for C library "LibreSSL" < 3.4, as these
    versions are not receiving security support anymore.
    https://pyup.io/pyup.io-51159
    

    The link at the last line points to https://pyup.io/pyup.io-51159, however it should point to https://pyup.io/vulnerabilities/CVE-2021-41581/51159/

    It's likely appending the id instead of the more_info_path to the domain when constructing the link.

    bug source:pyup 
    opened by joakimnordling 2
  • Pre-commit hooks only checks files in root of repo

    Pre-commit hooks only checks files in root of repo

    The pattern for files in .pre-commit-hooks.yaml are set up to only check any poetry.lock, Pipfile.lock and requirements*.txt files in the root of the repo. However it's not really uncommon that you have such files elsewhere in the repo. I'd suggest changing the pattern so that it'll scan such files elsewhere as well.

    If you agree on the idea, I can create a PR, or you can just update the line to be: files: (^|/)(poetry\.lock|Pipfile\.lock|requirements.*\.txt)$

    bug 
    opened by joakimnordling 2
  • Bump actions/checkout from 3.2.0 to 3.3.0

    Bump actions/checkout from 3.2.0 to 3.3.0

    Bumps actions/checkout from 3.2.0 to 3.3.0.

    Release notes

    Sourced from actions/checkout's releases.

    v3.3.0

    What's Changed

    New Contributors

    Full Changelog: https://github.com/actions/checkout/compare/v3.2.0...v3.3.0

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies github_actions 
    opened by dependabot[bot] 0
Releases(v0.6.1)
  • v0.6.1(Dec 11, 2022)

    Bugfix/Maintenance release.

    What's Changed

    • CLI: Remove duplicate error/warning when sources are passed via CLI instead. (#163). Thanks @AIGeneratedUsername!
    • Dependencies: Support packaging >=21,<23.0. (#162). Thanks @whardier!
    • Dependencies: Bump types-toml from 0.10.8 to 0.10.8.1 (#156)
    • Dependencies: Bump mypy from 0.990 to 0.991 (#157)
    • Actions: Bump actions/setup-python from 4.3.0 to 4.3.1 (#160)

    Full Changelog: https://github.com/twu/skjold/compare/v0.6.0...v0.6.1

    Source code(tar.gz)
    Source code(zip)
  • v0.6.0(Nov 11, 2022)

    Feature release.

    This release breaks .skjoldignore files when containing PyUP identifiers (See #148). You might need to re-add them to the ignore file using the CVE or new PyUP identifier.

    Changes

    • PyUP: Use 'cve' field as 'pyup' identifier. (#149). Thanks @joakimnordling!
    • Dependencies: Bump mypy from 0.981 to 0.982 (#141)
    • Dependencies: Bump black from 22.8.0 to 22.10.0 (#144)
    • Dependencies: Bump pytest-mock from 3.9.0 to 3.10.0 (#143)
    • Dependencies: Bump pytest from 7.1.3 to 7.2.0 (#146)
    • Dependencies: Bump types-pyyaml from 6.0.12 to 6.0.12.1 (#147)
    • Dependencies: Bump pytest-sugar from 0.9.5 to 0.9.6 (#151)
    • Dependencies: Bump mypy from 0.982 to 0.990 (#152)
    • Dependencies: Bump types-pyyaml from 6.0.12.1 to 6.0.12.2 (#153)
    • Actions: Bump actions/checkout from 3.0.2 to 3.1.0 (#142)
    • Actions: Bump actions/setup-python from 4.2.0 to 4.3.0 (#145)

    Full Changelog: https://github.com/twu/skjold/compare/v0.5.1...v0.6.0

    Source code(tar.gz)
    Source code(zip)
  • v0.5.1(Oct 3, 2022)

    Hotfix release.

    Changes

    • PyUP: Use more_info_path to create correct pyup.io URLs (https://github.com/twu/skjold/pull/140). Thanks @joakimnordling!
    • Dependencies: Bump types-pyyaml from 6.0.9 to 6.0.12 (https://github.com/twu/skjold/pull/134).
    • Dependencies: Bump types-toml from 0.10.7 to 0.10.8 (https://github.com/twu/skjold/pull/124).
    • Actions: Bump coverage from 6.4.1 to 6.5.0 (https://github.com/twu/skjold/pull/138).
    • Actions: Bump actions/setup-python from 4.0.0 to 4.2.0 (https://github.com/twu/skjold/pull/128, https://github.com/twu/skjold/pull/122).

    Full Changelog: https://github.com/twu/skjold/compare/v0.5.0...v0.5.1

    Source code(tar.gz)
    Source code(zip)
  • v0.5.0(Jul 2, 2022)

    Feature / Hotfix release.

    Breaking: This version drops support for Python 3.6 (#117) and adds the filename to both output formats (#118).

    Changes

    • Packaging: Switch to poetry-core (#91). Thanks @fabaff!
    • Gemnasium: Properly handle false positives/withdrawn CVEs marked with (,0) (#90). Thanks @stesix!
    • OSV: Support latest OSV/PyPA schema (only using ECOSYSTEM + versions) (#115). Thanks @Kurt-von-Laven!
    • Feature: Support handling multiple input files (#118). Thanks @joakimnordling!
    • Actions: Bump actions/checkout from 2.3.4 to 2.4.0 (#82).
    • Actions: Bump actions/setup-python from 2.2.2 to 2.3.2 (#93).
    • Breaking: Drops support for Python 3.6 (#117)

    Full Changelog: https://github.com/twu/skjold/compare/v0.4.1...v0.5.0

    Source code(tar.gz)
    Source code(zip)
  • v0.4.1(Aug 9, 2021)

    Hotfix release.

    Changes

    • Github: Properly parse/handle github fixed version specifiers e.g. = 1.4.2. Fixes #61. Thanks @brondsem!
    • Github: Show correct environment variable name if Github API Token is not defined. See #62. Thanks @markus-k!
    Source code(tar.gz)
    Source code(zip)
  • v0.4.0(Aug 8, 2021)

    Feature/Maintenance release.

    Important!: From this release onwards skjold depends on/uses packaging instead of poetry-semver (See #52 for details).

    Changes

    • Use packaging for parsing versions instead of poetry-semver. See #52
    • Display helpful message if Github Token is not found/set when using the github source. See #56
    • Updated dependencies.
    Source code(tar.gz)
    Source code(zip)
  • v0.3.2(Jun 21, 2021)

    Bugfix release.

    Changes

    • Removing verbose flag from .pre-commit-hook.yaml as it is only supposed to be used during debugging. See Comment Thanks @asottile!
    • Bump types-pyyaml from 0.1.9 to 5.4.3 (#49)
    Source code(tar.gz)
    Source code(zip)
  • v0.3.1(Jun 20, 2021)

  • v0.3.0(Jun 20, 2021)

    Feature / Maintenance release.

    Important!: When using skjold as a pre-commit-hook it only gets triggered if you want to commit changed dependency files (e.g. Pipenv.lock, poetry.lock, requirements.txt,...). It will not continuously check your dependencies on every commit!

    Important!: If you use report_only in any way make sure that you add verbose: true to your hook configuration otherwise pre-commit won't show you any output since the hook is always returning with a zero exit code due to report_only being set!

    Breaking Changes

    • CLI: skjold will now always write the number of ignored findings and vulnerable packages to stderr. The rest of the output json or cli are still written to stdout for easier redirection.

    Changes

    • CLI: Temporarily or permanently ignore findings based on their source identifiers added to .skjoldignore. (See #47) Thanks @micheller!
    • CLI: skjold now outputs ignored findings when using cli or json output formats.
    • OSV/PyPA Advisory DB: Initial support for using either osv or pypa as sources. (See #45)
    • CLI: Advisories with additional references are added to the cli output if present.
    • Bumps mypy to 0.902
      • Moves mypy.ini to pyproject.toml.
      • Adds types-toml and types-PyYAML as dev dependencies.
    • Update README.md.
    Source code(tar.gz)
    Source code(zip)
  • v0.2.1(Feb 1, 2021)

    Bugfix / Maintenance release.

    Changes

    • Gemnasium: Assume all versions are affected if 'affected_versions' string is empty. (#30). Thanks @dermoumi!
    • Bump pyyaml from 5.3.1 to 5.4.1 (#24, #26)
    • Bump coverage from 5.3.1 to 5.4 (#29)
    • Bump pytest from 6.2.1 to 6.2.2 (#28)
    • Bump mypy from 0.790 to 0.800 (#27)
    • Bump pytest-cov from 2.10.1 to 2.11.1 (#23, #25)
    • Bump pytest-mock from 3.4.0 to 3.5.1 (#21, #22)
    • Update README.md.
    Source code(tar.gz)
    Source code(zip)
  • v0.2.0(Jan 2, 2021)

    Bugfix / Feature release.

    Changes

    • Refactored CLI.
    • Fix issue with CLI defaults overriding already set values. Fixes #11. Thanks @inkhey!
    • Add py.typed marker file (PEP 561).
    • Replaced tomlkit with the more commonly used toml.
    • Replaced requests with urllib from the standard library.
    • Remove pytest-env since it is unused.
    • Use latest actions/checkout and actions/setup-python in test workflow.
    • Dependencies are now updated by dependabot.
    • Updated dependencies.
    Source code(tar.gz)
    Source code(zip)
  • v0.1.6(Oct 5, 2020)

    Bugfix / Maintenance release.

    Changes

    • Update README.md. Fix for wrong option name in documentation. Thanks @endwaa ! (#7)
    • Properly handle PyUp $meta field when populating advisories from cache. (#8)
    • Set pre-commit default python interpreter from 3.7 to 3.8.
    • Start testing against 3.9.0-rc2.
    • Use latest actions/[email protected] and actions/[email protected] in test workflow.
    • Update pre-commit hook (v2.5.0 -> v3.2.0) and black hook (19.10b0 -> 20.8b1) repositories.
    • Updated dependencies.
    Source code(tar.gz)
    Source code(zip)
  • v0.1.5(Mar 4, 2020)

    Feature release.

    Changes

    • Determine severity (Base Score) using CVSS 2.0 / CVSS 3.x vectors from Gemnasium records.
    • Print Warning to stderr when failing to extract package and pinned version from a requirements.txt-formatted file. Thanks @brondsem! (#3)
    • Simplify pre-commit instructions. Thanks @asottile ! (#6)
    • Updated dependencies.
    Source code(tar.gz)
    Source code(zip)
  • v0.1.4(Mar 1, 2020)

    Bugfix release.

    Changes

    • Fix #4: CLI crashes when given unknown severity level. Thanks @brondsem! (PR #5)
    • Use red instead of yellow for results with UNKNOWN severity from PyUP and Gemnasium where skjold is (currently) not able to extract or calculate the severity of the item.
    • Colorize results with UNKNOWN severity red instead of yellow.
    • Extend CLI coloring dictionary to cover CVSS v2.0 and CVSS v3.0 severity levels.
    • Set returned severity of PyUP results to 'UNKNOWN' as severity is not present in safety-db.
    • Start handling comments in requirements.txt. Thanks @brondsem!
    • Add bug tracker and changelog URLs to pyproject.toml.
    • Update README.md. Thanks @brondsem!
    • Extended tests.
    Source code(tar.gz)
    Source code(zip)
  • v0.1.3(Feb 8, 2020)

    Bugfix release.

    Changes

    • Support for Python 3.6.
    • Type annotations for tests.

    Documentation

    • Fixed broken links in README.md. Thanks @ghtyrant!
    Source code(tar.gz)
    Source code(zip)
  • v0.1.2(Jan 29, 2020)

  • v0.1.1(Jan 26, 2020)

Burp Suite extension for encoding/decoding EVM calldata

unblocker Burp Suite extension for encoding/decoding EVM calldata 0x00_prerequisites Burp Suite Java 8+ Python 2.7 0x01_installation clone this reposi

Halborn 16 Aug 30, 2022
Having a weak password is not good for a system that demands high confidentiality and security of user credentials

Having a weak password is not good for a system that demands high confidentiality and security of user credentials. It turns out that people find it difficult to make up a strong password that is str

PyLaboratory 0 Feb 07, 2022
The Easiest Way To Gallery Hacking

The easiest way to HACK A GALLARY, Get every part of your friends' gallery ( 100% Working ) | Tool By John Kener 🇱🇰

John Kener 34 Nov 30, 2022
Searches for potentially vulnerable websites to local file inclusion, throughout the web and then exploits them for LFI

LFI-Hunter Searches for potentially vulnerable websites to local file inclusion, throughout the web and then exploits them for LFI A script written in

Anukul Pandey 6 Jan 30, 2022
Looks at Python code to search for things which look "dodgy" such as passwords or diffs

dodgy Dodgy is a very basic tool to run against your codebase to search for "dodgy" looking values. It is a series of simple regular expressions desig

Landscape 112 Nov 25, 2022
AttractionFinder - 2022 State Qualified FBLA Attraction Finder Application

Attraction Finder Developers: Riyon Praveen, Aaron Bijoy, & Yash Vora How It Wor

$ky 2 Feb 09, 2022
Denial Attacks by Various Methods

Denial Service Attack Denial Attacks by Various Methods IIIIIIIIIIIIIIIIIIII PPPPPPPPPPPPPPPPP VVVVVVVV VVVVVVVV I::

Baris Dincer 9 Nov 26, 2022
Grafana-POC(CVE-2021-43798)

Grafana-Poc 此工具请勿用于违法用途。 一、使用方法:python3 grafana_hole.py 在domain.txt中填入ip:port 二、漏洞影响范围 影响版本: Grafana 8.0.0 - 8.3.0 安全版本: Grafana 8.3.1, 8.2.7, 8.1.8,

8 Jan 03, 2023
Bypass 4xx HTTP response status codes.

Forbidden Bypass 4xx HTTP response status codes. To see all the test cases, check the source code - follow the NOTE comments. Script uses multithreadi

Ivan Šincek 165 Dec 28, 2022
Brainly-Scrambler - Brainly Scrambler With Python

Brainly-Scrambler Untuk admin brainly jangan lupa pasang captcha mu Note: Kamu

8 Feb 24, 2022
利用NTLM Hash读取Exchange邮件

GetMail 利用NTLM Hash读取Exchange邮件:在进行内网渗透时候,我们经常拿到的是账号的Hash凭据而不是明文口令。在这种情况下采用邮件客户端或者WEBMAIL的方式读取邮件就很麻烦,需要进行破解,NTLM的破解主要依靠字典强度,破解概率并不是很大。

<a href=[email protected]"> 388 Dec 27, 2022
Natural Language Processing - Sommer Semester 2022

Natural Language Processing (DIS25a/NLP) This course can be taken for the Bachelor Programm Data and Information Science (DIS25a) or the Master Progra

Classrooms of IR Group at Technische Hochschule Köln 19 Sep 07, 2022
The RDT protocol (RDT3.0,GBN,SR) implementation and performance evaluation code using socket

소켓을 이용한 RDT protocols (RDT3.0,GBN,SR) 구현 및 성능 평가 코드 입니다. 코드를 실행할때 리시버를 먼저 실행하세요. 성능 평가 코드는 패킷 전송 과정을 제외하고 시간당 전송률을 출력합니다. RDT3.0 GBN SR(버그 발견으로 구현중 입니

kimtaeyong98 0 Dec 20, 2021
RedlineSpam - Python tool to spam Redline Infostealer panels with legit looking data

RedlineSpam Python tool to spam Redline Infostealer panels with legit looking da

4 Jan 27, 2022
Separate handling of protected media in Django, with X-Sendfile support

Django Protected Media Django Protected Media is a Django app that manages media that are considered sensitive in a protected fashion. Not only does t

Cobus Carstens 46 Nov 12, 2022
Lite version of my Gatekeeper backdoor for public use.

Gatekeeper Lite Backdoor Fully functioning bind-type backdoor This backdoor is a fully functioning bind shell and lite version of my full functioning

Joe Helle 56 Mar 25, 2022
Open-source jailbreaking tool for many iOS devices

Open-source jailbreaking tool for many iOS devices *Read disclaimer before using this software. checkm8 permanent unpatchable bootrom exploit for hund

6.7k Jan 05, 2023
Compilation of resources and insights that helped me on my journey to data scientist

Compilation of resources and insights that helped me on my journey to data scientist

Conor Dewey 1.5k Jan 02, 2023
A Simple File Encryptor/Decryptor

Ec: A Simple File Encryptor/Decryptor This has been made for educational reasons only, any constructive criticism/advice/comments are welcome! Also, p

1 Dec 10, 2021
LinOTP - the open source solution for two factor authentication

LinOTP LinOTP - the Open Source solution for multi-factor authentication Copyright © 2010-2019 KeyIdentity GmbH Coypright © 2019- arxes-tolina GmbH In

LinOTP 462 Jan 02, 2023