ochronasec / ochrona-cli
A command line tool for detecting vulnerabilities in Python dependencies and doing safe package installs
Home Page: https://ochrona.dev
License: MIT License
Describe the bug
Minor issue in README.md: a few small formatting bugs cause a Markdown parsing error.
Section "via .ochrona.yml", at line 105: GitHub shows no error, but the PyPI doc page cannot correctly render the table.
To Reproduce
Steps to reproduce the behavior:
The PyPI doc page directly shows the Markdown source of the table.
Expected behavior
What did you expect to happen.
Rendering the table.
Background (please complete the following information):
--debug flag
Additional context
Add any other context about the issue here.
Feature Overview
What would you like to see changed/added?
It would be nice to be able to use Ochrona in a pre-commit routine (anytime requirements change then ochrona runs).
An alternative would be to have a GitHub action that has similar functionality.
Is your feature request related to a problem?
Having a way to automate the runs of Ochrona whenever the underlying requirements files change would be useful when maintaining a Python package.
Additional context
Documentation mentions CI/CD integration but doesn't provide any examples. It is possible this is straightforward to accomplish, but not documented (or I couldn't find documentation).
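One way to get the "run ochrona whenever the requirements change" behaviour asked for above is a pre-commit local hook. The configuration below is an added example, not something shipped by the ochrona-cli project; the `repo: local` / `language: python` / `additional_dependencies` pattern is standard pre-commit, the `--dir .` flag is the one used elsewhere on this page, and the `files` patterns are assumed from the manifest names (requirements*.txt, Pipfile.lock, poetry.lock, setup.py) that ochrona reports discovering in the debug logs on this page.

```yaml
# .pre-commit-config.yaml (added example; not part of ochrona-cli)
repos:
  - repo: local
    hooks:
      - id: ochrona
        name: ochrona dependency vulnerability scan
        # pre-commit builds an isolated virtualenv for the hook and installs
        # ochrona into it, so the project's own environment is not touched
        language: python
        additional_dependencies: ["ochrona"]
        entry: ochrona --dir .
        # ochrona discovers manifests itself; do not pass the staged filenames
        pass_filenames: false
        # only fire when a dependency manifest is part of the commit
        files: (^|/)(requirements[^/]*\.txt|Pipfile\.lock|poetry\.lock|setup\.py)$
```

Because the hook scans the whole tree from `--dir .`, pair it with a `.ochrona.yml` that excludes virtualenv directories (for example `exclude_dir: .venv`; a later report on this page notes that the comma-separated string form works while the YAML list form is ignored). The debug log further down this page, where ochrona picked up setup.py files under .venv/lib/python3.8/site-packages, shows why that exclusion matters.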
Running the latest version of Ochrona v0.0.17 via pipenv run ochrona
I get the following message:
[DEBUG] Unexpected Response from https://api.ochrona.dev/python/analyze - {"message": "Internal server error"}
[!] Unexpected result from analysis, please try again later. If this persists, please report this at https://github.com/ochronasec/ochrona-cli/issues
make: *** [check] Error 1
MacOS Big Sur: 11.2.1
Python Version: 3.8.7
Pipfile
[[source]]
name = "pypi"
url = "https://pypi.org/simple"
verify_ssl = true
[dev-packages]
bandit = "*"
black = "20.8b1"
mypy = "*"
ochrona = "*"
[packages]
flask = "1.1.2"
[requires]
python_version = "3.8.6"
ochrona.yml
---
debug: true
silent: false
dir: .
report_type: JSON
report_location: ./output
include_dev: true
project_name: pythonsecuritytools
Full debug output
[DEBUG] Found matching requirements*.txt file at .venv/lib/python3.8/site-packages/pbr/tests/testpackage/test-requirements.txt
[DEBUG] Found matching pipfile.lock file at Pipfile.lock
[DEBUG] Found matching setup.py file at .venv/lib/python3.8/site-packages/mypyc/lib-rt/setup.py
[DEBUG] Found matching setup.py file at .venv/lib/python3.8/site-packages/pbr/tests/test_setup.py
[DEBUG] Found matching setup.py file at .venv/lib/python3.8/site-packages/pbr/tests/testpackage/setup.py
[DEBUG] Found matching setup.py file at .venv/lib/python3.8/site-packages/stevedore/example2/setup.py
[DEBUG] Found matching setup.py file at .venv/lib/python3.8/site-packages/stevedore/example/setup.py
[DEBUG] Discovered dependencies: ["ordereddictpython_version=='2.6'", 'requests-mock']
[DEBUG] Discovered dependencies: ['click==7.1.2', 'flask==1.1.2', 'itsdangerous==1.1.0', 'jinja2==2.11.3', 'markupsafe==1.1.1', 'werkzeug==1.0.1', 'appdirs==1.4.4', 'bandit==1.7.0', 'black==20.8b1', 'certifi==2020.12.5', 'chardet==4.0.0', 'click==7.1.2', 'gitdb==4.0.5', 'gitpython==3.1.13', 'idna==2.10', 'mypy==0.812', 'mypy-extensions==0.4.3', 'ochrona==0.0.17', 'pathspec==0.8.1', 'pbr==5.5.1', 'pyyaml==5.4.1', 'regex==2020.11.13', 'requests==2.25.1', 'six==1.15.0', 'smmap==3.0.5', 'stevedore==3.3.0', 'toml==0.10.2', 'typed-ast==1.4.2', 'typing-extensions==3.7.4.3', 'urllib3==1.26.3']
[DEBUG] Discovered dependencies: []
[DEBUG] Discovered dependencies: ['', 'from', '', 'import', '', 'try:', '', '', 'except', '', '', '', 'import', '', 'from', 'from', 'from', 'from', '', '', 'class', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '_changelog_content', '04316fe\\x00Make', '378261a\\x00Add', '3c373ac\\x00Merge', '182feb3\\x00Fix', 'fa4f46e\\x00Remove', 'd1c53dd\\x00Use', 'a793ea1\\x00Merge', '6c27ce7\\x00Skip', '451e513\\x00Bug', '4c8cfe4\\x00Improve', 'd7e6167\\x00Bug', 'c47ec15\\x00Consider', '8696fbd\\x00Improve', 'f0440f8\\x00Improve', '04984a5\\x00Refactor', 'a65e8ee\\x00Remove', '"""', '', '', 'def', '', '', '', '', '', '', '', '', '', '_old_git_changelog_content', '', '', '', '', 'class', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', 'class', '', '', '', 'class', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', 'class', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', 'class', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', 
'', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '']
[DEBUG] Unexpected Response from https://api.ochrona.dev/python/analyze - {"message": "Internal server error"}
On Windows 10 and in Powershell I ran ochrona --api_key hidden_key --dir directory_with_one_python_file
and received the following error.
,---. |
| |,---.|---.,---.,---.,---.,---.
| || | || | || |,---|
`---'`---'` '` `---'` '`---^
v. 0.0.17
https://ochrona.dev
Traceback (most recent call last):
File "c:\python39\lib\runpy.py", line 197, in _run_module_as_main
return _run_code(code, main_globals, None,
File "c:\python39\lib\runpy.py", line 87, in _run_code
exec(code, run_globals)
File "C:\Python39\Scripts\ochrona.exe\__main__.py", line 7, in <module>
File "c:\python39\lib\site-packages\click\core.py", line 829, in __call__
return self.main(*args, **kwargs)
File "c:\python39\lib\site-packages\click\core.py", line 782, in main
rv = self.invoke(ctx)
File "c:\python39\lib\site-packages\click\core.py", line 1066, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "c:\python39\lib\site-packages\click\core.py", line 610, in invoke
return callback(*args, **kwargs)
File "c:\python39\lib\site-packages\ochrona\cli.py", line 112, in run
files = rfind_all_dependencies_files(
File "c:\python39\lib\site-packages\ochrona\file_handler.py", line 107, in rfind_all_dependencies_files
raise OchronaFileException("No dependencies files found")
ochrona.exceptions.OchronaFileException: No dependencies files found
I ran into this error when running Ochrona in a venv:
Traceback (most recent call last):
File "/home/user/project/.venv/bin/ochrona", line 8, in <module>
sys.exit(run())
File "/home/user/project/.venv/lib/python3.8/site-packages/click/core.py", line 1128, in __call__
return self.main(*args, **kwargs)
File "/home/user/project/.venv/lib/python3.8/site-packages/click/core.py", line 1053, in main
rv = self.invoke(ctx)
File "/home/user/project/.venv/lib/python3.8/site-packages/click/core.py", line 1395, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/home/user/project/.venv/lib/python3.8/site-packages/click/core.py", line 754, in invoke
return __callback(*args, **kwargs)
File "/home/user/project/.venv/lib/python3.8/site-packages/ochrona/cli/cli.py", line 144, in run
results.append(resolve(**payload))
File "/home/user/project/.venv/lib/python3.8/site-packages/ochrona/eval/eval.py", line 23, in resolve
vulns += db.lookup_by_name(_safe_query_name(dep))
File "/home/user/project/.venv/lib/python3.8/site-packages/ochrona/db/db.py", line 95, in lookup_by_name
if re.match(VULN_PATTERN.format(name), vuln.name):
File "/usr/lib/python3.8/re.py", line 191, in match
return _compile(pattern, flags).match(string)
File "/usr/lib/python3.8/re.py", line 304, in _compile
p = sre_compile.compile(pattern, flags)
File "/usr/lib/python3.8/sre_compile.py", line 764, in compile
p = sre_parse.parse(p, flags)
File "/usr/lib/python3.8/sre_parse.py", line 962, in parse
raise source.error("unbalanced parenthesis")
re.error: unbalanced parenthesis at position 13
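The traceback above shows the dependency name being formatted into VULN_PATTERN and compiled by re.match, so a regex metacharacter in a name (here an unbalanced parenthesis) aborts the scan, and a crafted lock file could hand arbitrary patterns to the regex engine. The code below is an added example, not ochrona-cli's own db.py: it assumes a placeholder pattern in place of the real VULN_PATTERN (which the page does not show), uses constructed sample names, and contrasts the failing shape with a PEP 503 normalised comparison and an escaped regex.

```python
"""Added example (not ochrona-cli code): match a dependency name against the
vulnerability database without compiling that name as a regular expression."""
import re
from typing import Iterable, List

# Placeholder for the real VULN_PATTERN, which is not shown on the page.
UNSAFE_PATTERN = r"^{}$"


def unsafe_lookup_by_name(name: str, vuln_names: Iterable[str]) -> List[str]:
    """The failing shape from the traceback: the dependency name becomes regex syntax."""
    pattern = UNSAFE_PATTERN.format(name)
    return [v for v in vuln_names if re.match(pattern, v)]


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of '-', '_' and '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def lookup_by_name(name: str, vuln_names: Iterable[str]) -> List[str]:
    """Exact match on normalised names; no regex is built from untrusted input."""
    wanted = normalize_name(name)
    return [v for v in vuln_names if normalize_name(v) == wanted]


def lookup_by_name_regex(name: str, vuln_names: Iterable[str]) -> List[str]:
    """If a regex is unavoidable, re.escape makes every character of the name literal."""
    pattern = re.compile(r"^" + re.escape(normalize_name(name)) + r"$")
    return [v for v in vuln_names if pattern.match(normalize_name(v))]


# Constructed sample of DB names; the last one is shaped to break the unsafe path.
SAMPLE_VULN_NAMES = ["jinja2", "Jinja2", "typing_extensions", "foo)bar"]

if __name__ == "__main__":
    print(lookup_by_name("Typing-Extensions", SAMPLE_VULN_NAMES))
    print(lookup_by_name_regex("foo)bar", SAMPLE_VULN_NAMES))
    try:
        unsafe_lookup_by_name("foo)bar", SAMPLE_VULN_NAMES)
    except re.error as exc:
        print("unsafe lookup failed:", exc)
```

Normalising both sides also closes the gap between spellings such as typing_extensions and typing-extensions, which a case-sensitive literal pattern would miss.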
Feature Overview
The ochrona package should auto-publish to PyPI and cut a new release on push to master.
Is your feature request related to a problem?
Reduces manual effort for new releases
Additional context
N/A
Feature Overview
A GitHub Action should be added to auto-publish to Docker Hub.
Is your feature request related to a problem?
Reduced manual release steps
Additional context
N/A
Describe the bug
The exclude_dir configuration property is ignored when specified as a list in the .ochrona.yml. It works as expected if specified as a comma-separated string, e.g.:
exclude_dir: exclude_dir1,exclude_dir2
To Reproduce
.ochrona.yml configuration:
---
dir: root_dir
exclude_dir:
- exclude_dir1
- exclude_dir2
debug: true
ochrona
Expected behavior
exclude_dir1 and exclude_dir2 should be excluded from the recursive search.
Background:
.ochrona.yml (exclude_dir)
Additional context
I thought the problem was with the YAML parsing, but it looks like ochrona.config.OchronaConfig works as expected and correctly returns a list for exclude_dir. Also, the ignore configuration property works as a list without any problems. So it is probably something else, but I didn't do a more detailed investigation. Thank you!
Feature Overview
Change the cache file (db_cache, pypi_cache) location to a temporary location instead of the current working directory.
Is your feature request related to a problem?
If ochrona is called inside the project folder, cache files are created in the project and pollute it.
Describe the bug
Looks like ochrona fails to run when the paramiko dependency is defined in the Python project.
To Reproduce
Steps to reproduce the behavior:
Add the paramiko dependency to the Python project and run poetry run ochrona --report_type XML --output .
Expected behavior
Exception
Background (please complete the following information):
$ poetry run ochrona --report_type XML --debug --output .
,---. |
| |,---.|---.,---.,---.,---.,---.
| || | || | || |,---|
`---'`---'` '` `---'` '`---^
v. 1.2.1
https://ochrona.dev
[DEBUG] Found matching poetry.lock file at /Users/ivanim/rbs/src/function-iam-uer-feed/poetry.lock
[DEBUG] Discovered dependencies: ['bcrypt==3.2.0', 'boto3==1.20.46', 'botocore==1.23.46', 'certifi==2021.10.8', 'cffi==1.15.0', 'charset-normalizer==2.0.11', 'cryptography==3.4.8', 'idna==3.3', 'jmespath==0.10.0', 'paramiko==2.9.2', 'pycparser==2.21', 'pynacl==1.5.0', 'python-dateutil==2.8.2', 'requests==2.27.1', 's3transfer==0.5.0', 'six==1.16.0', 'urllib3==1.25.10']
[DEBUG] DB instance found: 2022.01.25
[DEBUG] Found 0 vulnerabilities potentially affecting package: bcrypt
[DEBUG] Found 0 vulnerabilities potentially affecting package: boto3
[DEBUG] Found 0 vulnerabilities potentially affecting package: botocore
[DEBUG] Found 0 vulnerabilities potentially affecting package: certifi
[DEBUG] Found 0 vulnerabilities potentially affecting package: cffi
[DEBUG] Found 0 vulnerabilities potentially affecting package: charset-normalizer
[DEBUG] Found 4 vulnerabilities potentially affecting package: cryptography
[DEBUG] Found 0 vulnerabilities potentially affecting package: idna
[DEBUG] Found 0 vulnerabilities potentially affecting package: jmespath
[DEBUG] Found 3 vulnerabilities potentially affecting package: paramiko
[DEBUG] Found 0 vulnerabilities potentially affecting package: pycparser
[DEBUG] Found 0 vulnerabilities potentially affecting package: pynacl
[DEBUG] Found 0 vulnerabilities potentially affecting package: python-dateutil
[DEBUG] Found 5 vulnerabilities potentially affecting package: requests
[DEBUG] Found 0 vulnerabilities potentially affecting package: s3transfer
[DEBUG] Found 0 vulnerabilities potentially affecting package: six
[DEBUG] Found 8 vulnerabilities potentially affecting package: urllib3
Traceback (most recent call last):
File "/Users/ivanim/Library/Caches/pypoetry/virtualenvs/function-iam-uer-feed-BDK6hZgi-py3.7/lib/python3.7/site-packages/ochrona/eval/vuln/vuln_evaluator.py", line 37, in evaluate
for v in vulnerability["affected_versions"]
File "/Users/ivanim/Library/Caches/pypoetry/virtualenvs/function-iam-uer-feed-BDK6hZgi-py3.7/lib/python3.7/site-packages/ochrona/eval/vuln/vuln_evaluator.py", line 38, in <listcomp>
if v["operator"] == "="
KeyError: 'version_value'
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "/Users/ivanim/Library/Caches/pypoetry/virtualenvs/function-iam-uer-feed-BDK6hZgi-py3.7/bin/ochrona", line 8, in <module>
sys.exit(run())
File "/Users/ivanim/Library/Caches/pypoetry/virtualenvs/function-iam-uer-feed-BDK6hZgi-py3.7/lib/python3.7/site-packages/click/core.py", line 1128, in __call__
return self.main(*args, **kwargs)
File "/Users/ivanim/Library/Caches/pypoetry/virtualenvs/function-iam-uer-feed-BDK6hZgi-py3.7/lib/python3.7/site-packages/click/core.py", line 1053, in main
rv = self.invoke(ctx)
File "/Users/ivanim/Library/Caches/pypoetry/virtualenvs/function-iam-uer-feed-BDK6hZgi-py3.7/lib/python3.7/site-packages/click/core.py", line 1395, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/Users/ivanim/Library/Caches/pypoetry/virtualenvs/function-iam-uer-feed-BDK6hZgi-py3.7/lib/python3.7/site-packages/click/core.py", line 754, in invoke
return __callback(*args, **kwargs)
File "/Users/ivanim/Library/Caches/pypoetry/virtualenvs/function-iam-uer-feed-BDK6hZgi-py3.7/lib/python3.7/site-packages/ochrona/cli/cli.py", line 144, in run
results.append(resolve(**payload))
File "/Users/ivanim/Library/Caches/pypoetry/virtualenvs/function-iam-uer-feed-BDK6hZgi-py3.7/lib/python3.7/site-packages/ochrona/eval/eval.py", line 26, in resolve
resp.confirmed_vulnerabilities = evaluate(vulns, resp.flat_list)
File "/Users/ivanim/Library/Caches/pypoetry/virtualenvs/function-iam-uer-feed-BDK6hZgi-py3.7/lib/python3.7/site-packages/ochrona/eval/vuln/vuln_evaluator.py", line 80, in evaluate
raise Exception("evauluate exception") from ex
Exception: evauluate exception
Describe the bug
An exception is thrown and dependencies are not checked.
To Reproduce
Run ochrona with the provided poetry.lock file.
Expected behavior
What did you expect to happen.
Background (please complete the following information):
,---. |
| |,---.|---.,---.,---.,---.,---.
| || | || | || |,---|
`---'`---'` '` `---'` '`---^
v. 2.0.0
https://ochrona.dev
(DEBUG) Found matching poetry.lock file at /home/username/repos/dwh/poetry.lock
(DEBUG) Discovered dependencies:
--- aiofiles==0.8.0
--- asyncpg==0.25.0
--- bcrypt==3.2.2
--- certifi==2022.6.15
--- cffi==1.15.1
--- charset-normalizer==2.1.0
--- click==8.1.3
--- colorama==0.4.5
--- cryptography==37.0.3
--- cx-oracle==8.3.0
--- fabric==2.7.0
--- greenlet==1.1.2
--- httptools==0.4.0
--- idna==3.3
--- invoke==1.7.1
--- multidict==6.0.2
--- orjson==3.7.6
--- paramiko==2.11.0
--- pathlib2==2.3.7.post1
--- psycopg2==2.9.3
--- pycparser==2.21
--- pynacl==1.5.0
--- python-json-logger==2.0.2
--- requests==2.28.1
--- sanic==22.6.0
--- sanic-routing==22.3.0
--- six==1.16.0
--- sqlalchemy==1.4.39
--- ujson==5.4.0
--- urllib3==1.26.9
--- uvloop==0.16.0
--- websockets==10.3
--- xlsxwriter==3.0.3
(DEBUG) DB instance found: 2022.06.30
(DEBUG) Found 0 vulnerabilities potentially affecting package: aiofiles
(DEBUG) Found 1 vulnerabilities potentially affecting package: asyncpg
(DEBUG) Found 0 vulnerabilities potentially affecting package: bcrypt
(DEBUG) Found 0 vulnerabilities potentially affecting package: certifi
(DEBUG) Found 0 vulnerabilities potentially affecting package: cffi
(DEBUG) Found 0 vulnerabilities potentially affecting package: charset-normalizer
(DEBUG) Found 0 vulnerabilities potentially affecting package: click
(DEBUG) Found 0 vulnerabilities potentially affecting package: colorama
(DEBUG) Found 4 vulnerabilities potentially affecting package: cryptography
(DEBUG) Found 0 vulnerabilities potentially affecting package: cx-oracle
(DEBUG) Found 0 vulnerabilities potentially affecting package: fabric
(DEBUG) Found 0 vulnerabilities potentially affecting package: greenlet
(DEBUG) Found 0 vulnerabilities potentially affecting package: httptools
(DEBUG) Found 0 vulnerabilities potentially affecting package: idna
(DEBUG) Found 0 vulnerabilities potentially affecting package: invoke
(DEBUG) Found 0 vulnerabilities potentially affecting package: multidict
(DEBUG) Found 0 vulnerabilities potentially affecting package: orjson
(DEBUG) Found 3 vulnerabilities potentially affecting package: paramiko
(DEBUG) Found 0 vulnerabilities potentially affecting package: pathlib2
(DEBUG) Found 0 vulnerabilities potentially affecting package: psycopg2
(DEBUG) Found 0 vulnerabilities potentially affecting package: pycparser
(DEBUG) Found 0 vulnerabilities potentially affecting package: pynacl
(DEBUG) Found 0 vulnerabilities potentially affecting package: python-json-logger
(DEBUG) Found 5 vulnerabilities potentially affecting package: requests
(DEBUG) Found 1 vulnerabilities potentially affecting package: sanic
(DEBUG) Found 0 vulnerabilities potentially affecting package: sanic-routing
(DEBUG) Found 0 vulnerabilities potentially affecting package: six
(DEBUG) Found 3 vulnerabilities potentially affecting package: sqlalchemy
(DEBUG) Found 1 vulnerabilities potentially affecting package: ujson
(DEBUG) Found 8 vulnerabilities potentially affecting package: urllib3
(DEBUG) Found 0 vulnerabilities potentially affecting package: uvloop
(DEBUG) Found 2 vulnerabilities potentially affecting package: websockets
(DEBUG) Found 0 vulnerabilities potentially affecting package: xlsxwriter
Processing 1 Files... ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 0% -:--:--
Traceback (most recent call last):
File "/home/username/.cache/pypoetry/virtualenvs/dwh-CmEpGaUJ-py3.10/lib/python3.10/site-packages/packaging/specifiers.py", line 634, in __init__
parsed.add(Specifier(specifier))
File "/home/username/.cache/pypoetry/virtualenvs/dwh-CmEpGaUJ-py3.10/lib/python3.10/site-packages/packaging/specifiers.py", line 98, in __init__
raise InvalidSpecifier(f"Invalid specifier: '{spec}'")
packaging.specifiers.InvalidSpecifier: Invalid specifier: '05.0.0'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/username/.cache/pypoetry/virtualenvs/dwh-CmEpGaUJ-py3.10/lib/python3.10/site-packages/ochrona/eval/vuln/evaluate.py", line 66, in evaluate
vuln_specifiers &= (
File "/home/username/.cache/pypoetry/virtualenvs/dwh-CmEpGaUJ-py3.10/lib/python3.10/site-packages/packaging/specifiers.py", line 662, in __and__
other = SpecifierSet(other)
File "/home/username/.cache/pypoetry/virtualenvs/dwh-CmEpGaUJ-py3.10/lib/python3.10/site-packages/packaging/specifiers.py", line 636, in __init__
parsed.add(LegacySpecifier(specifier))
File "/home/username/.cache/pypoetry/virtualenvs/dwh-CmEpGaUJ-py3.10/lib/python3.10/site-packages/packaging/specifiers.py", line 253, in __init__
super().__init__(spec, prereleases)
File "/home/username/.cache/pypoetry/virtualenvs/dwh-CmEpGaUJ-py3.10/lib/python3.10/site-packages/packaging/specifiers.py", line 98, in __init__
raise InvalidSpecifier(f"Invalid specifier: '{spec}'")
packaging.specifiers.InvalidSpecifier: Invalid specifier: '05.0.0'
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "/home/username/.cache/pypoetry/virtualenvs/dwh-CmEpGaUJ-py3.10/bin/ochrona", line 8, in <module>
sys.exit(run())
File "/home/username/.cache/pypoetry/virtualenvs/dwh-CmEpGaUJ-py3.10/lib/python3.10/site-packages/click/core.py", line 1130, in __call__
return self.main(*args, **kwargs)
File "/home/username/.cache/pypoetry/virtualenvs/dwh-CmEpGaUJ-py3.10/lib/python3.10/site-packages/click/core.py", line 1055, in main
rv = self.invoke(ctx)
File "/home/username/.cache/pypoetry/virtualenvs/dwh-CmEpGaUJ-py3.10/lib/python3.10/site-packages/click/core.py", line 1404, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/home/username/.cache/pypoetry/virtualenvs/dwh-CmEpGaUJ-py3.10/lib/python3.10/site-packages/click/core.py", line 760, in invoke
return __callback(*args, **kwargs)
File "/home/username/.cache/pypoetry/virtualenvs/dwh-CmEpGaUJ-py3.10/lib/python3.10/site-packages/ochrona/cli/cli.py", line 162, in run
results.append(resolve(**payload))
File "/home/username/.cache/pypoetry/virtualenvs/dwh-CmEpGaUJ-py3.10/lib/python3.10/site-packages/ochrona/eval/eval.py", line 30, in resolve
resp.confirmed_vulnerabilities = evaluate(vulns, resp.flat_list)
File "/home/username/.cache/pypoetry/virtualenvs/dwh-CmEpGaUJ-py3.10/lib/python3.10/site-packages/ochrona/eval/vuln/evaluate.py", line 104, in evaluate
raise Exception("evaluate exception") from ex
Exception: evaluate exception
Additional context
poetry.lock
Describe the bug
I need to execute the ochrona validation using a .ochrona.yml with only the ignore key, but if I don't define a policies configuration with some parameter, or even an empty policies entry, I receive this error.
File ".venv/bin/ochrona", line 8, in <module>
sys.exit(run())
File ".venv/lib/python3.8/site-packages/click/core.py", line 1130, in __call__
return self.main(*args, **kwargs)
File ".venv/lib/python3.8/site-packages/click/core.py", line 1055, in main
rv = self.invoke(ctx)
File ".venv/lib/python3.8/site-packages/click/core.py", line 1404, in invoke
return ctx.invoke(self.callback, **ctx.params)
File ".venv/lib/python3.8/site-packages/click/core.py", line 760, in invoke
return __callback(*args, **kwargs)
File ".venv/lib/python3.8/site-packages/ochrona/cli/cli.py", line 107, in run
config = OchronaConfig(
File ".venv/lib/python3.8/site-packages/ochrona/config/config.py", line 46, in __init__
valid = self._validate()
File ".venv/lib/python3.8/site-packages/ochrona/config/config.py", line 175, in _validate
if len(self._policies) > 0:
TypeError: object of type 'NoneType' has no len()
But if I use the .ochrona.yml with the following content, the ochrona validation works normally:
ignore:
- requests
policies: []
But adding empty keys for a configuration that I won't use doesn't seem necessary.
Apparently the error can occur due to this line, because if the policies key does not exist in .ochrona.yml a None value will be returned to self._policies.
To Reproduce
Steps to reproduce the behavior:
.ochrona.yml file:
ignore:
- requests
ochrona
Expected behavior
Run the vulnerability validation using only the ignore key inside .ochrona.yml.
Background (please complete the following information):
None, or -r requirements.txt --report_type FULL
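The exclude_dir report earlier on this page (a YAML list silently ignored while the comma-separated string works) and the policies report just above (an absent key becomes None and len() fails) are the same class of bug: an optional setting reaches validation or filtering in a shape the code did not expect. The code below is an added example, not ochrona-cli's config.py; it coerces each loosely typed value once at load time. The Config class, its is_excluded semantics (a path is skipped if any directory component is listed) and the sample inputs are assumptions constructed from the YAML shown in the two reports.

```python
"""Added example (not ochrona-cli code): normalise loosely typed .ochrona.yml
values once at load time, so validation and filtering never see a surprise type."""
from pathlib import PurePath
from typing import Any, Dict, Iterable, List, Optional


def as_list(value: Any) -> List[str]:
    """Accept None, a comma-separated string, or a YAML sequence of strings.

    Always returns a list of stripped, non-empty strings, so callers never
    have to branch on which syntax the YAML author chose.
    """
    if value is None:
        return []
    if isinstance(value, str):
        items = value.split(",")
    elif isinstance(value, (list, tuple)):
        items = list(value)
    else:
        raise TypeError(f"expected a string or list, got {type(value).__name__}")
    out: List[str] = []
    for item in items:
        if not isinstance(item, str):
            raise TypeError(f"expected string entries, got {item!r}")
        item = item.strip()
        if item:
            out.append(item)
    return out


class Config:
    """Minimal stand-in for a config object; field names follow the YAML keys on this page."""

    def __init__(self, raw: Optional[Dict[str, Any]]):
        raw = raw or {}  # a missing or empty .ochrona.yml parses to None
        self.dir: str = raw.get("dir", ".")
        self.debug: bool = bool(raw.get("debug", False))
        self.exclude_dir = as_list(raw.get("exclude_dir"))
        self.ignore = as_list(raw.get("ignore"))
        # an absent key must become [] here, so len() in validate() is always safe
        policies = raw.get("policies")
        self.policies: List[Any] = list(policies) if policies else []

    def validate(self) -> List[str]:
        """Return a list of problems; an empty list means the config is usable."""
        problems: List[str] = []
        if len(self.policies) > 0:
            for policy in self.policies:
                if not isinstance(policy, (str, dict)):
                    problems.append(f"unsupported policy entry: {policy!r}")
        if not self.dir:
            problems.append("dir must not be empty")
        return problems

    def is_excluded(self, path: str) -> bool:
        """Assumed semantics: skip a path if any directory component is in exclude_dir."""
        return any(part in self.exclude_dir for part in PurePath(path).parts[:-1])

    def filter_manifests(self, paths: Iterable[str]) -> List[str]:
        """Apply the exclusion to a list of discovered manifest paths."""
        return [p for p in paths if not self.is_excluded(p)]


# Constructed sample inputs mirroring the YAML shown in the two reports.
LIST_STYLE = {"dir": "root_dir", "exclude_dir": ["exclude_dir1", "exclude_dir2"], "debug": True}
STRING_STYLE = {"dir": "root_dir", "exclude_dir": "exclude_dir1,exclude_dir2", "debug": True}
IGNORE_ONLY = {"ignore": ["requests"]}
DISCOVERED = [
    "root_dir/requirements.txt",
    "root_dir/exclude_dir1/requirements.txt",
    "root_dir/exclude_dir2/setup.py",
    ".venv/lib/python3.8/site-packages/pbr/tests/testpackage/test-requirements.txt",
]

if __name__ == "__main__":
    print(Config(LIST_STYLE).filter_manifests(DISCOVERED))
    print(Config(STRING_STYLE).filter_manifests(DISCOVERED))
    print(Config(IGNORE_ONLY).policies, Config(IGNORE_ONLY).validate())
```

With both spellings coerced by as_list, the list-style and string-style configs produce identical exclusions, and a config with only an ignore key validates cleanly because policies is [] rather than None.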
Describe the bug
When evaluating tornado, the line that builds the vuln_specifiers fails because the version value is "-". This raises an InvalidSpecifier error from the packaging module.
To Reproduce
Running ochrona tornado on version 2.0.2
Expected behavior
An error not to be raised and ochrona to detect potential vulnerabilities.
Background (please complete the following information):
ochrona tornado --debug
,---. |
| |,---.|---.,---.,---.,---.,---.
| || | || | || |,---|
`---'`---'` '` `---'` '`---^
v. 2.0.2
https://ochrona.dev
Processing 0 Files... ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 0% -:--:--
(DEBUG) Discovered dependencies:
--- tornado
(DEBUG) DB instance found: 2022.07.14
(DEBUG) Found 4 vulnerabilities potentially affecting package: tornado
Traceback (most recent call last):
File "/home/arichardson/experiments/ochrona-cli/ochrona/eval/vuln/evaluate.py", line 64, in evaluate
vuln_specifiers &= f"=={versions['version_value']}"
File "/home/arichardson/experiments/ochrona-cli/.venv/lib/python3.10/site-packages/packaging/specifiers.py", line 778, in __and__
other = SpecifierSet(other)
File "/home/arichardson/experiments/ochrona-cli/.venv/lib/python3.10/site-packages/packaging/specifiers.py", line 700, in __init__
parsed.add(Specifier(specifier))
File "/home/arichardson/experiments/ochrona-cli/.venv/lib/python3.10/site-packages/packaging/specifiers.py", line 234, in __init__
raise InvalidSpecifier(f"Invalid specifier: '{spec}'")
packaging.specifiers.InvalidSpecifier: Invalid specifier: '==-'
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "/home/arichardson/experiments/ochrona-cli/.venv/bin/ochrona", line 33, in <module>
sys.exit(load_entry_point('ochrona', 'console_scripts', 'ochrona')())
File "/home/arichardson/experiments/ochrona-cli/.venv/lib/python3.10/site-packages/click/core.py", line 1130, in __call__
return self.main(*args, **kwargs)
File "/home/arichardson/experiments/ochrona-cli/.venv/lib/python3.10/site-packages/click/core.py", line 1055, in main
rv = self.invoke(ctx)
File "/home/arichardson/experiments/ochrona-cli/.venv/lib/python3.10/site-packages/click/core.py", line 1404, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/home/arichardson/experiments/ochrona-cli/.venv/lib/python3.10/site-packages/click/core.py", line 760, in invoke
return __callback(*args, **kwargs)
File "/home/arichardson/experiments/ochrona-cli/ochrona/cli/cli.py", line 177, in run
results.append(resolve(**payload))
File "/home/arichardson/experiments/ochrona-cli/ochrona/eval/eval.py", line 30, in resolve
resp.confirmed_vulnerabilities = evaluate(vulns, resp.flat_list)
File "/home/arichardson/experiments/ochrona-cli/ochrona/eval/vuln/evaluate.py", line 104, in evaluate
raise Exception("evaluate exception") from ex
Exception: evaluate exception
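Three reports on this page end in the same place: evaluate() builds a SpecifierSet from the affected_versions records and a single malformed record takes the whole scan down (KeyError 'version_value' in the paramiko report, InvalidSpecifier '05.0.0' in the poetry.lock report, InvalidSpecifier '==-' in the tornado report). The code below is an added example, not ochrona-cli's evaluate.py: it validates each record on its own, skips unusable ones with a warning, and keeps scanning the remaining packages. It assumes the record shape visible in the tracebacks (dicts with operator and version_value), that packaging (or the copy vendored inside pip) is importable, and it treats exact-match records as alternatives and range records as a combined constraint, which is my reading rather than the project's; the package names and records are constructed.

```python
"""Added example (not ochrona-cli code): evaluate vulnerability records so that
one malformed database row degrades one finding instead of aborting the scan."""
import logging
from typing import Any, Dict, Iterable, List, Optional, Tuple

try:
    from packaging.specifiers import SpecifierSet
    from packaging.version import InvalidVersion, Version
except ImportError:  # fall back to the copy vendored inside pip
    from pip._vendor.packaging.specifiers import SpecifierSet  # type: ignore
    from pip._vendor.packaging.version import InvalidVersion, Version  # type: ignore

log = logging.getLogger("ochrona-eval-example")

# Operator spellings seen in the records on this page ("=") mapped to PEP 440 operators.
OPERATOR_MAP = {"=": "==", "==": "==", "!=": "!=", "<": "<", "<=": "<=", ">": ">", ">=": ">="}


def to_clause(record: Dict[str, Any]) -> Optional[str]:
    """Turn one affected_versions record into a PEP 440 clause, or None if unusable.

    .get() makes a missing key a skipped record rather than a KeyError, and the
    version is parsed before any specifier is built, so '-' is rejected while
    '05.0.0' (legal PEP 440, normalised to 5.0.0) is kept.
    """
    op = record.get("operator")
    ver = record.get("version_value")
    if op not in OPERATOR_MAP or not isinstance(ver, str) or not ver.strip():
        log.warning("skipping record without usable operator/version: %r", record)
        return None
    try:
        Version(ver)
    except InvalidVersion:
        log.warning("skipping record with non-PEP 440 version %r", ver)
        return None
    return f"{OPERATOR_MAP[op]}{ver.strip()}"


def split_clauses(affected: Iterable[Dict[str, Any]]) -> Tuple[List[Version], SpecifierSet, int]:
    """Exact-match records are alternatives (OR); range records combine (AND).

    Assumed semantics: ANDing every clause, as the traceback's code does, can
    never match when a record lists more than one exact version.
    """
    exact: List[Version] = []
    ranges = SpecifierSet()
    skipped = 0
    for rec in affected:
        clause = to_clause(rec)
        if clause is None:
            skipped += 1
        elif clause.startswith("=="):
            exact.append(Version(clause[2:]))
        else:
            ranges &= clause
    return exact, ranges, skipped


def is_affected(installed: str, affected: Iterable[Dict[str, Any]]) -> bool:
    """True if the installed version hits an exact record or lies inside the combined ranges."""
    v = Version(installed)  # lock-file versions are expected to be valid; caller handles failure
    exact, ranges, _ = split_clauses(affected)
    if v in exact:
        return True
    return len(ranges) > 0 and ranges.contains(v, prereleases=True)


def evaluate(installed: Dict[str, str], db: Dict[str, List[Dict[str, Any]]]) -> Tuple[List[str], List[str]]:
    """Scan every package; a failure on one package is recorded, not propagated."""
    confirmed: List[str] = []
    errors: List[str] = []
    for name, version in installed.items():
        try:
            if is_affected(version, db.get(name, [])):
                confirmed.append(name)
        except Exception as ex:  # e.g. an installed version that is not PEP 440
            errors.append(f"{name}: {ex}")
    return confirmed, errors


# Constructed records reproducing the three failure shapes from the reports on this page.
SAMPLE_DB = {
    "pkg-a": [{"operator": "=", "version_value": "-"},            # tornado-style placeholder
              {"operator": "<", "version_value": "6.1"}],
    "pkg-b": [{"operator": "="},                                  # no version_value at all
              {"operator": ">=", "version_value": "2.4"},
              {"operator": "<", "version_value": "2.10"}],
    "pkg-c": [{"operator": "=", "version_value": "05.0.0"}],      # leading zero
}
SAMPLE_INSTALLED = {"pkg-a": "6.2", "pkg-b": "2.9.2", "pkg-c": "5.0.0", "pkg-d": "2.28.1"}

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(evaluate(SAMPLE_INSTALLED, SAMPLE_DB))
```

Each skipped record is logged with its full contents, which is what a maintainer needs to fix the database row; the scan itself still reports every package whose remaining records are well formed.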
Describe the bug
A lot of tests fail on Windows, most of them due to the absence of path normalization (slash/backslash problem) and line-break normalization.
Describe the bug
On Windows, the HTML report creation fails due to an encoding problem.
Traceback (most recent call last):
File "C:\Users\mathieu.bouzard\AppData\Local\Programs\Python\Python310\lib\runpy.py", line 196, in _run_module_as_main
return _run_code(code, main_globals, None,
File "C:\Users\mathieu.bouzard\AppData\Local\Programs\Python\Python310\lib\runpy.py", line 86, in _run_code
exec(code, run_globals)
File "C:\Users\mathieu.bouzard\Documents\pipx\bin\ochrona.exe\__main__.py", line 7, in <module>
sys.exit(run())
File "C:\Users\mathieu.bouzard\Documents\pipx\venvs\ochrona\lib\site-packages\click\core.py", line 1130, in __call__
return self.main(*args, **kwargs)
File "C:\Users\mathieu.bouzard\Documents\pipx\venvs\ochrona\lib\site-packages\click\core.py", line 1055, in main
rv = self.invoke(ctx)
File "C:\Users\mathieu.bouzard\Documents\pipx\venvs\ochrona\lib\site-packages\click\core.py", line 1404, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "C:\Users\mathieu.bouzard\Documents\pipx\venvs\ochrona\lib\site-packages\click\core.py", line 760, in invoke
return __callback(*args, **kwargs)
File "C:\Users\mathieu.bouzard\Documents\pipx\venvs\ochrona\lib\site-packages\ochrona\cli\cli.py", line 190, in run
reporter.report_collector(files, results)
File "C:\Users\mathieu.bouzard\Documents\pipx\venvs\ochrona\lib\site-packages\ochrona\reporter\reporter.py", line 54, in report_collector
reports.append(self.generate_report(source, result, index, len(sources)))
File "C:\Users\mathieu.bouzard\Documents\pipx\venvs\ochrona\lib\site-packages\ochrona\reporter\reporter.py", line 80, in generate_report
report_dict[self._report_type](
File "C:\Users\mathieu.bouzard\Documents\pipx\venvs\ochrona\lib\site-packages\ochrona\reporter\reports\html.py", line 41, in generate
HTMLReport.save_report_to_file(
File "C:\Users\mathieu.bouzard\Documents\pipx\venvs\ochrona\lib\site-packages\ochrona\reporter\reports\html.py", line 51, in save_report_to_file
f.write(HTMLReport.generate_report_body(result, source, index, total))
File "C:\Users\mathieu.bouzard\AppData\Local\Programs\Python\Python310\lib\encodings\cp1252.py", line 19, in encode
return codecs.charmap_encode(input,self.errors,encoding_table)[0]
UnicodeEncodeError: 'charmap' codec can't encode character '\U0001f517' in position 5496: character maps to <undefined>
To Reproduce
On Windows:
ochrona --report_type html --output .