locally generate global dependency report #19

Draft pull request: wants to merge 2 commits into base: master

Conversation

@ldher ldher commented Apr 11, 2023

THIS IS A WIP AND SHOULD NOT BE MERGED

You need to create a .env file in the project root directory with

GITHUB_ACCESS_TOKEN=<A GITHUB ACCESS TOKEN>

This adds 3 scripts:

  • gather.py

It fetches all Python repositories which use pipenv from the MeilleursAgents GitHub organization and extracts Pipfile and Pipfile.lock for each of them.

  • main.py

It fetches the dependencies reports from all projects fetched with the previous gather.py command.

  • report.py

It extracts the deps-report outputs into 3 csv files:

  • runtime_informations_export.csv : contains information about python version usage
  • version_results_export.csv : contains information about dependencies versions usages
  • vulnerabilities_results_export.csv : contains information about dependencies vulnerabilities

It can then be used with https://docs.google.com/spreadsheets/d/1MLx50QxckzgMfJXV0oTt-PIliRG0FzRjCYyp7OaQ9EI/edit#gid=591357592 to create a global report

To update data in the spreadsheet:

Run

poetry run python deps-report/gather.py
poetry run python deps-report/main.py
poetry run python deps-report/report.py

For each result csv:

  • Open corresponding tab in spreadsheet (see corresponding *_export tab)
  • Use File > Import > Replace sheet
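The report step described above, as an added example that is not the PR's own gather.py, main.py or report.py: it reads Pipfile.lock content for several projects, pulls the required Python version (the runtime_informations data) and each dependency's pinned version with its runtime/dev scope, and classifies each one as current, minor or major outdated in the way the bot report splits "outdated major versions". The two lock files and the LATEST table are constructed stand-ins for the GitHub fetch and the registry lookup; the row dicts are ready for csv.DictWriter.

```python
import json

# Constructed Pipfile.lock contents for two hypothetical projects (not real repos).
LOCKS = {
    "svc-alpha": json.dumps({
        "_meta": {"requires": {"python_version": "3.8"}},
        "default": {"requests": {"version": "==2.28.1"},
                    "urllib3": {"version": "==1.26.12"}},
        "develop": {"pytest": {"version": "==7.1.2"}},
    }),
    "svc-beta": json.dumps({
        "_meta": {"requires": {"python_version": "3.11"}},
        "default": {"requests": {"version": "==2.31.0"}},
        "develop": {},
    }),
}
# Constructed "latest version" table standing in for the registry lookup main.py would do.
LATEST = {"requests": "2.31.0", "urllib3": "2.0.4", "pytest": "7.4.0"}


def parse_version(spec: str) -> tuple:
    """'==2.28.1' -> (2, 28, 1); non-numeric components are dropped."""
    return tuple(int(p) for p in spec.lstrip("=<>~!").split(".") if p.isdigit())


def runtime_rows(locks: dict) -> list:
    """One row per project: the Python version its Pipfile.lock requires."""
    rows = []
    for name, raw in locks.items():
        meta = json.loads(raw).get("_meta", {}).get("requires", {})
        rows.append({"project": name, "python_version": meta.get("python_version", "")})
    return rows


def version_rows(locks: dict, latest: dict) -> list:
    """One row per (project, dependency): scope, versions and outdated status."""
    rows = []
    for name, raw in locks.items():
        lock = json.loads(raw)
        for section, scope in (("default", "runtime"), ("develop", "dev")):
            for dep, spec in lock.get(section, {}).items():
                installed = spec.get("version", "").lstrip("=")
                cur, new = parse_version(installed), parse_version(latest.get(dep, installed))
                # Major bump if the first component moved; otherwise minor/patch, or current.
                status = "major" if new[:1] > cur[:1] else ("minor" if new > cur else "current")
                rows.append({"project": name, "dependency": dep, "scope": scope,
                             "installed": installed, "latest": latest.get(dep, ""),
                             "status": status})
    return rows
```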

github-actions bot commented Apr 11, 2023

deps-report 🔍

Commit scanned: 7f0ade0

Vulnerable dependencies

4 dependencies have vulnerabilities 😱
Dependency / Advisory / Versions impacted:

  • certifi (transitive): Certifi 2022.12.07 includes a fix for CVE-2022-23491: Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion. GHSA-43fp-rhv2-5gv8 https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ — Versions impacted: <2022.12.07
  • py (dev,transitive): Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. pytest-dev/py#287 — Versions impacted: <=1.11.0
  • pygments (dev,transitive): Pygments 2.15.0 includes a fix for CVE-2022-40896: In Pygments before 2.15.0 the lexers processing Smithy, SQL/SQL+Jinja or Java properties files from untrusted source are vulnerable to ReDoS. — Versions impacted: <2.15.0
  • requests (transitive): Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0. — Versions impacted: >=2.3.0,<2.31.0

Outdated dependencies

42 outdated dependencies found (including 12 outdated major versions) 😢
Dependency Installed version Latest version
attrs (transitive) 22.1.0 23.1.0
black (dev) 22.8.0 23.7.0
certifi (transitive) 2022.6.15 2023.7.22
charset-normalizer (transitive) 2.1.1 3.2.0
flake8 (dev) 5.0.4 6.0.0
iniconfig (dev,transitive) 1.1.1 2.0.0
mypy (dev) 0.971 1.4.1
mypy-extensions (dev,transitive) 0.4.3 1.0.0
packaging 21.3 23.1
platformdirs (dev,transitive) 2.5.2 3.9.1
pyflakes (dev,transitive) 2.5.0 3.0.1
urllib3 1.26.12 2.0.4
Dependency Installed version Latest version
aiohttp 3.8.1 3.8.5
aiosignal (transitive) 1.2.0 1.3.1
beautifulsoup4 4.11.1 4.12.2
click 8.1.3 8.1.6
colorama 0.4.5 0.4.6
deprecated (transitive) 1.2.13 1.2.14
flake8-docstrings (dev) 1.6.0 1.7.0
flake8-pyproject (dev) 1.1.0.post0 1.2.3
frozenlist (transitive) 1.3.1 1.4.0
idna (transitive) 3.3 3.4
isort (dev) 5.10.1 5.12.0
multidict (transitive) 6.0.2 6.0.4
pathspec (dev,transitive) 0.10.0 0.11.1
pluggy (dev,transitive) 1.0.0 1.2.0
pycodestyle (dev,transitive) 2.9.1 2.10.0
pydocstyle (dev,transitive) 6.1.1 6.3.0
pygithub (transitive) 1.55 1.59.0
pygments (dev,transitive) 2.13.0 2.15.1
pyjwt (transitive) 2.4.0 2.8.0
pyparsing (transitive) 3.0.9 3.1.0
pytest (dev) 7.1.2 7.4.0
requests (transitive) 2.28.1 2.31.0
soupsieve (transitive) 2.3.2.post1 2.4.1
tabulate 0.8.10 0.9.0
types-python-dateutil (dev) 2.8.19 2.8.19.14
types-tabulate (dev) 0.8.11 0.9.0.3
types-toml (dev) 0.10.8 0.10.8.7
typing-extensions (dev,transitive) 4.3.0 4.7.1
wrapt (transitive) 1.14.1 1.15.0
yarl (transitive) 1.8.1 1.9.2


@erdnaxeli
Contributor

should this be merged someday?
