Recommended common web vulnerability scanning tools: which vulnerability scanners are available

About pip-audit
pip-audit is a powerful security vulnerability scanning tool aimed at Python environments. It helps security researchers scan and test Python packages for known security vulnerabilities. pip-audit uses the Python Packaging Advisory Database, queried through the PyPI JSON API, as its source of vulnerability reports.
Features
1. Supports security auditing of the local environment and of dependency lists (requirements-style files);
2. Supports multiple vulnerability services (PyPI, OSV);
3. Supports emitting an SBOM in CycloneDX XML or JSON;
4. Provides human- and machine-readable output formats (columnar, JSON);
5. Seamlessly reuses the local pip cache;
Installation
pip-audit is written in Python and requires Python 3.7 or newer in the local environment. Once the Python environment is installed and configured, you can install pip-audit through pip with the following command:
python -m pip install pip-audit
Third-party packages
pip-audit needs several third-party packages in order to run; the specific package names and versions are shown in the figure below:
In addition, pip-audit can also be installed through conda:
conda install -c conda-forge pip-audit
Usage
You can run pip-audit directly as a standalone program, or through "python -m":
pip-audit --help
python -m pip_audit --help
usage: pip-audit [-h] [-V] [-l] [-r REQUIREMENTS] [-f FORMAT] [-s SERVICE]
                 [-d] [-S] [--desc [{on,off,auto}]] [--cache-dir CACHE_DIR]
                 [--progress-spinner {on,off}] [--timeout TIMEOUT]
                 [--path PATHS] [-v] [--fix] [--require-hashes]

audit the Python environment for dependencies with known vulnerabilities

optional arguments:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit
  -l, --local           show only results for dependencies in the local
                        environment (default: False)
  -r REQUIREMENTS, --requirement REQUIREMENTS
                        audit the given requirements file; this option can be
                        used multiple times (default: None)
  -f FORMAT, --format FORMAT
                        the format to emit audit results in (choices: columns,
                        json, cyclonedx-json, cyclonedx-xml) (default:
                        columns)
  -s SERVICE, --vulnerability-service SERVICE
                        the vulnerability service to audit dependencies
                        against (choices: osv, pypi) (default: pypi)
  -d, --dry-run         without `--fix`: collect all dependencies but do not
                        perform the auditing step; with `--fix`: perform the
                        auditing step but do not perform any fixes (default:
                        False)
  -S, --strict          fail the entire audit if dependency collection fails
                        on any dependency (default: False)
  --desc [{on,off,auto}]
                        include a description for each vulnerability; `auto`
                        defaults to `on` for the `json` format. This flag has
                        no effect on the `cyclonedx-json` or `cyclonedx-xml`
                        formats. (default: auto)
  --cache-dir CACHE_DIR
                        the directory to use as an HTTP cache for PyPI; uses
                        the `pip` HTTP cache by default (default: None)
  --progress-spinner {on,off}
                        display a progress spinner (default: on)
  --timeout TIMEOUT     set the socket timeout (default: 15)
  --path PATHS          restrict to the specified installation path for
                        auditing packages; this option can be used multiple
                        times (default: [])
  -v, --verbose         give more output; this setting overrides the
                        `PIP_AUDIT_LOGLEVEL` variable and is equivalent to
                        setting it to `debug` (default: False)
  --fix                 automatically upgrade dependencies with known
                        vulnerabilities (default: False)
  --require-hashes      require a hash to check each requirement against, for
                        repeatable audits; this option is implied when any
                        package in a requirements file has a `--hash` option.
                        (default: False)
Exit codes
工作實行后,pip-audit將會退出運轉,并歸來一個代碼以表露其狀況,個中:
0:未檢驗和測定到已知缺點;
1:檢驗和測定到了一個或多個已知缺點;
東西運用樣例
審批暫時Python情況中的依附:
$ pip-audit
No known vulnerabilities found
Audit the dependencies listed in a given requirements file:
$ pip-audit -r ./requirements.txt
No known vulnerabilities found
Audit a requirements file while excluding system packages (local environment only):
$ pip-audit -r ./requirements.txt -l
No known vulnerabilities found
Audit dependencies in which security vulnerabilities are found:
$ pip-audit
Found 2 known vulnerabilities in 1 package
Name  Version ID             Fix Versions
----- ------- -------------- ------------
Flask 0.5     PYSEC-2019-179 1.0
Flask 0.5     PYSEC-2018-66  0.12.3
Audit dependencies, including a description of each vulnerability:
$ pip-audit --desc
Found 2 known vulnerabilities in 1 package
Name  Version ID             Fix Versions Description
----- ------- -------------- ------------ -----------
Flask 0.5     PYSEC-2019-179 1.0          The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656.
Flask 0.5     PYSEC-2018-66  0.12.3       The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.
Audit dependencies in JSON format:
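As an added example (not part of the original page or of the pip-audit project), the following Python wrapper shows how a CI job can consume the tool's JSON output instead of the columnar table: it flattens the report, applies the 0/1 exit-code semantics described above, and derives the lowest pin per package that clears every finding. The JSON field names ("dependencies", "vulns", "id", "fix_versions") and the accepted-ID allowlist are assumptions, and the sample report is constructed from the two Flask findings shown above.

```python
import json
import subprocess
import sys
from typing import Any

# Constructed sample of `pip-audit -f json` output. The two Flask findings
# mirror the columnar example above; the JSON layout itself ("dependencies"
# list whose entries carry "vulns" with "id" and "fix_versions") is an
# assumption about the tool's output, not something shown on the page.
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"name": "flask", "version": "0.5", "vulns": [
        {"id": "PYSEC-2019-179", "fix_versions": ["1.0"]},
        {"id": "PYSEC-2018-66", "fix_versions": ["0.12.3"]}]},
    {"name": "requests", "version": "2.28.0", "vulns": []}]})

def parse_report(raw: str) -> list[dict[str, Any]]:
    """Flatten a pip-audit JSON report into one record per finding."""
    data = json.loads(raw)
    deps = data["dependencies"] if isinstance(data, dict) else data  # bare list or wrapper
    return [{"package": d["name"], "version": d["version"], "id": v["id"],
             "fix_versions": list(v.get("fix_versions", []))}
            for d in deps for v in d.get("vulns", [])]

def exit_code(findings: list[dict[str, Any]], accepted=frozenset()) -> int:
    """Mirror the documented exit codes (0 clean, 1 if anything remains), after
    subtracting a team-maintained allowlist of accepted IDs (hypothetical)."""
    return 1 if any(f["id"] not in accepted for f in findings) else 0

def _vkey(version: str) -> tuple:
    return tuple(int(p) for p in version.split("."))  # simplistic: no pre-release tags

def upgrade_plan(findings: list[dict[str, Any]]) -> dict[str, str]:
    """Highest listed fix version per package: the pin that clears all its findings."""
    plan: dict[str, str] = {}
    for f in findings:
        for v in f["fix_versions"]:
            if f["package"] not in plan or _vkey(v) > _vkey(plan[f["package"]]):
                plan[f["package"]] = v
    return plan

if __name__ == "__main__":
    # CI wiring: audit a requirements file and gate the job on the outcome.
    proc = subprocess.run(["pip-audit", "-r", sys.argv[1], "-f", "json"],
                          capture_output=True, text=True)
    if proc.returncode not in (0, 1):  # tool error, not a finding: surface it
        sys.exit(proc.stderr or proc.returncode)
    found = parse_report(proc.stdout)
    print(upgrade_plan(found))
    sys.exit(exit_code(found))
```

Run it as `python audit_gate.py requirements.txt` in the pipeline; a non-zero exit from the wrapper fails the job exactly as the bare tool would, while the allowlist lets reviewed findings be tracked without silencing the gate.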
