
MOSEC-PIP-PLUGIN

Detects whether the third-party dependencies of a Python project contain known security vulnerabilities.

This project is a derivative work based on snyk-python-plugin.

About us

Website: https://security.immomo.com

WeChat:

Version requirement

Python 3.x

Installation

pip install git+https://github.com/momosecurity/mosec-pip-plugin.git

Usage

First start the MOSEC-X-PLUGIN Backend, then run the plugin against your project's dependency file:

> cd your_python_project_dir/
> mosec requirements.txt --endpoint http://127.0.0.1:9000/api/plugin --only-provenance

// or
> mosec setup.py --endpoint http://127.0.0.1:9000/api/plugin --only-provenance

Uninstall

> pip uninstall mosec-pip-plugin

Help

> mosec --help

usage: mosec [-h] --endpoint ENDPOINT [--allow-missing] [--only-provenance]
             [--level LEVEL] [--debug]
             requirements

positional arguments:
  requirements         依赖文件 (requirements.txt 或 Pipfile)

optional arguments:
  -h, --help           show this help message and exit
  --endpoint ENDPOINT  上报API
  --allow-missing      忽略未安装的依赖
  --only-provenance    仅检查直接依赖
  --level LEVEL        威胁等级 [High|Medium|Low]. default: High
  --debug

Results

Using the test/vuln-project project as an example:

The red section reports a vulnerability warning; from: gives the dependency chain leading to the vulnerable package, and Fix version gives the version of the component that is safe to upgrade to.

The program exits with status 1 when a vulnerability is found, and with status 0 when no issue is found.


How detection works

MOSEC-PIP-PLUGIN relies on the built-in pkg_resources library to enumerate the dependencies installed in the current Python environment.

It then matches the installed packages against the dependencies declared in the supplied requirements.txt (or similar file) and, from that comparison, constructs the dependency tree of the packages the project actually needs, including their transitive dependencies.

Finally, the dependency tree is handed to the MOSEC-X-PLUGIN-BACKEND detection service, which scans it and returns the result.

For the relevant data structures, see the MOSEC-X-PLUGIN-BACKEND README.md.
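The following is an added example illustrating the two steps described above (matching declared dependencies against the installed environment, then building the transitive dependency tree). It is not the plugin's own code: the real plugin reads the environment through pkg_resources, whereas here a constructed in-memory snapshot (INSTALLED) and a constructed requirements.txt stand in for it so the example runs offline. The node shape {name, version, dependencies}, the "a > b > c" chain format and the root version "0.0.0" are assumptions; the real schema is defined by the backend README. The --allow-missing and --only-provenance switches from the help text are mirrored as keyword arguments.

```python
import json
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed snapshot of an installed environment, standing in for what the
# plugin would read through pkg_resources: name -> (version, direct requirements).
INSTALLED: Dict[str, Tuple[str, List[str]]] = {
    "requests": ("2.19.1", ["urllib3", "idna", "chardet", "certifi"]),
    "urllib3": ("1.23", []),
    "idna": ("2.7", []),
    "chardet": ("3.0.4", []),
    "certifi": ("2018.8.24", []),
    "Flask": ("1.0.2", ["Werkzeug", "Jinja2", "click"]),
    "Werkzeug": ("0.14.1", []),
    "Jinja2": ("2.10", ["MarkupSafe"]),
    "MarkupSafe": ("1.0", []),
    "click": ("6.7", []),
}

# Constructed requirements.txt for a hypothetical project.
REQUIREMENTS_TXT = """\
# web stack
requests==2.19.1
Flask>=1.0
-r other.txt
pyyaml   # declared here but absent from the snapshot above
"""


def normalize(name: str) -> str:
    """PEP 503 normalization so that Flask, flask and FLASK refer to one package."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> List[str]:
    """Return the normalized package names declared in a requirements.txt body."""
    names: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line or line.startswith("-"):     # skip blanks and pip options (-r, -e, ...)
            continue
        match = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if match:
            names.append(normalize(match.group(1)))
    return names


def build_tree(root_name: str, declared: List[str], installed: Dict[str, Tuple[str, List[str]]],
               allow_missing: bool = False, only_provenance: bool = False) -> dict:
    """Build the project's dependency tree from its declared direct dependencies.

    allow_missing  -> like --allow-missing: ignore declared packages that are not installed.
    only_provenance -> like --only-provenance: stop at the direct dependencies.
    The node shape {name, version, dependencies} is an assumption of this example.
    """
    env = {normalize(k): v for k, v in installed.items()}
    missing: Set[str] = set()

    def node(name: str, chain: Set[str]) -> Optional[dict]:
        if name not in env:
            missing.add(name)
            return None
        version, reqs = env[name]
        children: Dict[str, dict] = {}
        if not only_provenance:
            for dep in map(normalize, reqs):
                if dep in chain:                 # guard against circular requirements
                    continue
                child = node(dep, chain | {dep})
                if child is not None:
                    children[dep] = child
        return {"name": name, "version": version, "dependencies": children}

    top: Dict[str, dict] = {}
    for name in declared:
        child = node(name, {name})
        if child is not None:
            top[name] = child
    if missing and not allow_missing:
        raise LookupError("declared but not installed: " + ", ".join(sorted(missing)))
    return {"name": root_name, "version": "0.0.0", "dependencies": top}


def dependency_chains(tree: dict) -> List[str]:
    """Every root-to-package path, in the 'a > b > c' form a from: column could show."""
    chains: List[str] = []

    def walk(node: dict, path: List[str]) -> None:
        path = path + [node["name"]]
        if len(path) > 1:
            chains.append(" > ".join(path))
        for child in node["dependencies"].values():
            walk(child, path)

    walk(tree, [])
    return chains


if __name__ == "__main__":
    tree = build_tree("vuln-project", parse_requirements(REQUIREMENTS_TXT), INSTALLED,
                      allow_missing=True)
    print(json.dumps(tree, indent=2))
    print("\n".join(dependency_chains(tree)))
```

Without allow_missing=True the declared-but-absent pyyaml raises a LookupError, which is the situation --allow-missing exists to suppress; with only_provenance=True the tree stops at requests and Flask and their transitive packages are not sent for scanning.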

Development

Debugging mosec-pip-plugin in PyCharm

The program entry point is the main() function in mosec/pip_resolve.py.
