Merge branch 'master' of github/pyscan
aswinnnn committed Oct 18, 2023
2 parents 5b421ea + 2fc29cd commit a4d2bee
Showing 2 changed files with 180 additions and 180 deletions.
182 changes: 91 additions & 91 deletions CHANGELOG.md
@@ -1,91 +1,91 @@
# Changelog

## 0.1.1

- added package subcommand, here's a quick usage:

```bash
pyscan package -n jinja2 -v 2.4.1
```

- slight logic improvments
- notes for next release:
- - if it detects toml but it doesnt find the dependencies table it panics, no idea how to err handle that for now
- - I should probably start using the `anyhow` crate.
- - `get_latest_package_version` should become its own function and be moved to `utils.rs` in the next version

That's all for this release!

## 0.1.2

- added docker subcommand, usage:
```bash
> pyscan docker -n my-docker-image -p /path/inside/container/to/source
```

by <i>"source"</i> I mean `requirements.txt`, `pyproject.toml` or your python files.

- pyscan will not be using [deps.dev](https://deps.dev) API anymore to retrive latest stable versions. Will be using `pip` instead to get the installed package version from the user. Should've thought of that sooner. [credits to @anotherbridge for [#1](https://github.com/aswinnnn/pyscan/issues/1)]

- better error messages, though panics are the main way of displaying them.

- This release was pretty rushed to fix that issue and get the docker feature on. I will be taking my sweet time with the next release to get:

- - github actions integration
- - make it easier for other tools to interact with pyscan
- - code complexity analyzer (not doing a linter cuz any respectable python dev already has one)
- - finally get to do tests, and lots of more ideas in my head. Thanks for the awesome support so far!

## 0.1.3

- Fixed a grave error where docker command left remnants and did not perform a complete cleanup.
- This release was made right after the previous release to fix this feature, however, the release page will contain both this message and the previous one so no one will miss out on the new stuff.

## 0.1.4 (the "big" update)

### Changes and New

- BATCHED API! Pyscan is actually fast enough now. [#5]
- Less panics and more user friendly errors.
- Perfomance optimizations by some &s and better logic.
- Support for constraints.txt [#4]
- Introduced PipCache, which caches your pip package names and versions before the execution of the scanner to quickly lookup incase of a fallback
- also, fallbacks! [#3] the order is: source > pip > pypi.org
- it can be disabled with only sticking to `--pip` or `--pypi` or `--source`
- exit non-zeros at vulns found and other important errors

### Notes
- I actually wanted to include multi-threaded batched requests to increase perfomance even more
- but had to rush the update because everyone was installing the pathetic previous one. It's like hiding a golden apple that you can't show anyone. (except people who noticed the alpha branch)
- I will try not to rush updates and actually take things slow but thats hard when its recieving so much attention
- [RealPython](realpython.com) featured this project on their podcast which was just amazing, and something that has never happened to me before.
- Twitter and imageboards (the good ones) are giving pyscan so much love.
- All the issue makers have led to some very awesome improvements, I fucking love open source.

That's about it, check TODO for whats coming in the future.

## v0.1.6

*v0.1.5 had a bugfix to fix a critical bug accidently deployed in v0.1.4, immediately. Thus, i dont think it deserves its own thingy.*

### New Features

- implement parsing dependencies from `setup.py`,`setuptools`,`poetry`,`hatch`,`filt`, `pdm`
- multithreaded requests for `> 100` dependencies
- output options

### Fixes

This version was focused on:

- #13 [fixed]
- #14 [fixed]
- #11 - This will took some time as parsing of pyproject.toml is hard-coded to only support PEP 621, which means redesigning how pyproject.toml should be scanned entirely. [fixed]

### Notes

Pyscan has some **very interesting developments** planned in the future. Checkout the PR.

- [ ] the crate `pep-508` seems to be having trouble parsing embedded hash values in `requirements.txt` ( #16 ), which may or may not have a fix depending on the author of the lib.
- [ ] (maybe) support for parsing SBOMs and KBOMs
- [ ] (maybe) introduce displaying severity, along with a filter for known vuln IDs.
# Changelog

## 0.1.1

- added package subcommand, here's a quick usage:

```bash
pyscan package -n jinja2 -v 2.4.1
```

- slight logic improvments
- notes for next release:
- - if it detects toml but it doesnt find the dependencies table it panics, no idea how to err handle that for now
- - I should probably start using the `anyhow` crate.
- - `get_latest_package_version` should become its own function and be moved to `utils.rs` in the next version

That's all for this release!

## 0.1.2

- added docker subcommand, usage:
```bash
> pyscan docker -n my-docker-image -p /path/inside/container/to/source
```

by <i>"source"</i> I mean `requirements.txt`, `pyproject.toml` or your python files.

- pyscan will not be using [deps.dev](https://deps.dev) API anymore to retrive latest stable versions. Will be using `pip` instead to get the installed package version from the user. Should've thought of that sooner. [credits to @anotherbridge for [#1](https://github.com/aswinnnn/pyscan/issues/1)]

- better error messages, though panics are the main way of displaying them.

- This release was pretty rushed to fix that issue and get the docker feature on. I will be taking my sweet time with the next release to get:

- - github actions integration
- - make it easier for other tools to interact with pyscan
- - code complexity analyzer (not doing a linter cuz any respectable python dev already has one)
- - finally get to do tests, and lots of more ideas in my head. Thanks for the awesome support so far!

## 0.1.3

- Fixed a grave error where docker command left remnants and did not perform a complete cleanup.
- This release was made right after the previous release to fix this feature, however, the release page will contain both this message and the previous one so no one will miss out on the new stuff.

## 0.1.4 (the "big" update)

### Changes and New

- BATCHED API! Pyscan is actually fast enough now. [#5]
- Less panics and more user friendly errors.
- Perfomance optimizations by some &s and better logic.
- Support for constraints.txt [#4]
- Introduced PipCache, which caches your pip package names and versions before the execution of the scanner to quickly lookup incase of a fallback
- also, fallbacks! [#3] the order is: source > pip > pypi.org
- it can be disabled with only sticking to `--pip` or `--pypi` or `--source`
- exit non-zeros at vulns found and other important errors

### Notes
- I actually wanted to include multi-threaded batched requests to increase perfomance even more
- but had to rush the update because everyone was installing the pathetic previous one. It's like hiding a golden apple that you can't show anyone. (except people who noticed the alpha branch)
- I will try not to rush updates and actually take things slow but thats hard when its recieving so much attention
- [RealPython](realpython.com) featured this project on their podcast which was just amazing, and something that has never happened to me before.
- Twitter and imageboards (the good ones) are giving pyscan so much love.
- All the issue makers have led to some very awesome improvements, I fucking love open source.

That's about it, check TODO for whats coming in the future.

## v0.1.6 (October 15, 2023)

*v0.1.5 had a bugfix to fix a critical bug accidently deployed in v0.1.4, immediately. Thus, i dont think it deserves its own thingy.*

### New Features

- implement parsing dependencies from `setup.py`,`setuptools`,`poetry`,`hatch`,`filt`, `pdm`
- multithreaded requests for `> 100` dependencies
- output options

### Fixes

This version was focused on:

- #13 [fixed]
- #14 [fixed]
- #11 - This will took some time as parsing of pyproject.toml is hard-coded to only support PEP 621, which means redesigning how pyproject.toml should be scanned entirely. [fixed]

### Notes

Pyscan has some **very interesting developments** planned in the future. Checkout the PR.

- [ ] the crate `pep-508` seems to be having trouble parsing embedded hash values in `requirements.txt` ( #16 ), which may or may not have a fix depending on the author of the lib.
- [ ] (maybe) support for parsing SBOMs and KBOMs
- [ ] (maybe) introduce displaying severity, along with a filter for known vuln IDs.
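Review bot: the only content change in this hunk is the heading `## v0.1.6` becoming `## v0.1.6 (October 15, 2023)`, yet the file is counted as 91 additions and 91 deletions, so every line registers as rewritten; that pattern points to line endings or trailing whitespace changing across the whole file, and normalizing them (for example with a `.gitattributes` text rule) would make the single real edit reviewable. The added date is also inconsistent with the earlier headings (`## 0.1.1` through `## 0.1.4 (the "big" update)`), none of which carry a date or the `v` prefix; either date every release heading or keep the release date in the body text below it.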
178 changes: 89 additions & 89 deletions README.md
@@ -1,89 +1,89 @@
<h1 align="center"> 🐍 Pyscan </h1>

![CI](https://github.com/aswinnnn/pyscan/actions/workflows/CI.yml/badge.svg) ![Liscense](https://img.shields.io/github/license/aswinnnn/pyscan?color=ff64b4) [![PyPI](https://img.shields.io/pypi/v/pyscan-rs?color=ff69b4)](https://pypi.org/project/pyscan-rs) [![](https://img.shields.io/crates/v/pyscan?color=ff64b4)](https://crates.io/crates/pyscan) [![GitHub issues](https://img.shields.io/github/issues/aswinnnn/pyscan.svg?color=ff69b4)](https://GitHub.com/aswinnnn/pyscan/issues/) [![Top Language](https://img.shields.io/github/languages/top/aswinnnn/pyscan?color=ff69b4)](https://img.shields.io/github/languages/top/aswinnnn/pyscan)

<h4 align="center">

<!-- <img src="https://media.discordapp.net/attachments/1002212458502557718/1107648562004758538/pyscan.png?width=779&height=206"> -->

<img src="./assets/pyscan-repository.png">

</h4>

<h5 align="center"> <i>A dependency vulnerability scanner for your python projects, straight from the terminal.</i> </h5>

+ can be used within large projects. (see [benchmarks](BENCHMARKS.md))
+ automatically finds dependencies either from configuration files or within source code.
+ support for poetry,hatch,filt,pdm and can be integrated into existing build processes.
+ hasn't been battle-hardened yet. PRs and issue makers welcome.

## 🕊️ Install

```bash
pip install pyscan-rs
```
**look out for the "-rs"** part
or

```bash
cargo install pyscan
```

check out the [releases](https://github.com/aswinnnn/pyscan/releases).

## 🐇 Usage

Go to your python source directory (or wherever you keep your `requirements.txt`/`pyproject.toml`) and run:

```bash
> pyscan
```
or
```bash
> pyscan -d path/to/src
```

<!-- ## Docker
[WARNING: docker subcommand currently does not work, if you are installing pyscan solely for that purpose. It will be fixed and released in the next version. Thanks for the patience, people with actual jobs (i dont know anyone else who actually uses docker)]
Pyscan can scan inside docker images given you provide the correct path inside. This is still in its early stage and may break easily.
```bash
> pyscan docker -n my-docker-image -p /path/inside/container/to/source
```
by <i>"source"</i> I mean `requirements.txt`, `pyproject.toml` or your python files.
Note: Your docker engine/daemon should be running as pyscan utilizes the `docker create` command. -->

<br>
Pyscan will find any dependencies added through poetry, hatch, filt, pdm, etc.
Here's the order of precedence for a source/config file:

+ `requirements.txt`
+ `pyproject.toml`
+ your source code (`.py`)

Pyscan will use your `pip` to find unknown versions, otherwise [pypi.org](https://pypi.org) for the latest version. Still, **Make sure you version-ize your requirements** and use proper [pep-508 syntax](https://peps.python.org/pep-0508/).

## Building

pyscan requires a rust version of `< v1.70`, and might be unstable on previous releases.
There's an overview of the codebase at [architecture](./architecture/). Grateful for all the contributions so far.

## 🦀 Note

pyscan doesn't make sure your code is safe from everything. Use all resources available to you like [safety](https://pypi.org/project/safety/) Dependabot, [`pip-audit`](https://pypi.org/project/pip-audit/), trivy and the likes.

## 🐰 Todo

As of October 15, 2023:

- [ ] Gather time to work on it (incredible task as a high schooler)
- [ ] Persistent state representation of a project's security.
- [ ] Graphical analysis of dependencies and their dependencies, and so on.
- [ ] Better display, search, filter of vulns

## 🐹 Donate

While not coding, I am a broke high school student with nothing else to do. I appreciate all the help I can get.
<h1 align="center"> 🐍 Pyscan </h1>

![CI](https://github.com/aswinnnn/pyscan/actions/workflows/CI.yml/badge.svg) ![Liscense](https://img.shields.io/github/license/aswinnnn/pyscan?color=ff64b4) [![PyPI](https://img.shields.io/pypi/v/pyscan-rs?color=ff69b4)](https://pypi.org/project/pyscan-rs) [![](https://img.shields.io/crates/v/pyscan?color=ff64b4)](https://crates.io/crates/pyscan) [![GitHub issues](https://img.shields.io/github/issues/aswinnnn/pyscan.svg?color=ff69b4)](https://GitHub.com/aswinnnn/pyscan/issues/) [![Top Language](https://img.shields.io/github/languages/top/aswinnnn/pyscan?color=ff69b4)](https://img.shields.io/github/languages/top/aswinnnn/pyscan)

<h4 align="center">

<!-- <img src="https://media.discordapp.net/attachments/1002212458502557718/1107648562004758538/pyscan.png?width=779&height=206"> -->

<img src="./assets/pyscan-repository.png">

</h4>

<h5 align="center"> <i>A dependency vulnerability scanner for your python projects, straight from the terminal.</i> </h5>

+ can be used within large projects. (see [benchmarks](BENCHMARKS.md))
+ automatically finds dependencies either from configuration files or within source code.
+ support for poetry,hatch,filt,pdm and can be integrated into existing build processes.
+ hasn't been battle-hardened yet. PRs and issue makers welcome.

## 🕊️ Install

```bash
pip install pyscan-rs
```
**look out for the "-rs"** part
or

```bash
cargo install pyscan
```



## 🐇 Usage

Go to your python source directory (or wherever you keep your `requirements.txt`/`pyproject.toml`) and run:

```bash
> pyscan
```
or
```bash
> pyscan -d path/to/src
```

<!-- ## Docker
[WARNING: docker subcommand currently does not work, if you are installing pyscan solely for that purpose. It will be fixed and released in the next version. Thanks for the patience, people with actual jobs (i dont know anyone else who actually uses docker)]
Pyscan can scan inside docker images given you provide the correct path inside. This is still in its early stage and may break easily.
```bash
> pyscan docker -n my-docker-image -p /path/inside/container/to/source
```
by <i>"source"</i> I mean `requirements.txt`, `pyproject.toml` or your python files.
Note: Your docker engine/daemon should be running as pyscan utilizes the `docker create` command. -->

<br>
Pyscan will find any dependencies added through poetry, hatch, filt, pdm, etc.
Here's the order of precedence for a source/config file:

+ `requirements.txt`
+ `pyproject.toml`
+ your source code (`.py`)

Pyscan will use your `pip` to find unknown versions, otherwise [pypi.org](https://pypi.org) for the latest version. Still, **Make sure you version-ize your requirements** and use proper [pep-508 syntax](https://peps.python.org/pep-0508/).

## Building

pyscan requires a rust version of `< v1.70`, and might be unstable on previous releases.
There's an overview of the codebase at [architecture](./architecture/). Grateful for all the contributions so far.

## 🦀 Note

pyscan doesn't make sure your code is safe from everything. Use all resources available to you like [safety](https://pypi.org/project/safety/) Dependabot, [`pip-audit`](https://pypi.org/project/pip-audit/), trivy and the likes.

## 🐰 Todo

As of October 15, 2023:

- [ ] Gather time to work on it (incredible task as a high schooler)
- [ ] Persistent state representation of a project's security.
- [ ] Graphical analysis of dependencies and their dependencies, and so on.
- [ ] Better display, search, filter of vulns

## 🐹 Donate

While not coding, I am a broke high school student with nothing else to do. I appreciate all the help I can get.
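Review bot: the sentence `check out the [releases](https://github.com/aswinnnn/pyscan/releases).` under the Install section is removed and replaced by three blank lines before `## 🐇 Usage`; if dropping the releases link is intended, collapse the blank lines to one, otherwise restore the sentence. As in CHANGELOG.md, an 89-addition/89-deletion count for a one-line edit indicates whole-file line-ending or whitespace churn that should be normalized before merge. Two pre-existing typos are visible in the hunk and worth fixing while the file is being touched: the badge alt text `Liscense` should be `License`, and the dependency managers list (`poetry,hatch,filt,pdm`) spells `filt` where the tool is named `flit`.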

0 comments on commit a4d2bee
