

Merge pull request #324 from nicholasks/feature/premium-insecure-db
Provide CVSS information when available.
rafaelpivato committed Jan 11, 2021
2 parents b289752 + 23b234f commit c60643b
Showing 5 changed files with 67 additions and 4 deletions.
7 changes: 6 additions & 1 deletion HISTORY.rst
Expand Up @@ -2,7 +2,12 @@
History
=======

1.10.1 (2020-12-03)
1.10.2 (master)
-------------------

* Provide CVSS scores on full report, when available

1.10.1 (2021-01-03)
-------------------

* Reduced Docker image and Binary size
4 changes: 3 additions & 1 deletion README.md
Expand Up @@ -250,7 +250,7 @@ ___

### `--full-report`

*Full reports include a security advisory (if available).*
*Full reports include a security advisory and CVSS scores (if available).*

**Example**
```bash
Expand All @@ -277,6 +277,8 @@ safety check --full-report
+============================+===========+==========================+==========+
| package | installed | affected | ID |
+============================+===========+==========================+==========+
| CVSS v2 | BASE SCORE: 6.5 | IMPACT SCORE: 6.4 |
+============================+===========+==========================+==========+
| django | 1.2 | <1.2.2 | 25701 |
+==============================================================================+
| Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows |
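--- a/safety/formatter.py
+++ b/safety/formatter.py
@@ -109,6 +109,32 @@ def render(vulns, full, checked_packages, used_db):
 if full:
 table.append(SheetReport.REPORT_SECTION)
 
+if vuln.cvssv2 is not None:
+base_score = vuln.cvssv2.get("base_score", "None")
+impact_score = vuln.cvssv2.get("impact_score", "None")
+
+table.append("| {:76} |".format(
+"CVSS v2 | BASE SCORE: {} | IMPACT SCORE: {}".format(
+base_score,
+impact_score,
+)
+))
+table.append(SheetReport.REPORT_SECTION)
+
+if vuln.cvssv3 is not None:
+base_score = vuln.cvssv3.get("base_score", "None")
+impact_score = vuln.cvssv3.get("impact_score", "None")
+base_severity = vuln.cvssv3.get("base_severity", "None")
+
+table.append("| {:76} |".format(
+"CVSS v3 | BASE SCORE: {} | IMPACT SCORE: {} | BASE SEVERITY: {}".format(
+base_score,
+impact_score,
+base_severity,
+)
+))
+table.append(SheetReport.REPORT_SECTION)
+
 descr = get_advisory(vuln)
 
 for pn, paragraph in enumerate(descr.replace('\r', '').split('\n\n')):
@@ -203,6 +229,26 @@ def render(vulns, full, checked_packages, used_db):
 vuln.vuln_id
 ))
 if full:
+if vuln.cvssv2 is not None:
+base_score = vuln.cvssv2.get("base_score", "None")
+impact_score = vuln.cvssv2.get("impact_score", "None")
+
+table.append("CVSS v2 -- BASE SCORE: {}, IMPACT SCORE: {}".format(
+base_score,
+impact_score,
+))
+
+if vuln.cvssv3 is not None:
+base_score = vuln.cvssv3.get("base_score", "None")
+impact_score = vuln.cvssv3.get("impact_score", "None")
+base_severity = vuln.cvssv3.get("base_severity", "None")
+
+table.append("CVSS v3 -- BASE SCORE: {}, IMPACT SCORE: {}, BASE SEVERITY: {}".format(
+base_score,
+impact_score,
+base_severity,
+))
+
 table.append(get_advisory(vuln))
 table.append("--")
 else: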
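Review bot: The two new CVSS blocks (the table rows in the first hunk and the plain-text lines in the second) call `.get()` on `vuln.cvssv2` / `vuln.cvssv3` without checking that they are mappings; those values are copied verbatim from the database's `$meta.cve` entry in safety.py, so a malformed entry in a mirror would raise AttributeError while rendering the report instead of the scores simply being shown as unavailable. The score-extraction code is also duplicated between the two hunks, differing only in the output strings. I would move the extraction into one module-level helper that validates the shape and returns the three fields, and have both branches format its result; the first hunk's version would look as below, and the second hunk's would call the same helper with its `CVSS v2 -- ...` / `CVSS v3 -- ...` strings unchanged. `render` starts and ends outside both hunks.
```python
def _cvss_fields(cvss):
    """Return (base_score, impact_score, base_severity) for a CVSS mapping, or None if *cvss* is not a dict."""
    if not isinstance(cvss, dict):
        return None
    return (
        cvss.get("base_score", "None"),
        cvss.get("impact_score", "None"),
        cvss.get("base_severity", "None"),
    )

# … unchanged: render() up to the full-report section …
            v2 = _cvss_fields(vuln.cvssv2)
            if v2 is not None:
                table.append("| {:76} |".format(
                    "CVSS v2 | BASE SCORE: {} | IMPACT SCORE: {}".format(v2[0], v2[1])
                ))
                table.append(SheetReport.REPORT_SECTION)
            v3 = _cvss_fields(vuln.cvssv3)
            if v3 is not None:
                table.append("| {:76} |".format(
                    "CVSS v3 | BASE SCORE: {} | IMPACT SCORE: {} | BASE SEVERITY: {}".format(*v3)
                ))
                table.append(SheetReport.REPORT_SECTION)
# … unchanged: advisory paragraphs …
```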
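--- a/safety/safety.py
+++ b/safety/safety.py
@@ -16,7 +16,7 @@
 
 
 class Vulnerability(namedtuple("Vulnerability",
-["name", "spec", "version", "advisory", "vuln_id"])):
+["name", "spec", "version", "advisory", "vuln_id", "cvssv2", "cvssv3"])):
 pass
 
 
@@ -157,14 +157,20 @@ def check(packages, key, db_mirror, cached, ignore_ids, proxy):
 db_full = fetch_database(full=True, key=key, db=db_mirror, cached=cached, proxy=proxy)
 for data in get_vulnerabilities(pkg=name, spec=specifier, db=db_full):
 vuln_id = data.get("id").replace("pyup.io-", "")
+cve_id = data.get("cve")
+if cve_id:
+cve_id = cve_id.split(",")[0].strip()
 if vuln_id and vuln_id not in ignore_ids:
+cve_meta = db_full.get("$meta", {}).get("cve", {}).get(cve_id, {})
 vulnerable.append(
 Vulnerability(
 name=name,
 spec=specifier,
 version=pkg.version,
 advisory=data.get("advisory"),
-vuln_id=vuln_id
+vuln_id=vuln_id,
+cvssv2=cve_meta.get("cvssv2", None),
+cvssv3=cve_meta.get("cvssv3", None),
 )
 )
 return vulnerable
@@ -179,6 +185,8 @@ def review(vulnerabilities):
 "version": vuln[2],
 "advisory": vuln[3],
 "vuln_id": vuln[4],
+"cvssv2": None,
+"cvssv3": None
 }
 vulnerable.append(
 Vulnerability(**current_vuln)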
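Review bot: In the `check` hunk, `cve_id.split(",")[0]` keeps only the first CVE of a comma-separated list, so an advisory mapped to several CVEs reports the scores of one of them and silently drops the rest, which can understate the severity shown to the user; either iterate over all listed ids (surfacing each, or the highest base score) or document the choice with `# only the first listed CVE's CVSS data is reported`. The chained `$meta` lookups also assume the mirror's metadata is well-formed; since `db_mirror` is caller-supplied, a non-dict value at any level would raise here rather than degrade to "no CVSS", so an `isinstance(cve_meta, dict)` guard before the two `cve_meta.get` calls seems worthwhile. In the `review` hunk the two fields are hardcoded to `None`, so a reviewed report never shows scores even when the original run had them — worth a comment such as `# CVSS data is not carried in the reviewed report format`. Both `check` and `review` start and end outside their hunks.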
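--- a/tests/test_safety.py
+++ b/tests/test_safety.py
@@ -121,6 +121,8 @@ def test_full_report(self):
 + ' blah' * 15 + '.\r\n\r\n'
 + 'All users are urged to upgrade please.\r\n',
 vuln_id=1234,
+cvssv2=None,
+cvssv3=None,
 ),
 ]
 full_report = formatter.SheetReport.render(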
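Review bot: The fixture only sets `cvssv2=None` and `cvssv3=None`, so the new rendering branches in `safety/formatter.py` (both the table rows and the plain-text `CVSS v2 -- ...` lines) are not exercised by any test in this commit. Adding a second `Vulnerability` with populated dicts, e.g. `cvssv2={"base_score": 6.5, "impact_score": 6.4}` matching the README example, and asserting on the rendered `CVSS v2 | BASE SCORE: 6.5 | IMPACT SCORE: 6.4` line would cover them. `test_full_report` starts and ends outside the hunk.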
