Skip to main content

Shim to easily install OWASP dependency-check-cli into Python projects

Project description

Code:

https://github.com/jhermann/dependency-check-py#readme

Docs:

https://github.com/jeremylong/dependencycheck#readme

CI:

https://travis-ci.org/jhermann/dependency-check-py

Issues:

https://github.com/jhermann/dependency-check-py/issues

Overview

dependency-check scans application dependencies and checks whether they contain any published vulnerabilities (based on the NIST NVD). It runs in the JVM, so you need some form of java available in your PATH. The script should work on Linux, Mac OSX and Windows, but right now is only tested on Linux.

Usage

After installation, you’ll have the dependency-check command available that, on first use, will automatically download and install the OWASP release archive once for all projects. It’ll then redirect any calls to that installation, meaning the downloaded NVD data is shared amongst projects.

dependency-check --disableAssembly -s . -o build --project "$(python ./setup.py --name)" \
    --exclude ".git/**" --exclude ".venv/**" --exclude "**/__pycache__/**" --exclude ".tox/**" \
    && xdg-open build/dependency-check-report.html

Please see the DependencyCheck site for more configuration and usage details.

To install from PyPI, add dependency-check to your dev-requirements.txt or a similar file. For more installation options, see the “Installation” section below.

Installation Demo

Customization

Using environment variables, you can change the version and download location of the release archive, and the directory for the local installation.

Variable

Default

DEPENDENCY_CHECK_VERSION

6.2.2

DEPENDENCY_CHECK_URL

https://github.com/jeremylong/DependencyCheck/releases/download/v{version}/dependency-check-{version}-release.zip

DEPENDENCY_CHECK_HOME

~/.local/dependency-check

DEPENDENCY_CHECK_NVD_URL

Use NIST NVD URLs

To update to a new version of the OWASP software, delete ~/.local/dependency-check/bin/, set DEPENDENCY_CHECK_VERSION to the new version number, and call dependency-check.

The variable DEPENDENCY_CHECK_NVD_URL can be used to point to a local copy of the various NVD feeds, in a flat hierarchy with compressed JSON files.

export DEPENDENCY_CHECK_NVD_URL='https://repo.local/nvd/nvdcve-1.1-%d.json.gz'

If you set this, the options --cveUrlBase and --cveUrlModified will be added to each call. Note that the %d representing the year is replaced by modified for the latter.

Remove the ~/.local/dependency-check/data/ directory to force a full data reload.

Installation

To just get the dependency-check CLI tool installed into your home, independent of any project, call python3 -m pip install --user dependency-check as usual, see releases for an overview of available versions.

If you prefer an isolated and easily removable venv installation, consider using dephell jail install dependency-check instead.

To get a bleeding-edge version from source, use these commands:

repo="jhermann/dependency-check-py"
python3 -m pip install -r "https://raw.githubusercontent.com/$repo/master/requirements.txt"
python3 -m pip install "https://github.com/$repo/archive/master.zip#egg=dependency-check"

As a developer, to create a working directory for this project, call these commands:

git clone "https://github.com/jhermann/dependency-check-py.git"
cd "dependency-check-py"
command . .env --yes --develop
invoke build --docs test check

You might also need to follow some setup procedures to make the necessary basic commands available on Linux, Mac OS X, and Windows.

Other Python Security Tools

  • openstack/bandit – Security linter designed to find common security issues in Python code, by static AST analysis.

  • pyupio/safety – Safety checks your installed dependencies for known security vulnerabilities.

    • pyupio/safety-db – A curated database of security vulnerabilities in Python packages.

  • eliasgranderubio/dagda – Static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in Docker images, and runtime monitoring of containers for anomalous activities.

  • anchore/anchore-engine – A service for inspection, analysis and certification of container images, provided as a ready-to-deploy Docker container image.

  • vintasoftware/python-linters-and-code-analysis – Curated list of Python linters and code analysis tools.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

dependency-check-0.6.0.zip (138.7 kB view details)

Uploaded Source

Built Distribution

dependency_check-0.6.0-py2.py3-none-any.whl (10.2 kB view details)

Uploaded Python 2 Python 3

File details

Details for the file dependency-check-0.6.0.zip.

File metadata

  • Download URL: dependency-check-0.6.0.zip
  • Upload date:
  • Size: 138.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.24.0 setuptools/50.3.0 requests-toolbelt/0.9.1 tqdm/4.50.0 CPython/3.6.9

File hashes

Hashes for dependency-check-0.6.0.zip
Algorithm Hash digest
SHA256 6fa00b63fbdba57210825675956467ea67693a47b6ef192046f9a51732f22c7f
MD5 1be036cf738a41e1eba75ba72b332b9e
BLAKE2b-256 1e87f52b894b93b1aec834c1d91ce3e818b880544af2de2c80f08780a1d73704

See more details on using hashes here.

File details

Details for the file dependency_check-0.6.0-py2.py3-none-any.whl.

File metadata

  • Download URL: dependency_check-0.6.0-py2.py3-none-any.whl
  • Upload date:
  • Size: 10.2 kB
  • Tags: Python 2, Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.24.0 setuptools/50.3.0 requests-toolbelt/0.9.1 tqdm/4.50.0 CPython/3.6.9

File hashes

Hashes for dependency_check-0.6.0-py2.py3-none-any.whl
Algorithm Hash digest
SHA256 e237d12d038463b0b85d6ef89e6ccda512aaffd1c638904f1f28c5745fa9a56d
MD5 760ad31bacf68f057c0d092c43b50e22
BLAKE2b-256 6d1bce24ef6aff822fa8be8f424920ea04e0c4753320438aa0c6f82cc377de23

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page