
What vulnerability scanning tools are there (recommended common web vulnerability scanners)

Date: 2022-04-13 00:50:03  Views: 1943  Author: user submission

About pip-audit

pip-audit is a security vulnerability scanner aimed at Python environments: it lets researchers scan Python packages for known security vulnerabilities. pip-audit uses the Python Packaging Advisory Database, queried through the PyPI JSON API, as its source of vulnerability reports.

Features

1. Audits the local environment as well as dependency lists (requirements-style files);

2. Supports multiple vulnerability services (PyPI, OSV);

3. Emits an SBOM in CycloneDX XML or JSON format;

4. Offers both human- and machine-readable output formats (columnar, JSON);

5. Seamlessly reuses the local pip cache;

Installation

pip-audit is written in Python and requires Python 3.7 or newer in the local environment. Once Python is installed and configured, install pip-audit through pip with the following command:

python -m pip install pip-audit

Third-party packages

pip-audit needs several third-party packages at run time; the exact component names and versions are shown in the figure below:

Alternatively, pip-audit can be installed through conda:

conda install -c conda-forge pip-audit

Usage

pip-audit can be run directly as a standalone command, or through "python -m":

$ pip-audit --help
$ python -m pip_audit --help
usage: pip-audit [-h] [-V] [-l] [-r REQUIREMENTS] [-f FORMAT] [-s SERVICE] [-d] [-S] [--desc [{on,off,auto}]] [--cache-dir CACHE_DIR] [--progress-spinner {on,off}] [--timeout TIMEOUT] [--path PATHS] [-v] [--fix] [--require-hashes]

audit the Python environment for dependencies with known vulnerabilities

optional arguments:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit
  -l, --local           show only results for dependencies in the local environment (default: False)
  -r REQUIREMENTS, --requirement REQUIREMENTS
                        audit the given requirements file; this option can be used multiple times (default: None)
  -f FORMAT, --format FORMAT
                        the format to emit audit results in (choices: columns, json, cyclonedx-json, cyclonedx-xml) (default: columns)
  -s SERVICE, --vulnerability-service SERVICE
                        the vulnerability service to audit dependencies against (choices: osv, pypi) (default: pypi)
  -d, --dry-run         without `--fix`: collect all dependencies but do not perform the auditing step; with `--fix`: perform the auditing step but do not perform any fixes (default: False)
  -S, --strict          fail the entire audit if dependency collection fails on any dependency (default: False)
  --desc [{on,off,auto}]
                        include a description for each vulnerability; `auto` defaults to `on` for the `json` format. This flag has no effect on the `cyclonedx-json` or `cyclonedx-xml` formats. (default: auto)
  --cache-dir CACHE_DIR
                        the directory to use as an HTTP cache for PyPI; uses the `pip` HTTP cache by default (default: None)
  --progress-spinner {on,off}
                        display a progress spinner (default: on)
  --timeout TIMEOUT     set the socket timeout (default: 15)
  --path PATHS          restrict to the specified installation path for auditing packages; this option can be used multiple times (default: [])
  -v, --verbose         give more output; this setting overrides the `PIP_AUDIT_LOGLEVEL` variable and is equivalent to setting it to `debug` (default: False)
  --fix                 automatically upgrade dependencies with known vulnerabilities (default: False)
  --require-hashes      require a hash to check each requirement against, for repeatable audits; this option is implied when any package in a requirements file has a `--hash` option. (default: False)

Exit codes

When the audit finishes, pip-audit exits with a status code that reports the result, which is what a CI job should branch on:

0: no known vulnerabilities were found;

1: one or more known vulnerabilities were found;

Usage examples

Audit the dependencies of the current Python environment:

$ pip-audit
No known vulnerabilities found

Audit the dependencies listed in a given requirements file:

$ pip-audit -r ./requirements.txt
No known vulnerabilities found

Audit a requirements file, excluding system packages (only dependencies in the local environment are reported):

$ pip-audit -r ./requirements.txt -l
No known vulnerabilities found

Audit dependencies in which vulnerabilities are found:

$ pip-audit
Found 2 known vulnerabilities in 1 package
Name  Version ID             Fix Versions
----  ------- -------------- ------------
Flask 0.5     PYSEC-2019-179 1.0
Flask 0.5     PYSEC-2018-66  0.12.3

Audit dependencies, including a description of each vulnerability:

$ pip-audit --desc
Found 2 known vulnerabilities in 1 package
Name  Version ID             Fix Versions Description
----  ------- -------------- ------------ -----------
Flask 0.5     PYSEC-2019-179 1.0          The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656.
Flask 0.5     PYSEC-2018-66  0.12.3       The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.

Audit dependencies and emit the results as JSON:

$ pip-audit -f json | jq
Found 2 known vulnerabilities in 1 package
[
  {
    "name": "flask",
    "version": "0.5",
    "vulns": [
      {
        "id": "PYSEC-2019-179",
        "fix_versions": [
          "1.0"
        ],
        "description": "The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656."
      },
      {
        "id": "PYSEC-2018-66",
        "fix_versions": [
          "0.12.3"
        ],
        "description": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083."
      }
    ]
  },
  {
    "name": "jinja2",
    "version": "3.0.2",
    "vulns": []
  },
  {
    "name": "pip",
    "version": "21.3.1",
    "vulns": []
  },
  {
    "name": "setuptools",
    "version": "57.4.0",
    "vulns": []
  },
  {
    "name": "werkzeug",
    "version": "2.0.2",
    "vulns": []
  },
  {
    "name": "markupsafe",
    "version": "2.0.1",
    "vulns": []
  }
]

Note that the "Found 2 known vulnerabilities" summary line is not part of the JSON document, which is why piping the output straight into jq still works.
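The exit-code contract and the JSON format above are what a CI gate is built on. The script below is an added example, not pip-audit's own code: it reads a report of the shape shown above, applies a hypothetical time-boxed exception list (IGNORE_UNTIL, an assumption of this example; expired exceptions are deliberately re-enabled), reproduces the 0/1 exit semantics for whatever remains, and works out a per-package upgrade target as the highest listed fix version, which is the version the --fix example further down ends up installing for flask. The embedded report is a constructed sample modelled on the JSON output above, so the script runs offline.

```python
"""CI gate over pip-audit's JSON report (added example, not pip-audit's own code).

Assumes the report shape shown above: a list of
{"name", "version", "vulns": [{"id", "fix_versions", "description"}]}.
SAMPLE_REPORT is a constructed report modelled on that output so the
script runs offline; in a pipeline, pass the file written by
`pip-audit -f json > report.json` as the first argument instead.
"""
import json
import sys
from dataclasses import dataclass
from datetime import date

# Constructed sample, same shape as the `pip-audit -f json` output above.
SAMPLE_REPORT = json.dumps([
    {"name": "flask", "version": "0.5", "vulns": [
        {"id": "PYSEC-2019-179", "fix_versions": ["1.0"],
         "description": "Flask before 1.0: denial of service via crafted encoded JSON."},
        {"id": "PYSEC-2018-66", "fix_versions": ["0.12.3"],
         "description": "Flask before 0.12.3: CWE-20, excessive memory use."},
    ]},
    {"name": "jinja2", "version": "3.0.2", "vulns": []},
    {"name": "werkzeug", "version": "2.0.2", "vulns": []},
])

# Hypothetical, time-boxed exception list: vulnerability ID -> ISO date on
# which the exception expires. An expired entry is re-enabled on purpose,
# so a "temporary" ignore cannot silently become permanent.
IGNORE_UNTIL = {"PYSEC-2018-66": "2022-06-01"}


@dataclass
class Finding:
    package: str
    version: str
    vuln_id: str
    fix_versions: list
    ignored: bool


def _version_key(v: str):
    """Sort key for dotted versions; non-numeric components count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def parse_findings(raw_json: str, ignore_until: dict, today_iso: str) -> list:
    """Flatten the report into one Finding per (package, vulnerability)."""
    today = date.fromisoformat(today_iso)
    findings = []
    for dep in json.loads(raw_json):
        for vuln in dep["vulns"]:
            expiry = ignore_until.get(vuln["id"])
            ignored = expiry is not None and today < date.fromisoformat(expiry)
            findings.append(Finding(dep["name"], dep["version"], vuln["id"],
                                    list(vuln.get("fix_versions", [])), ignored))
    return findings


def blocking(findings: list) -> list:
    """Everything not covered by a live exception must fail the build."""
    return [f for f in findings if not f.ignored]


def exit_code(findings: list) -> int:
    """Same contract as pip-audit itself: 0 when clean, 1 when anything blocks."""
    return 1 if blocking(findings) else 0


def upgrade_plan(findings: list) -> dict:
    """Per package, the highest listed fix version across its blocking findings.

    None marks a package where some blocking finding lists no fix version:
    upgrading alone will not close it, so it needs a manual decision.
    """
    plan = {}
    for f in blocking(findings):
        prev = plan.get(f.package, "0")
        if prev is None or not f.fix_versions:
            plan[f.package] = None
            continue
        best = max(f.fix_versions, key=_version_key)
        plan[f.package] = max(prev, best, key=_version_key)
    return plan


def main(raw_json: str, today_iso: str = None) -> int:
    today_iso = today_iso or date.today().isoformat()
    findings = parse_findings(raw_json, IGNORE_UNTIL, today_iso)
    for f in findings:
        tag = "IGNORED" if f.ignored else "BLOCK"
        print(f"{tag:7} {f.package} {f.version} {f.vuln_id} fix={f.fix_versions or '-'}")
    for pkg, target in upgrade_plan(findings).items():
        print(f"upgrade {pkg} -> {target or 'no fix listed, manual review'}")
    return exit_code(findings)


if __name__ == "__main__":
    # With no argument the constructed sample is gated; in CI pass report.json.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(main(raw))
```

The exception list carries an expiry date rather than a bare list of IDs so that an accepted risk is revisited instead of being forgotten; with the sample data and a date before 2022-06-01 the older Flask advisory is waived, the newer one still blocks, and the build fails with the same status code pip-audit itself would return.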

Audit dependencies and attempt to fix the vulnerable ones automatically:

$ pip-audit --fix
Found 2 known vulnerabilities in 1 package and fixed 2 vulnerabilities in 1 package
Name  Version ID             Fix Versions Applied Fix
----- ------- -------------- ------------ ----------------------------------------
flask 0.5     PYSEC-2019-179 1.0          Successfully upgraded flask (0.5 => 1.0)
flask 0.5     PYSEC-2018-66  0.12.3       Successfully upgraded flask (0.5 => 1.0)

License

This project is developed and released under the Apache 2.0 open source license.
