Coder Social home page Coder Social logo

mosec-pip-plugin's Introduction

MOSEC-PIP-PLUGIN

用于检测python项目的第三方依赖组件是否存在安全漏洞。

该项目是基于 snyk-python-plugin 的二次开发。

关于我们

Website:https://security.immomo.com

WeChat:


版本要求

Python 3.x

安装

pip install git+https://github.com/momosecurity/mosec-pip-plugin.git

使用

首先运行 MOSEC-X-PLUGIN Backend

> cd your_python_project_dir/
> mosec requirements.txt --endpoint http://127.0.0.1:9000/api/plugin --only-provenance

// 或
> mosec setup.py --endpoint http://127.0.0.1:9000/api/plugin --only-provenance

卸载

> pip uninstall mosec-pip-plugin

帮助

> mosec --help

usage: mosec [-h] --endpoint ENDPOINT [--allow-missing] [--only-provenance]
             [--level LEVEL] [--debug]
             requirements

positional arguments:
  requirements         依赖文件 (requirements.txt 或 Pipfile)

optional arguments:
  -h, --help           show this help message and exit
  --endpoint ENDPOINT  上报API
  --allow-missing      忽略未安装的依赖
  --only-provenance    仅检查直接依赖
  --level LEVEL        威胁等级 [High|Medium|Low]. default: High
  --debug

使用效果

以 test/vuln-project 项目为例。

红色部分给出漏洞警告,from: 为漏洞依赖链,Fix version 为组件安全版本。

程序返回值为1,表示发现漏洞。返回值为0,即为未发现问题。

usage

检测原理

MOSEC-PIP-PLUGIN 核心使用pkg_resources内置库来提取当前python环境所安装的依赖。

并将环境依赖与传入的requirements.txt等文件中所声明的项目需要的依赖进行比对,从而构造当前项目所需的依赖的依赖树。

最终依赖树会交由 MOSEC-X-PLUGIN-BACKEND 检测服务进行检测,并返回结果。

相关数据结构请参考 MOSEC-X-PLUGIN-BACKEND README.md.

开发

Pycharm 调试 mosec-pip-plugin

程序入口位于mosec/pip_resolve.py文件的main()函数

mosec-pip-plugin's People

Contributors

retanoj avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar

Forkers

haoirui kenuoseclab sdgdsffdsfff crackercat rebortboss jimersylee zougang npc7 ivybao0628 oldmuster gitwk86 testivy

mosec-pip-plugin's Issues

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.