vulnerablecode
Add Vulntotal CLI
❯ python vulntotal/vulntotal_cli.py --help
Usage: vulntotal_cli.py [OPTIONS] [PURL]
Runs the PURL through all the available DataSources and group vulnerability
by CVEs. Use the special '-' file name to print JSON or YAML results on
screen/stdout.
Options:
-l, --list Lists all the available DataSources.
--json FILE Write output as pretty-printed JSON to FILE.
--yaml FILE Write output as YAML to FILE.
-h, --help Show this message and exit.
There are also some advanced hidden options, especially useful for debugging and development:
Options:
-e, --enable Enable these datasource/s only.
-d, --disable Disable these datasource/s.
--ecosystem Lists ecosystem supported by active DataSources
--raw List of all the raw response from DataSources.
--no-threading Run DataSources sequentially.
-p, --pagination Enable default pagination.
--no-group Don't group by CVE.
❯ python vulntotal/vulntotal_cli.py 'pkg:pypi/[email protected]'
PURL: pkg:pypi/[email protected]
Active DataSources: DEPS, GITHUB, GITLAB, OSS, OSV, SNYK, VULNERABLECODE
+----------------+----------------+----------------+----------------+---------------+
| CVE | DATASOURCE | ALIASES | AFFECTED | FIXED |
+================+================+================+================+===============+
| CVE-2020-28493 | SNYK | CVE-2020-28493 | (,2.11.3) | 2.11.3 |
| | | SNYK-PYTHON- | | |
| | | JINJA2-1012994 | | |
+----------------+----------------+----------------+----------------+---------------+
| CVE-2020-28493 | VULNERABLECODE | CVE-2020-28493 | 2.10.1-3 | 1.11.3-r0 |
| | | GHSA-g3rq-g295 | 2.10.3-6 | 1.11.3-r0 |
| | | -4j3m | 2.7.0-12 | 1.11.3-r0 |
| | | | 2.7.18-3 | 1.11.3-r0 |
| | | | 2.8-5 4.4.1-7 | 1.11.3-r0 |
| | | | 0.9.6-10 | 1.11.3-r0 |
| | | | 1.5-5 | 1.11.3-r0 |
| | | | 19.3.1-2 | 1.11.3-r0 |
| | | | 2.6-16 | 1.11.3-r0 |
| | | | 1.25.7-7 | 1.11.3-r0 |
| | | | 3.8.11-2 | 1.11.3-r0 |
| | | | 2.0rc1 2.0 | 1.11.3-r0 |
| | | | 2.1 2.1.1 | 1.11.3-r0 |
| | | | 2.2 2.2.1 | 1.11.3-r0 |
| | | | 2.3 2.3.1 | 1.11.3-r0 |
| | | | 2.4 2.4.1 | 1.11.3-r0 |
| | | | 2.5 2.5.1 | 1.11.3-r0 |
| | | | 2.5.2 2.5.3 | 1.11.3-r0 |
| | | | 2.5.4 2.5.5 | 1.11.3-r0 |
| | | | 2.6 2.7 | 1.11.3-r0 |
| | | | 2.7.1 2.7.2 | 1.11.3-r0 |
| | | | 2.7.3 2.8 | 1.11.3-r0 |
| | | | 2.8.1 2.9 | 1.11.3-r0 |
| | | | 2.9.1 2.9.2 | 1.11.3-r0 |
| | | | 2.9.3 2.9.4 | 1.11.3-r0 |
| | | | 2.9.5 2.9.6 | 1.11.3-r0 |
| | | | 2.10 2.10.1 | 1.11.3-r0 |
| | | | 2.10.2 2.10.3 | 1.11.3-r0 |
| | | | 2.11.0 2.11.1 | 2.11.3 |
| | | | 2.11.2 | |
+----------------+----------------+----------------+----------------+---------------+
| CVE-2020-28493 | DEPS | CVE-2020-28493 | 2.0.0 | 2.11.3 3.0.0 |
| | | | 2.0.0rc1 | 3.0.0a1 |
| | | | 2.1.0 2.1.1 | 3.0.0rc1 |
| | | | 2.10.0 2.10.1 | 3.0.0rc2 |
| | | | 2.10.2 2.10.3 | 3.0.1 3.0.2 |
| | | | 2.11.0 2.11.1 | 3.0.3 3.1.0 |
| | | | 2.11.2 2.2.0 | 3.1.1 3.1.2 |
| | | | 2.2.1 2.3.0 | |
| | | | 2.3.1 2.4.0 | |
| | | | 2.4.1 2.5.0 | |
| | | | 2.5.1 2.5.2 | |
| | | | 2.5.3 2.5.4 | |
| | | | 2.5.5 2.6.0 | |
| | | | 2.7.0 2.7.1 | |
| | | | 2.7.2 2.7.3 | |
| | | | 2.8.0 2.8.1 | |
| | | | 2.9.0 2.9.1 | |
| | | | 2.9.2 2.9.3 | |
| | | | 2.9.4 2.9.5 | |
| | | | 2.9.6 | |
+----------------+----------------+----------------+----------------+---------------+
| CVE-2020-28493 | GITHUB | CVE-2020-28493 | <2.11.3 | 2.11.3 |
| | | GHSA-g3rq-g295 | | |
| | | -4j3m | | |
+----------------+----------------+----------------+----------------+---------------+
| CVE-2020-28493 | GITLAB | CVE-2020-28493 | <2.11.3 | 2.11.3 |
+----------------+----------------+----------------+----------------+---------------+
| CVE-2020-28493 | OSV | CVE-2020-28493 | 0 2.0 2.0rc1 | 2.11.3 |
| | | GHSA-g3rq-g295 | 2.1 2.1.1 | |
| | | -4j3m | 2.10 2.10.1 | |
| | | | 2.10.2 2.10.3 | |
| | | | 2.11.0 2.11.1 | |
| | | | 2.11.2 2.2 | |
| | | | 2.2.1 2.3 | |
| | | | 2.3.1 2.4 | |
| | | | 2.4.1 2.5 | |
| | | | 2.5.1 2.5.2 | |
| | | | 2.5.3 2.5.4 | |
| | | | 2.5.5 2.6 | |
| | | | 2.7 2.7.1 | |
| | | | 2.7.2 2.7.3 | |
| | | | 2.8 2.8.1 | |
| | | | 2.9 2.9.1 | |
| | | | 2.9.2 2.9.3 | |
| | | | 2.9.4 2.9.5 | |
| | | | 2.9.6 | |
+----------------+----------------+----------------+----------------+---------------+
| CVE-2020-28493 | OSV | CVE-2020-28493 | 0 2.0 2.0rc1 | 2.11.3 |
| | | GHSA-g3rq-g295 | 2.1 2.1.1 | |
| | | -4j3m | 2.10 2.10.1 | |
| | | PYSEC-2021-66 | 2.10.2 2.10.3 | |
| | | SNYK-PYTHON- | 2.11.0 2.11.1 | |
| | | JINJA2-1012994 | 2.11.2 2.2 | |
| | | | 2.2.1 2.3 | |
| | | | 2.3.1 2.4 | |
| | | | 2.4.1 2.5 | |
| | | | 2.5.1 2.5.2 | |
| | | | 2.5.3 2.5.4 | |
| | | | 2.5.5 2.6 | |
| | | | 2.7 2.7.1 | |
| | | | 2.7.2 2.7.3 | |
| | | | 2.8 2.8.1 | |
| | | | 2.9 2.9.1 | |
| | | | 2.9.2 2.9.3 | |
| | | | 2.9.4 2.9.5 | |
| | | | 2.9.6 | |
+----------------+----------------+----------------+----------------+---------------+
| CVE-2020-28493 | OSS | CVE-2020-28493 | | |
+----------------+----------------+----------------+----------------+---------------+
| CVE-2019-10906 | SNYK | CVE-2019-10906 | (,2.10.1) | 2.10.1 |
| | | SNYK-PYTHON- | | |
| | | JINJA2-174126 | | |
+----------------+----------------+----------------+----------------+---------------+
| CVE-2019-10906 | VULNERABLECODE | CVE-2019-10906 | 2.0rc1 2.0 | 2.10.1 |
| | | GHSA-462w-v97r | 2.1 2.1.1 | |
| | | -4m45 | 2.2 2.2.1 | |
| | | | 2.3 2.3.1 | |
| | | | 2.4 2.4.1 | |
| | | | 2.5 2.5.1 | |
| | | | 2.5.2 2.5.3 | |
| | | | 2.5.4 2.5.5 | |
| | | | 2.6 2.7 | |
| | | | 2.7.1 2.7.2 | |
| | | | 2.7.3 2.8 | |
| | | | 2.8.1 2.9 | |
| | | | 2.9.1 2.9.2 | |
| | | | 2.9.3 2.9.4 | |
| | | | 2.9.5 2.9.6 | |
| | | | 2.10 | |
+----------------+----------------+----------------+----------------+---------------+
| CVE-2019-10906 | GITHUB | CVE-2019-10906 | <2.10.1 | 2.10.1 |
| | | GHSA-462w-v97r | | |
| | | -4m45 | | |
+----------------+----------------+----------------+----------------+---------------+
| CVE-2019-10906 | GITLAB | CVE-2019-10906 | <2.10.1 | 2.10.1 |
+----------------+----------------+----------------+----------------+---------------+
| CVE-2019-10906 | OSV | CVE-2019-10906 | 0 2.0 2.0rc1 | 2.10.1 |
| | | GHSA-462w-v97r | 2.1 2.1.1 | |
| | | -4m45 | 2.10 2.2 | |
| | | | 2.2.1 2.3 | |
| | | | 2.3.1 2.4 | |
| | | | 2.4.1 2.5 | |
| | | | 2.5.1 2.5.2 | |
| | | | 2.5.3 2.5.4 | |
| | | | 2.5.5 2.6 | |
| | | | 2.7 2.7.1 | |
| | | | 2.7.2 2.7.3 | |
| | | | 2.8 2.8.1 | |
| | | | 2.9 2.9.1 | |
| | | | 2.9.2 2.9.3 | |
| | | | 2.9.4 2.9.5 | |
| | | | 2.9.6 | |
+----------------+----------------+----------------+----------------+---------------+
| CVE-2019-10906 | OSV | CVE-2019-10906 | 0 2.0 2.0rc1 | 2.10.1 |
| | | GHSA-462w-v97r | 2.1 2.1.1 | |
| | | -4m45 | 2.10 2.2 | |
| | | PYSEC-2019-217 | 2.2.1 2.3 | |
| | | | 2.3.1 2.4 | |
| | | | 2.4.1 2.5 | |
| | | | 2.5.1 2.5.2 | |
| | | | 2.5.3 2.5.4 | |
| | | | 2.5.5 2.6 | |
| | | | 2.7 2.7.1 | |
| | | | 2.7.2 2.7.3 | |
| | | | 2.8 2.8.1 | |
| | | | 2.9 2.9.1 | |
| | | | 2.9.2 2.9.3 | |
| | | | 2.9.4 2.9.5 | |
| | | | 2.9.6 | |
+----------------+----------------+----------------+----------------+---------------+
| CVE-2014-1402 | SNYK | CVE-2014-1402 | (,2.7.2) | 2.7.2 |
| | | SNYK-PYTHON- | | |
| | | JINJA2-40028 | | |
+----------------+----------------+----------------+----------------+---------------+
| CVE-2014-1402 | VULNERABLECODE | CVE-2014-1402 | 2.0rc1 2.0 | 2.7.2 |
| | | GHSA-8r7q-cvjq | 2.1 2.1.1 | |
| | | -x353 | 2.2 2.2.1 | |
| | | | 2.3 2.3.1 | |
| | | | 2.4 2.4.1 | |
| | | | 2.5 2.5.1 | |
| | | | 2.5.2 2.5.3 | |
| | | | 2.5.4 2.5.5 | |
| | | | 2.6 2.7 | |
| | | | 2.7.1 | |
+----------------+----------------+----------------+----------------+---------------+
| CVE-2014-1402 | GITHUB | CVE-2014-1402 | <2.7.2 | 2.7.2 |
| | | GHSA-8r7q-cvjq | | |
| | | -x353 | | |
+----------------+----------------+----------------+----------------+---------------+
| CVE-2014-1402 | GITLAB | CVE-2014-1402 | <=2.7.1 | 2.7.2 |
+----------------+----------------+----------------+----------------+---------------+
| CVE-2014-1402 | OSV | CVE-2014-1402 | 0 2.0 2.0rc1 | 2.7.2 |
| | | GHSA-8r7q-cvjq | 2.1 2.1.1 | |
| | | -x353 | 2.2 2.2.1 | |
| | | | 2.3 2.3.1 | |
| | | | 2.4 2.4.1 | |
| | | | 2.5 2.5.1 | |
| | | | 2.5.2 2.5.3 | |
| | | | 2.5.4 2.5.5 | |
| | | | 2.6 2.7 | |
| | | | 2.7.1 | |
+----------------+----------------+----------------+----------------+---------------+
| CVE-2014-1402 | OSV | CVE-2014-1402 | 0 2.0 2.0rc1 | 2.7.2 |
| | | PYSEC-2014-8 | 2.1 2.1.1 | |
| | | | 2.2 2.2.1 | |
| | | | 2.3 2.3.1 | |
| | | | 2.4 2.4.1 | |
| | | | 2.5 2.5.1 | |
| | | | 2.5.2 2.5.3 | |
| | | | 2.5.4 2.5.5 | |
| | | | 2.6 2.7 | |
| | | | 2.7.1 | |
+----------------+----------------+----------------+----------------+---------------+
| CVE-2014-1402 | OSS | CVE-2014-1402 | | |
+----------------+----------------+----------------+----------------+---------------+
| CVE-2016-10745 | VULNERABLECODE | GHSA- | 2.0rc1 2.0 | 2.8.1 |
| | | hj2j-77xm-mc5v | 2.1 2.1.1 | |
| | | CVE-2016-10745 | 2.2 2.2.1 | |
| | | | 2.3 2.3.1 | |
| | | | 2.4 2.4.1 | |
| | | | 2.5 2.5.1 | |
| | | | 2.5.2 2.5.3 | |
| | | | 2.5.4 2.5.5 | |
| | | | 2.6 2.7 | |
| | | | 2.7.1 2.7.2 | |
| | | | 2.7.3 2.8 | |
+----------------+----------------+----------------+----------------+---------------+
| CVE-2016-10745 | GITHUB | CVE-2016-10745 | <2.8.1 | 2.8.1 |
| | | GHSA- | | |
| | | hj2j-77xm-mc5v | | |
+----------------+----------------+----------------+----------------+---------------+
| CVE-2016-10745 | GITLAB | GHSA- | <2.8.1 | 2.8.1 |
| | | hj2j-77xm-mc5v | | |
| | | CVE-2016-10745 | | |
+----------------+----------------+----------------+----------------+---------------+
| CVE-2016-10745 | OSV | CVE-2016-10745 | 0 2.0 2.0rc1 | 2.8.1 |
| | | GHSA- | 2.1 2.1.1 | |
| | | hj2j-77xm-mc5v | 2.2 2.2.1 | |
| | | | 2.3 2.3.1 | |
| | | | 2.4 2.4.1 | |
| | | | 2.5 2.5.1 | |
| | | | 2.5.2 2.5.3 | |
| | | | 2.5.4 2.5.5 | |
| | | | 2.6 2.7 | |
| | | | 2.7.1 2.7.2 | |
| | | | 2.7.3 2.8 | |
+----------------+----------------+----------------+----------------+---------------+
| CVE-2016-10745 | OSV | CVE-2016-10745 | 0 2.0 2.0rc1 | 9b53045c34e61 |
| | | GHSA- | 2.1 2.1.1 | 013dc8f09b7e5 |
| | | hj2j-77xm-mc5v | 2.2 2.2.1 | 2a555fa16bed1 |
| | | PYSEC-2019-220 | 2.3 2.3.1 | 6 |
| | | | 2.4 2.4.1 | |
| | | | 2.5 2.5.1 | |
| | | | 2.5.2 2.5.3 | |
| | | | 2.5.4 2.5.5 | |
| | | | 2.6 2.7 | |
| | | | 2.7.1 2.7.2 | |
| | | | 2.7.3 2.8 | |
+----------------+----------------+----------------+----------------+---------------+
| CVE-2016-10745 | OSS | CVE-2016-10745 | | |
+----------------+----------------+----------------+----------------+---------------+
The CLI now also supports listing the supported ecosystems:
❯ python vulntotal/vulntotal_cli.py --ecosystem
Active DataSources: DEPS, GITHUB, GITLAB, OSS, OSV, SNYK, VULNERABLECODE
Ecosystem supported by active datasources
ALPINE
ANDROID
CARGO
COCOAPODS
COMPOSER
CONAN
CONDA
CRAN
CRATES.IO
DEB
DEBIAN
ERLANG
GEM
GOLANG
HEX
LINUX
MAVEN
NGINX
NPM
NUGET
OPENSSL
OSS-FUZZ
PYPI
RPM
RUBYGEMS
RUST
SWIFT
UNMANAGED
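The help text above says the CLI runs a PURL through every datasource and groups the results by CVE. The table shows why that grouping needs alias handling (OSV returns the same CVE twice, once under a GHSA id and once under a PYSEC id) and why the fixed column deserves a cross-source check (one source lists 1.11.3-r0 where every other source says 2.11.3). The block below is an added example, not code from the vulntotal project: it keys advisories by their CVE alias, falls back to the first alias when there is no CVE, and reports fixed versions that all sources agree on versus ones only a single source reports. The result dict shape and the sample rows are constructed for the example.

```python
import re
from collections import defaultdict

# Added example, not vulntotal's own code. It shows the "group vulnerability by
# CVEs" step from the CLI description: advisories from several datasources are
# keyed by their CVE alias, and the fixed versions are then cross-checked so a
# single source reporting an odd value (like 1.11.3-r0 above) stands out.

CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)


def cve_key(aliases):
    """Return the key an advisory is grouped under.

    The first CVE-style alias wins, upper-cased. Advisories without a CVE
    (a GHSA- or PYSEC-only id) are keyed by their first alias so they are
    still reported rather than silently dropped.
    """
    for alias in aliases:
        if CVE_ID.match(alias):
            return alias.upper()
    if not aliases:
        raise ValueError("advisory has no identifier at all")
    return aliases[0]


def group_by_cve(results):
    """Group datasource results by CVE, keeping datasource order within a group.

    Each result is a dict {datasource, aliases, affected, fixed}; this shape is
    assumed for the example and is not the tool's internal data model.
    """
    grouped = defaultdict(list)
    for result in results:
        grouped[cve_key(result["aliases"])].append(result)
    return dict(grouped)


def fixed_version_consensus(grouped):
    """Per CVE, report the fixed versions every reporting source agrees on, and
    the outliers that exactly one source reports (only meaningful with >= 2 sources)."""
    report = {}
    for cve, results in grouped.items():
        per_source = {}
        for r in results:
            if r["fixed"]:
                per_source.setdefault(r["datasource"], set()).update(r["fixed"])
        if not per_source:
            report[cve] = {"consensus": set(), "outliers": {}}
            continue
        consensus = set.intersection(*per_source.values())
        outliers = {}
        if len(per_source) > 1:
            for source, versions in per_source.items():
                for version in versions:
                    reporters = [s for s, vs in per_source.items() if version in vs]
                    if reporters == [source]:
                        outliers[version] = source
        report[cve] = {"consensus": consensus, "outliers": outliers}
    return report


# Constructed sample modelled on the rows in the table above; the last entry
# uses a placeholder GHSA id to exercise the no-CVE fallback.
SAMPLE_RESULTS = [
    {"datasource": "SNYK", "aliases": ["CVE-2020-28493", "SNYK-PYTHON-JINJA2-1012994"],
     "affected": ["(,2.11.3)"], "fixed": ["2.11.3"]},
    {"datasource": "VULNERABLECODE", "aliases": ["CVE-2020-28493", "GHSA-g3rq-g295-4j3m"],
     "affected": ["2.11.2"], "fixed": ["1.11.3-r0", "2.11.3"]},
    {"datasource": "GITHUB", "aliases": ["CVE-2020-28493", "GHSA-g3rq-g295-4j3m"],
     "affected": ["<2.11.3"], "fixed": ["2.11.3"]},
    {"datasource": "OSV", "aliases": ["GHSA-g3rq-g295-4j3m", "CVE-2020-28493"],
     "affected": ["2.11.2"], "fixed": ["2.11.3"]},
    {"datasource": "OSV", "aliases": ["PYSEC-2021-66", "CVE-2020-28493"],
     "affected": ["2.11.2"], "fixed": ["2.11.3"]},
    {"datasource": "OSS", "aliases": ["CVE-2020-28493"], "affected": [], "fixed": []},
    {"datasource": "GITLAB", "aliases": ["CVE-2019-10906"], "affected": ["<2.10.1"], "fixed": ["2.10.1"]},
    {"datasource": "GITHUB", "aliases": ["GHSA-0000-0000-0000"],  # placeholder id, constructed
     "affected": ["<1.2.3"], "fixed": ["1.2.3"]},
]

if __name__ == "__main__":
    for cve, check in fixed_version_consensus(group_by_cve(SAMPLE_RESULTS)).items():
        print(cve, "consensus:", sorted(check["consensus"]), "outliers:", check["outliers"])
```

The outlier check is a heuristic, not a verdict: a version only one source knows about may be a newer release that the others have not catalogued yet, or, as in the thread, a version from a different ecosystem entirely. Either way it is the row a reviewer should look at before trusting the fixed column.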
IMHO we should also find a way to report some JSON output.
An example of such a CLI could be https://github.com/nexB/python-inspector/blob/main/src/python_inspector/resolve_cli.py
Add docstrings for all the functions and also add doctests/unit tests for functions which have not been tested at all.
> | CVE-2020-28493 | VULNERABLECODE | CVE-2020-28493 | 2.10.1-3 | 1.11.3-r0 |
> | | | GHSA-g3rq-g295 | 2.10.3-6 | 1.11.3-r0 |
> | | | -4j3m | 2.7.0-12 | 1.11.3-r0 |
> | | | | 2.7.18-3 | 1.11.3-r0 |

That looks like an odd result as I don't think that version 1.11.3-r0 actually exists. Maybe a bug in the VulnerableCode data? I would have expected to see 2.11.3-r0.
> | CVE-2020-28493 | VULNERABLECODE | CVE-2020-28493 | 2.10.1-3 | 1.11.3-r0 |
> | | | GHSA-g3rq-g295 | 2.10.3-6 | 1.11.3-r0 |
> | | | -4j3m | 2.7.0-12 | 1.11.3-r0 |
> | | | | 2.7.18-3 | 1.11.3-r0 |
>
> That looks like an odd result as I don't think that version 1.11.3-r0 actually exists. Maybe a bug in the VulnerableCode data? I would have expected to see 2.11.3-r0.

@armijnhemel it's not a bug in Vulnerablecode, the version 1.11.3-r0 is not from the pypi ecosystem but from the alpine ecosystem: pkg:alpine/[email protected]?arch=aarch64&distroversion=edge&reponame=main
vulntotal needs some sort of filtering to filter out the purls that are related to the ecosystem of the requested purl.
cc @keshav-space
> | CVE-2020-28493 | VULNERABLECODE | CVE-2020-28493 | 2.10.1-3 | 1.11.3-r0 |
> | | | GHSA-g3rq-g295 | 2.10.3-6 | 1.11.3-r0 |
> | | | -4j3m | 2.7.0-12 | 1.11.3-r0 |
> | | | | 2.7.18-3 | 1.11.3-r0 |
>
> That looks like an odd result as I don't think that version 1.11.3-r0 actually exists. Maybe a bug in the VulnerableCode data? I would have expected to see 2.11.3-r0.
>
> @armijnhemel it's not a bug in Vulnerablecode, the version 1.11.3-r0 is not from the pypi ecosystem but from the alpine ecosystem: pkg:alpine/[email protected]?arch=aarch64&distroversion=edge&reponame=main
> vulntotal needs some sort of filtering to filter out the purls that are related to the ecosystem of the requested purl. cc @keshav-space

I will open a different issue, as I have found what the bug is.
> @armijnhemel it's not a bug in Vulnerablecode, the version 1.11.3-r0 is not from the pypi ecosystem but from the alpine ecosystem: pkg:alpine/[email protected]?arch=aarch64&distroversion=edge&reponame=main
> vulntotal needs some sort of filtering to filter out the purls that are related to the ecosystem of the requested purl. cc @keshav-space

VulnTotal is making this request.

```python
import requests

# Bulk package search against a local VulnerableCode instance
response = requests.post(
    "http://localhost:8001/api/packages/bulk_search/",
    json={"purls": ["pkg:pypi/[email protected]"]},
)
```

The point here is that if I'm making an explicit request for the pypi ecosystem, why should I be getting anything from alpine?
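The mixing discussed in this exchange (an Alpine 1.11.3-r0 listed next to pypi versions for the same CVE) is what a client-side filter on the bulk_search response would prevent. The block below is an added example, not vulntotal's or VulnerableCode's own code: a minimal Package URL parser plus a filter that keeps only purls whose type, namespace and name match the requested purl, so fixed versions from another ecosystem never reach the table. The response shape (vulnerability_id / affected_purls / fixed_purls) and the sample entries are assumptions constructed for this example, not the real API schema; a production client should parse purls with the packageurl-python library rather than the hand-rolled parser here.

```python
from typing import NamedTuple, Optional
from urllib.parse import unquote

# Added example, not vulntotal's or VulnerableCode's own code. It implements the
# filter asked for in the thread: after a bulk_search-style lookup, keep only the
# purls that belong to the same ecosystem (purl type) and package as the request,
# so an Alpine "1.11.3-r0" can never be reported as a fixed version for pypi/jinja2.


class Purl(NamedTuple):
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]


def parse_purl(purl: str) -> Purl:
    """Minimal Package URL parser: pkg:type/namespace/name@version?qualifiers#subpath.

    Qualifiers (arch=..., distroversion=...) and subpath are dropped because they
    do not identify the package. Production code should use packageurl-python.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a Package URL: {purl!r}")
    body = purl[len("pkg:"):].lstrip("/")
    body = body.split("#", 1)[0]   # drop subpath
    body = body.split("?", 1)[0]   # drop qualifiers
    version = None
    if "@" in body:
        body, raw_version = body.rsplit("@", 1)
        version = unquote(raw_version)
    segments = [s for s in body.split("/") if s]
    if len(segments) < 2:
        raise ValueError(f"Package URL needs a type and a name: {purl!r}")
    namespace = "/".join(unquote(s) for s in segments[1:-1]) or None
    return Purl(segments[0].lower(), namespace, unquote(segments[-1]), version)


def same_package(a: Purl, b: Purl) -> bool:
    """True when two purls name the same package in the same ecosystem.

    Name comparison is case-insensitive here (right for pypi, whose names are
    normalised); case-sensitive ecosystems would need a per-type rule.
    Versions are deliberately ignored.
    """
    return a.type == b.type and a.namespace == b.namespace and a.name.lower() == b.name.lower()


def filter_to_requested_package(requested_purl: str, vulnerabilities: list) -> list:
    """Drop affected/fixed purls that belong to another ecosystem or package.

    `vulnerabilities` uses a simplified shape assumed for this example, not the
    exact VulnerableCode API schema: dicts with "vulnerability_id",
    "affected_purls" and "fixed_purls" (lists of purl strings).
    """
    wanted = parse_purl(requested_purl)

    def keep(purls):
        return [p for p in purls if same_package(parse_purl(p), wanted)]

    return [
        {
            "vulnerability_id": v["vulnerability_id"],
            "affected_purls": keep(v["affected_purls"]),
            "fixed_purls": keep(v["fixed_purls"]),
        }
        for v in vulnerabilities
    ]


def fixed_versions(requested_purl: str, vulnerabilities: list) -> dict:
    """Map vulnerability id -> fixed versions taken from the requested ecosystem only.

    Sorted as strings for determinism; this is not a version-order sort.
    """
    return {
        v["vulnerability_id"]: sorted(
            {parse_purl(p).version for p in v["fixed_purls"] if parse_purl(p).version}
        )
        for v in filter_to_requested_package(requested_purl, vulnerabilities)
    }


# Constructed sample mimicking the mixed-ecosystem rows from the thread; versions
# are chosen for illustration, the Alpine purl is the one quoted in the discussion.
REQUESTED_PURL = "pkg:pypi/jinja2@2.11.2"
SAMPLE_RESPONSE = [
    {
        "vulnerability_id": "CVE-2020-28493",
        "affected_purls": [
            "pkg:pypi/jinja2@2.11.0",
            "pkg:pypi/Jinja2@2.11.2",
            "pkg:deb/debian/jinja2@2.10.1-3",
        ],
        "fixed_purls": [
            "pkg:pypi/jinja2@2.11.3",
            "pkg:alpine/py3-jinja2@1.11.3-r0?arch=aarch64&distroversion=edge&reponame=main",
        ],
    },
    {
        "vulnerability_id": "CVE-2019-10906",
        "affected_purls": ["pkg:pypi/jinja2@2.10"],
        "fixed_purls": ["pkg:pypi/jinja2@2.10.1", "pkg:deb/debian/jinja2@2.10.1-1"],
    },
]

if __name__ == "__main__":
    print(fixed_versions(REQUESTED_PURL, SAMPLE_RESPONSE))
```

Matching on name as well as type is stricter than a pure ecosystem filter on purpose: a fixed version for a different package in the same ecosystem is just as wrong a remediation hint as one from another distribution. If the server already scopes bulk_search to the requested ecosystem, as suggested later in the thread, the filter costs nothing and still protects the table against a regression.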
> @armijnhemel it's not a bug in Vulnerablecode, the version 1.11.3-r0 is not from the pypi ecosystem but from the alpine ecosystem: pkg:alpine/[email protected]?arch=aarch64&distroversion=edge&reponame=main
> vulntotal needs some sort of filtering to filter out the purls that are related to the ecosystem of the requested purl. cc @keshav-space
>
> VulnTotal is making this request.
>
> ```python
> response = requests.post(
>     "http://localhost:8001/api/packages/bulk_search/",
>     json={"purls": ["pkg:pypi/[email protected]"]},
> )
> ```
>
> The point here is that if I'm making an explicit request for the pypi ecosystem, why should I be getting anything from alpine?

@keshav-space which branch of vulnerablecode are you using in your local checkout? If you use the latest branch you will only get purls of the pypi ecosystem.
> | CVE-2020-28493 | VULNERABLECODE | CVE-2020-28493 | 2.10.1-3 | 1.11.3-r0 |
> | | | GHSA-g3rq-g295 | 2.10.3-6 | 1.11.3-r0 |
> | | | -4j3m | 2.7.0-12 | 1.11.3-r0 |
> | | | | 2.7.18-3 | 1.11.3-r0 |
>
> That looks like an odd result as I don't think that version 1.11.3-r0 actually exists. Maybe a bug in the VulnerableCode data? I would have expected to see 2.11.3-r0.
>
> @armijnhemel it's not a bug in Vulnerablecode, the version 1.11.3-r0 is not from the pypi ecosystem but from the alpine ecosystem: pkg:alpine/[email protected]?arch=aarch64&distroversion=edge&reponame=main
> vulntotal needs some sort of filtering to filter out the purls that are related to the ecosystem of the requested purl. cc @keshav-space
>
> I will open a different issue, as I have found what the bug is.

It seems that what I found is indeed a different issue than what is currently being discussed ;-)
I have opened a separate bug report in #915
> @keshav-space which branch of vulnerablecode are you using in your local checkout? If you use the latest branch you will only get purls of the pypi ecosystem.

Okay, let me try the latest branch.