
An OSS Index integration for checking vulnerabilities in Python environments

Project description


Jake



jake is a tool for checking your Python environment and applications that can

  • generate a CycloneDX software bill of materials
  • report known vulnerabilities

jake is powered by Sonatype's OSS Index and can also be used with Sonatype's Nexus IQ Server.

Installation

Install from pypi.org as you would any other Python module

pip install jake

poetry add jake

Other Python package managers also work.

Usage

Getting started

jake can help guide you...

> jake --help
usage: jake [-h] [-v] [-w] [-X]  ...

Put your Python dependencies in a chokehold

optional arguments:
  -h, --help       show this help message and exit
  -v, --version    show which version of jake you are running
  -w, --warn-only  prevents exit with non-zero code when issues have been
                   detected
  -X               enable debug output

Jake sub-commands:
  
    iq             perform a scan backed by Nexus Lifecycle
    ddt            perform a scan backed by OSS Index
    sbom           generate a CycloneDX software-bill-of-materials (no
                   vulnerabilities)

jake exits with code 0 under normal operation, and with code 1 if vulnerabilities are found (OSS Index) or policy violations are detected (Nexus IQ). Unless you pass the -w flag, in which case jake always exits with code 0...

Generating an SBOM

jake can take data from a variety of inputs (or just look at your current Python environment) and generate a CycloneDX SBOM for you.

> jake sbom --help

usage: jake sbom [-h] [-f FILE_PATH] [-t TYPE] [-o PATH/TO/FILE]
                   [--output-format {json,xml}]
                   [--schema-version {1.0,1.1,1.2,1.3}]

optional arguments:
  -h, --help            show this help message and exit
  -f FILE_PATH, --input FILE_PATH
                        Where to get input data from. If a path to a file is
                        not specified directly here,then we will attempt to
                        read data from STDIN. If there is no data on STDIN, we
                        will then fall back to looking for standard files in
                        the current directory that relate to the type of input
                        indicated by the -t flag.
  -t TYPE, --type TYPE, -it TYPE, --input-type TYPE
                        how jake should find the packages from which to
                        generate your SBOM.ENV = Read from the current Python
                        Environment; CONDA = Read output from `conda list
                        --explicit`; CONDA_JSON = Read output from `conda list
                        --json`; PIP = read from a requirements.txt; PIPENV =
                        read from Pipfile.lock; POETRY = read from a
                        poetry.lock. (Default = ENV)
  -o PATH/TO/FILE, --output-file PATH/TO/FILE
                        Specify a file to output the SBOM to
  --output-format {json,xml}
                        SBOM output format (default = xml)
  --schema-version {1.0,1.1,1.2,1.3}
                        CycloneDX schema version to use (default = 1.3)

See these examples that use STDIN

conda list --explicit --md5 | jake sbom -t CONDA
conda list --json | jake sbom -t CONDA_JSON
cat /path/to/Pipfile.lock | python -m jake.app sbom -t PIPENV

See these examples that specify a manifest

jake sbom -t PIP -f /path/to/requirements.txt
jake sbom -t PIPENV -f /path/to/Pipfile.lock

Checking for vulnerabilities using OSS Index

jake looks at the packages installed in your current Python environment and checks them against OSS Index for you. Optionally, it can also create a CycloneDX software bill of materials at the same time, in the format that suits you.

> jake ddt --help

usage: jake ddt [-h] [-f FILE_PATH] [-t TYPE] [--clear-cache] [-o PATH/TO/FILE] 
                   [--output-format {xml,json}]
                   [--schema-version {1.2,1.1,1.0,1.3}]
                   [--whitelist OSS_WHITELIST_JSON_FILE]

optional arguments:
  -h, --help            show this help message and exit
  -f FILE_PATH, --input-file FILE_PATH
                        Where to get input data from. If a path to a file is
                        not specified directly here,then we will attempt to
                        read data from STDIN. If there is no data on STDIN, we
                        will then fall back to looking for standard files in
                        the current directory that relate to the type of input
                        indicated by the -t flag.
  -t TYPE, --type TYPE, -it TYPE, --input-type TYPE
                        how jake should find the packages from which to
                        generate your SBOM.ENV = Read from the current Python
                        Environment; CONDA = Read output from `conda list
                        --explicit`; CONDA_JSON = Read output from `conda list
                        --json`; PIP = read from a requirements.txt; PIPENV =
                        read from Pipfile.lock; POETRY = read from a
                        poetry.lock. (Default = ENV)
  --clear-cache         Clears any local cached OSS Index data prior to execution
  -o PATH/TO/FILE, --output-file PATH/TO/FILE
                        Specify a file to output the SBOM to. If not specified the report will be output to the console. STDOUT is not supported.
  --output-format {xml,json}
                        SBOM output format (default = xml)
  --schema-version {1.2,1.1,1.0,1.3}
                        CycloneDX schema version to use (default = 1.3)
  --whitelist OSS_WHITELIST_JSON_FILE
                        Set path to whitelist json file

So you can quickly get a report by running

> jake ddt

                   ___           ___           ___     
       ___        /  /\         /  /\         /  /\    
      /__/\      /  /::\       /  /:/        /  /::\   
      \__\:\    /  /:/\:\     /  /:/        /  /:/\:\  
  ___ /  /::\  /  /::\ \:\   /  /::\____   /  /::\ \:\ 
 /__/\  /:/\/ /__/:/\:\_\:\ /__/:/\:::::\ /__/:/\:\ \:\
 \  \:\/:/~~  \__\/  \:\/:/ \__\/~|:|~~~~ \  \:\ \:\_\/
  \  \::/          \__\::/     |  |:|      \  \:\ \:\  
   \__\/           /  /:/      |  |:|       \  \:\_\/  
                  /__/:/       |__|:|        \  \:\    
                  \__\/         \__\|         \__\/    

                                                  
            /)                     /)             
        _/_(/    _     _  __   _  (/_   _         
 o   o  (__/ )__(/_   /_)_/ (_(_(_/(___(/_ o   o  
                                                  
                                                  

Jake Version: 1.1.0
Put your Python dependencies in a chokehold.

🐍 Collected 42 packages from your environment (0:00:00.10)
🐍 Successfully queried OSS Index for package and vulnerability info (0:00:00.59)
🐍 Sane number of results from OSS Index


╔Summary═══════════════╦════╗
║ Audited Dependencies ║ 42 ║
╠══════════════════════╬════╣
║ Vulnerablities Found ║ 0  ║
╚══════════════════════╩════╝

...and if anything is found, jake outputs the following

                   ___           ___           ___     
       ___        /  /\         /  /\         /  /\    
      /__/\      /  /::\       /  /:/        /  /::\   
      \__\:\    /  /:/\:\     /  /:/        /  /:/\:\  
  ___ /  /::\  /  /::\ \:\   /  /::\____   /  /::\ \:\ 
 /__/\  /:/\/ /__/:/\:\_\:\ /__/:/\:::::\ /__/:/\:\ \:\
 \  \:\/:/~~  \__\/  \:\/:/ \__\/~|:|~~~~ \  \:\ \:\_\/
  \  \::/          \__\::/     |  |:|      \  \:\ \:\  
   \__\/           /  /:/      |  |:|       \  \:\_\/  
                  /__/:/       |__|:|        \  \:\    
                  \__\/         \__\|         \__\/    

                                                  
            /)                     /)             
        _/_(/    _     _  __   _  (/_   _         
 o   o  (__/ )__(/_   /_)_/ (_(_(_/(___(/_ o   o  
                                                  
                                                  

Jake Version: 1.1.5
Put your Python dependencies in a chokehold

🐍 Collected 69 packages from your environment                       ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% -:--:--
🐍 Successfully queried OSS Index for package and vulnerability info ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% -:--:--
🐍 Sane number of results from OSS Index                             ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% -:--:--

[59/69] - pkg:pypi/cryptography@2.2 [VULNERABLE]
Vulnerability Details for pkg:pypi/cryptography@2.2                                                                                                                                                                                                                                                                     
├── ⚠  ID: 333aca51-7375-4a9d-be64-16d316ab9274                                                                                                                                                                                                                                                                         
│   └── ╭─ CVE-2020-36242 ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│       │                                                                                                                                                                                                                                                                                                              │
│       │ In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.                                                                                │
│       │                                                                                                                                                                                                                                                                                                              │
│       │ Details:                                                                                                                                                                                                                                                                                                     │
│       │   - CVSS Score: 9.1 - Critical                                                                                                                                                                                                                                                                               │
│       │   - CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H                                                                                                                                                                                                                                                │
│       │   - CWE: Unknown                                                                                                                                                                                                                                                                                             │
│       │                                                                                                                                                                                                                                                                                                              │
│       │ References:                                                                                                                                                                                                                                                                                                  │
│       │   - https://ossindex.sonatype.org/vulnerability/333aca51-7375-4a9d-be64-16d316ab9274?component-type=pypi&component-name=cryptography&utm_source=python-oss-index-lib%400.2.1&utm_medium=integration                                                                                                          │
│       │   - https://nvd.nist.gov/vuln/detail/CVE-2020-36242                                                                                                                                                                                                                                                          │
│       │                                                                                                                                                                                                                                                                                                              │
│       ╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
└── ⚠  ID: f19ff95c-cec5-4263-8d3b-e3e64698881e                                                                                                                                                                                                                                                                         
    └── ╭─ CVE-2018-10903 ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
        │                                                                                                                                                                                                                                                                                                              │
        │ A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1      │
        │ byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage.                                                                                                                                                                                         │
        │                                                                                                                                                                                                                                                                                                              │
        │ Details:                                                                                                                                                                                                                                                                                                     │
        │   - CVSS Score: 7.5 - High                                                                                                                                                                                                                                                                                   │
        │   - CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N                                                                                                                                                                                                                                                │
        │   - CWE: Unknown                                                                                                                                                                                                                                                                                             │
        │                                                                                                                                                                                                                                                                                                              │
        │ References:                                                                                                                                                                                                                                                                                                  │
        │   - https://ossindex.sonatype.org/vulnerability/f19ff95c-cec5-4263-8d3b-e3e64698881e?component-type=pypi&component-name=cryptography&utm_source=python-oss-index-lib%400.2.1&utm_medium=integration                                                                                                          │
        │   - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10903                                                                                                                                                                                                                                               │
        │   - https://github.com/pyca/cryptography/pull/4342/commits/688e0f673bfbf43fa898994326c6877f00ab19ef                                                                                                                                                                                                          │
        │   - https://nvd.nist.gov/vuln/detail/CVE-2018-10903                                                                                                                                                                                                                                                          │
        │                                                                                                                                                                                                                                                                                                              │
        ╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯

                    Summary                     
┏━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Audited Dependencies ┃ Vulnerabilities Found ┃
┡━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━┩
│ 69                   │ 2                     │
└──────────────────────┴───────────────────────┘

See these examples that use STDIN

conda list --explicit --md5 | jake ddt -t CONDA
conda list --json | jake ddt -t CONDA_JSON
cat /path/to/Pipfile.lock | python -m jake.app ddt -t PIPENV

See these examples that specify a manifest

jake ddt -t PIP -f /path/to/requirements.txt
jake ddt -t PIPENV -f /path/to/Pipfile.lock

A pre-commit hook is also provided for use

  - repo: https://github.com/sonatype-nexus-community/jake
    rev: "v1.3.0"
    hooks:
      - id: scan

Whitelisting

Whitelisting of vulnerabilities is possible! To whitelist vulnerabilities, add the --whitelist argument and pass a JSON file like the one shown below

> jake ddt --whitelist jake-whitelist.json

The file should look like this

{"ignore": [{"id": "f19ff95c-cec5-4263-8d3b-e3e64698881e", "reason": "Insert reason here"}]}

The only field that really matters is id, which is the vulnerability ID you get from OSS Index. You can add fields such as reason so that you later know why a vulnerability was whitelisted.

Any whitelisted ID is muted and does not cause a failure.
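A triage helper for the ddt output shown above and the whitelist format just described, added here as an example that is not part of jake: it extracts each OSS Index finding (purl, ID, CVE, CVSS score) from the console layout shown, validates a whitelist file, and reports which findings would still fail the build. The sample output and sample whitelist are constructed from the excerpts above, and the parsing patterns assume that console layout.

```python
import json
import re
import uuid

# Patterns for the "jake ddt" console layout shown above: a "[n/N] - <purl>
# [VULNERABLE]" line, then per finding an "ID:" line, a boxed CVE header and
# a "CVSS Score:" line.
PURL_RE = re.compile(r"^\[\d+/\d+\] - (?P<purl>pkg:pypi/\S+) \[VULNERABLE\]")
ID_RE = re.compile(r"ID: (?P<id>[0-9a-f-]{36})")
CVE_RE = re.compile(r"╭─ (?P<cve>CVE-\d{4}-\d+)")
SCORE_RE = re.compile(r"CVSS Score: (?P<score>\d+(?:\.\d+)?)")

# Constructed sample: an abbreviated copy of the output shown above.
SAMPLE_DDT_OUTPUT = """\
[59/69] - pkg:pypi/cryptography@2.2 [VULNERABLE]
├── ⚠  ID: 333aca51-7375-4a9d-be64-16d316ab9274
│   └── ╭─ CVE-2020-36242 ─────╮
│       │   - CVSS Score: 9.1 - Critical
└── ⚠  ID: f19ff95c-cec5-4263-8d3b-e3e64698881e
    └── ╭─ CVE-2018-10903 ─────╮
        │   - CVSS Score: 7.5 - High
"""

# Constructed sample whitelist in the format described above.
SAMPLE_WHITELIST = json.dumps({"ignore": [{
    "id": "f19ff95c-cec5-4263-8d3b-e3e64698881e",
    "reason": "constructed example reason: affected API is not called"}]})


def parse_ddt_output(text):
    """Return one dict per OSS Index finding: purl, id, cve, score."""
    findings, purl, current = [], None, None
    for line in text.splitlines():
        m = PURL_RE.match(line)
        if m:
            purl = m.group("purl")
            continue
        m = ID_RE.search(line)
        if m:  # a new finding; its CVE and score follow on later lines
            current = {"purl": purl, "id": m.group("id"), "cve": None, "score": None}
            findings.append(current)
            continue
        if current is None:
            continue
        m = CVE_RE.search(line)
        if m and current["cve"] is None:
            current["cve"] = m.group("cve")
        m = SCORE_RE.search(line)
        if m and current["score"] is None:
            current["score"] = float(m.group("score"))
    return findings


def load_whitelist(text):
    """Return whitelisted OSS Index IDs, rejecting a malformed id (it would
    silently mute nothing) or a missing reason (it could not be reviewed)."""
    ids = set()
    for entry in json.loads(text).get("ignore", []):
        vid = str(entry.get("id", ""))
        uuid.UUID(vid)  # OSS Index IDs are UUIDs; raises ValueError otherwise
        if not str(entry.get("reason", "")).strip():
            raise ValueError(f"whitelist entry {vid} has no reason")
        ids.add(vid)
    return ids


def unmuted_findings(findings, whitelist, min_score=0.0):
    """Findings that still fail the build: not whitelisted, score >= min_score."""
    return [f for f in findings
            if f["id"] not in whitelist and (f["score"] or 0.0) >= min_score]
```

The min_score filter is an addition beyond what jake itself does: jake fails on any unmuted finding, while this helper lets a CI job raise the bar only for findings at or above a chosen CVSS score.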

Checking for vulnerabilities using Sonatype Nexus Lifecycle

Use jake to access Sonatype's proprietary vulnerability data

> jake iq --help

usage: jake iq [-h] [-f FILE_PATH] [-t TYPE] -s https://:8070 -i APP_ID -u USER_ID -p PASSWORD [-st STAGE]

optional arguments:
  -h, --help            show this help message and exit
  -f FILE_PATH, --input-file FILE_PATH
                        Where to get input data from. If a path to a file is
                        not specified directly here,then we will attempt to
                        read data from STDIN. If there is no data on STDIN, we
                        will then fall back to looking for standard files in
                        the current directory that relate to the type of input
                        indicated by the -t flag.
  -t TYPE, --type TYPE, -it TYPE, --input-type TYPE
                        how jake should find the packages from which to
                        generate your SBOM.ENV = Read from the current Python
                        Environment; CONDA = Read output from `conda list
                        --explicit`; CONDA_JSON = Read output from `conda list
                        --json`; PIP = read from a requirements.txt; PIPENV =
                        read from Pipfile.lock; POETRY = read from a
                        poetry.lock. (Default = ENV)
  -s https://:8070, --server-url https://:8070
                        Full http(s):// URL to your Nexus Lifecycle server
  -i APP_ID, --application-id APP_ID
                        Public Application ID in Nexus Lifecycle
  -u USER_ID, --username USER_ID
                        Username for authentication to Nexus Lifecycle
  -p PASSWORD, --password PASSWORD
                        Password for authentication to Nexus Lifecycle
  -st STAGE, --stage STAGE
                        The stage for the report

So, by passing the parameters appropriate for your Nexus Lifecycle environment, you can get a report

> jake iq -s https://my-nexus-lifecyle -i APP_ID -u USERNAME -p PASSWORD

                   ___           ___           ___     
       ___        /  /\         /  /\         /  /\    
      /__/\      /  /::\       /  /:/        /  /::\   
      \__\:\    /  /:/\:\     /  /:/        /  /:/\:\  
  ___ /  /::\  /  /::\ \:\   /  /::\____   /  /::\ \:\ 
 /__/\  /:/\/ /__/:/\:\_\:\ /__/:/\:::::\ /__/:/\:\ \:\
 \  \:\/:/~~  \__\/  \:\/:/ \__\/~|:|~~~~ \  \:\ \:\_\/
  \  \::/          \__\::/     |  |:|      \  \:\ \:\  
   \__\/           /  /:/      |  |:|       \  \:\_\/  
                  /__/:/       |__|:|        \  \:\    
                  \__\/         \__\|         \__\/    

                                                  
            /)                     /)             
        _/_(/    _     _  __   _  (/_   _         
 o   o  (__/ )__(/_   /_)_/ (_(_(_/(___(/_ o   o  
                                                  
                                                  

Jake Version: 1.0.1
Put your Python dependencies in a chokehold

🐍 IQ Server at https://my-nexus-lifecyle is up and accessible (0:00:00.14)
🐍 Collected 42 packages from your environment (0:00:00.09)
🧨 Something slithers around your ankle! There are policy warnings from Sonatype Nexus IQ. (0:00:11.50)

Your Sonatype Nexus IQ Lifecycle Report is available here:
  HTML: https://my-nexus-lifecyle/ui/links/application/APP_ID/report/4831bcb7fbaa45c3a2481048e446b598
  PDF:  https://my-nexus-lifecyle/ui/links/application/APP_ID/report/4831bcb7fbaa45c3a2481048e446b598/pdf

Why Jake?

Jake The Snake was scared of snakes. His finisher was the DDT. He finished snakes with the DDT.

Who better to help wrangle those slippery dependencies in a virtual or real environment.

Python Support

We endeavour to support all features on all currently actively supported Python versions. However, some features may be unavailable or absent on older Python versions due to lack of support.

Changelog

See our CHANGELOG

Releasing

We perform releases manually by clicking the "On Hold" button on the CircleCI web page.

If you see a feature in the code that we have not yet released, please raise an issue and we will certainly click that magic button.

We use python-semantic-release to generate releases from commits on the main branch.

For example, to perform a "patch" release, add a commit to main with a message like the one below. The fix: prefix is important.

fix: Resolve vulnerability: CVE-2020-27783 in lxml

(testing release script changes)

The Fine Print

Remember

Please note that this is not supported by Sonatype; it is our contribution to the open source community (read: you!)

  • Use this contribution at your own risk
  • Do not file Sonatype support tickets related to ossindex-lib
  • Do file issues here on GitHub so that the community can help

Phew, that was easier than I thought. Last but not least - have fun!


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source distribution

jake-3.0.14.tar.gz (25.0 kB)


Built distribution

jake-3.0.14-py3-none-any.whl (30.7 kB)

