apiiro / combobulator Goto Github PK
View Code? Open in Web Editor NEWDependency Combobulator
License: Apache License 2.0
combobulator's People
Stargazers
Watchers
combobulator's Issues
installation failed using Python 3.10.4 at Ubuntu 22.04
System and Python versions
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04 LTS
Release: 22.04
Codename: jammy
$ python3 --version
Python 3.10.4
Installation: (steps for reproduce)
$ git clone https://github.com/apiiro/combobulator
Cloning into 'combobulator'...
remote: Enumerating objects: 85, done.
remote: Counting objects: 100% (85/85), done.
remote: Compressing objects: 100% (72/72), done.
remote: Total 85 (delta 34), reused 46 (delta 11), pack-reused 0
Receiving objects: 100% (85/85), 213.21 KiB | 2.11 MiB/s, done.
Resolving deltas: 100% (34/34), done.
$ cd combobulator/
$ virtualenv venv
created virtual environment CPython3.10.4.final.0-64 in 419ms
$ source venv/bin/activate
$ pip install -r requirements.txt
Collecting requests==2.12.1
Using cached requests-2.12.1-py2.py3-none-any.whl (574 kB)
Collecting gql==2.0.0
Using cached gql-2.0.0-py2.py3-none-any.whl (10 kB)
Collecting python-dotenv==0.19.2
Using cached python_dotenv-0.19.2-py2.py3-none-any.whl (17 kB)
Collecting six>=1.10.0
Using cached six-1.16.0-py2.py3-none-any.whl (11 kB)
Collecting promise<3,>=2.3
Using cached promise-2.3-py3-none-any.whl
Collecting graphql-core<3,>=2.3.2
Using cached graphql_core-2.3.2-py2.py3-none-any.whl (252 kB)
Collecting rx<2,>=1.6
Using cached Rx-1.6.1-py2.py3-none-any.whl (179 kB)
Installing collected packages: rx, requests, six, python-dotenv, promise, graphql-core, gql
Successfully installed gql-2.0.0 graphql-core-2.3.2 promise-2.3 python-dotenv-0.19.2 requests-2.12.1 rx-1.6.1 six-1.16.0
$ combobulator --help
combobulator: command not found
I can't run combobulator directly, I must search python file for this.
$ find ../combobulator/ -iname combobulato*
../combobulator/
../combobulator/src/combobulator.py
$ python src/combobulator.py --help
Traceback (most recent call last):
File "combobulator/venv/lib/python3.10/site-packages/requests/packages/urllib3/_collections.py", line 2, in <module>
from collections import Mapping, MutableMapping
ImportError: cannot import name 'Mapping' from 'collections' (/usr/lib/python3.10/collections/__init__.py)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "combobulator/venv/lib/python3.10/site-packages/requests/packages/__init__.py", line 29, in <module>
import urllib3
ModuleNotFoundError: No module named 'urllib3'
module urllib3 used, but missed at reqirements. So i install it manually
$ pip install urllib3
Successfully installed urllib3-1.26.9
try launch script again
$ python src/combobulator.py --help
Traceback (most recent call last):
File "temp_for_tool/combobulator/src/combobulator.py", line 7, in <module>
import registry.npm as npm
File "temp_for_tool/combobulator/src/registry/npm.py", line 2, in <module>
import requests
File "temp_for_tool/combobulator/venv/lib/python3.10/site-packages/requests/__init__.py", line 63, in <module>
from . import utils
File "temp_for_tool/combobulator/venv/lib/python3.10/site-packages/requests/utils.py", line 29, in <module>
from .cookies import RequestsCookieJar, cookiejar_from_dict
File "temp_for_tool/combobulator/venv/lib/python3.10/site-packages/requests/cookies.py", line 174, in <module>
class RequestsCookieJar(cookielib.CookieJar, collections.MutableMapping):
AttributeError: module 'collections' has no attribute 'MutableMapping'
GitHub Packages connector - fix behavior to align with modular design
Circular dependency conflict on installation
requirements.txt specifies a pinned version of requests as a dependency
requests==2.11.1
however it also calls for gql. gql 2.0.0 has it's own dependency on a higher version of requests
requests<3,>=2.12 
Support PyPI
Document HOWTO contribute and extend
Introduce a keyword list to mark internal only package scheme
For dependency confusion use case - a keyword list option for marking risky packages that should follow a scheme for internal-facing only.
That way - the user will be able to designate dependencies that are to be highlighted if found to be present on the public repo
cc @rotemreiss
failed when try launch scan
System and Python versions
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04 LTS
Release: 22.04
Codename: jammy
$ python3 --version
Python 3.10.4
steps to reproduse:
- download targets: vulnerable node.js app with package.json , vulnerable python app with requirements.txt , vulnerable java app with pom.xml
$ cd ~/Downloads
$ git clone https://github.com/clarkio/vulnerable-app.git
Cloning into 'vulnerable-app'...
[...]
Resolving deltas: 100% (237/237), done.
$ git clone https://github.com/stamparm/DSVW.git
Cloning into 'DSVW'...
[...]
Resolving deltas: 100% (68/68), done.
$ git clone https://github.com/rafaelrpinto/VulnerableJavaWebApplication
Cloning into 'VulnerableJavaWebApplication'...
[...]
Resolving deltas: 100% (66/66), done.- scan targets:
$ cd *path_to_combobulator_folder*
$ python src/combobulator.py --type npm --directory ~/Downloads/vulnerable-app/
____ _____ ____ _____ _ _ ____ _____ _ _ ______ __
| _ \| ____| _ \| ____| \ | | _ \| ____| \ | |/ ___\ \ / /
| | | | _| | |_) | _| | \| | | | | _| | \| | | \ V /
| |_| | |___| __/| |___| |\ | |_| | |___| |\ | |___ | |
|____/|_____|_| |_____|_| \_|____/|_____|_| \_|\____| |_|
____ ____ __ __ ____ ____ ____ _ _ _ _ _____ ____ ____
/ ___/ /\ \| \/ | __ ) / /\ \| __ )| | | | | / \|_ _/ /\ \| _ \
| | / / \ \ |\/| | _ \/ / \ \ _ \| | | | | / _ \ | |/ / \ \ |_) |
| |__\ \ / / | | | |_) \ \ / / |_) | |_| | |___ / ___ \| |\ \ / / _ <
\____\_\/_/|_| |_|____/ \_\/_/|____/ \___/|_____/_/ \_\_| \_\/_/|_| \_
[PROC] Arguments parsed.
[PROC] Package list imported.... ['body-parser', 'cookie-parser', 'express', 'morgan', 'serve-favicon', dict_keys(['browser-sync', 'chai', 'chai-as-promised', 'chalk', 'dateformat', 'debug', 'del', 'glob', 'gulp', 'gulp-angular-templatecache', 'gulp-autoprefixer', 'gulp-bump', 'gulp-bytediff', 'gulp-concat', 'gulp-filter', 'gulp-header', 'gulp-if', 'gulp-imagemin', 'gulp-inject', 'gulp-jscs', 'gulp-jshint', 'gulp-less', 'gulp-load-plugins', 'gulp-minify-css', 'gulp-minify-html', 'gulp-ng-annotate', 'gulp-nodemon', 'gulp-order', 'gulp-plumber', 'gulp-print', 'gulp-rev', 'gulp-rev-replace', 'gulp-sourcemaps', 'gulp-task-listing', 'gulp-uglify', 'gulp-useref', 'gulp-util', 'jshint-stylish', 'karma', 'karma-chai', 'karma-chai-sinon', 'karma-chrome-launcher', 'karma-coverage', 'karma-firefox-launcher', 'karma-growl-reporter', 'karma-mocha', 'karma-phantomjs-launcher', 'karma-safari-launcher', 'karma-sinon', 'lodash', 'method-override', 'minimist', 'mocha', 'node-notifier', 'phantomjs-prebuilt', 'plato', 'q', 'sinon', 'sinon-chai', 'wiredep', 'yargs'])]
Traceback (most recent call last):
File "combobulator/src/combobulator.py", line 195, in <module>
main()
File "combobulator/src/combobulator.py", line 173, in main
metapkg(x, args.package_type)
File "combobulator/src/metapackage.py", line 7, in __init__
if len(pkgname.split(':')) == 2:
AttributeError: 'dict_keys' object has no attribute 'split'
$ python src/combobulator.py --type pypi --directory ~/Downloads/DSVW/
____ _____ ____ _____ _ _ ____ _____ _ _ ______ __
| _ \| ____| _ \| ____| \ | | _ \| ____| \ | |/ ___\ \ / /
| | | | _| | |_) | _| | \| | | | | _| | \| | | \ V /
| |_| | |___| __/| |___| |\ | |_| | |___| |\ | |___ | |
|____/|_____|_| |_____|_| \_|____/|_____|_| \_|\____| |_|
____ ____ __ __ ____ ____ ____ _ _ _ _ _____ ____ ____
/ ___/ /\ \| \/ | __ ) / /\ \| __ )| | | | | / \|_ _/ /\ \| _ \
| | / / \ \ |\/| | _ \/ / \ \ _ \| | | | | / _ \ | |/ / \ \ |_) |
| |__\ \ / / | | | |_) \ \ / / |_) | |_| | |___ / ___ \| |\ \ / / _ <
\____\_\/_/|_| |_|____/ \_\/_/|____/ \___/|_____/_/ \_\_| \_\/_/|_| \_
[PROC] Arguments parsed.
[ERROR] Selected package type doesn't support import scan.
$ python src/combobulator.py --type maven --directory ~/Downloads/VulnerableJavaWebApplication/
____ _____ ____ _____ _ _ ____ _____ _ _ ______ __
| _ \| ____| _ \| ____| \ | | _ \| ____| \ | |/ ___\ \ / /
| | | | _| | |_) | _| | \| | | | | _| | \| | | \ V /
| |_| | |___| __/| |___| |\ | |_| | |___| |\ | |___ | |
|____/|_____|_| |_____|_| \_|____/|_____|_| \_|\____| |_|
____ ____ __ __ ____ ____ ____ _ _ _ _ _____ ____ ____
/ ___/ /\ \| \/ | __ ) / /\ \| __ )| | | | | / \|_ _/ /\ \| _ \
| | / / \ \ |\/| | _ \/ / \ \ _ \| | | | | / _ \ | |/ / \ \ |_) |
| |__\ \ / / | | | |_) \ \ / / |_) | |_| | |___ / ___ \| |\ \ / / _ <
\____\_\/_/|_| |_|____/ \_\/_/|____/ \___/|_____/_/ \_\_| \_\/_/|_| \_
[PROC] Arguments parsed.
[PROC] Package list imported.... ['org.springframework.boot:spring-boot-starter-web', 'org.apache.tomcat.embed:tomcat-embed-jasper', 'javax.servlet:jstl', 'org.springframework:spring-jdbc', 'com.h2database:h2']
[PROC] Maven checker engaged.
[ANALYSIS] Package: spring-boot-starter-web is present on public provider.
[ANALYSIS] Package: tomcat-embed-jasper is present on public provider.
[ANALYSIS] Package: jstl is present on public provider.
[ANALYSIS] Package: spring-jdbc is present on public provider.
[ANALYSIS] Package: h2 is present on public provider.
summary:
Only java scan are stable. Please, fix it. Also, please, update a readme.md
getting issue no module named dotenv in cli following cmds run in readme.md video
poop@spaceship:~/git/combobulator/src
04:29 PM (main=) $ python3 ./combobulator.py --help
Traceback (most recent call last):
File "/.../combobulator/src/./combobulator.py", line 3, in <module>
from dotenv import load_dotenv
ModuleNotFoundError: No module named 'dotenv'
Add JSON for output options
Support NuGet
Add repo scanning for python repositories
Add a native JFrog Artifactory source connector
add --silent option to cli
module urllib3 used, but missed at requirements ?
ref #19
Allow a pipenv support through a Pipfile
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.