diff --git a/CHANGELOG.md b/CHANGELOG.md index 1b54973..d7188fd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,91 +1,91 @@ -# Changelog - -## 0.1.1 - -- added package subcommand, here's a quick usage: - -```bash -pyscan package -n jinja2 -v 2.4.1 -``` - -- slight logic improvments -- notes for next release: -- - if it detects toml but it doesnt find the dependencies table it panics, no idea how to err handle that for now -- - I should probably start using the `anyhow` crate. -- - `get_latest_package_version` should become its own function and be moved to `utils.rs` in the next version - -That's all for this release! - -## 0.1.2 - -- added docker subcommand, usage: -```bash -> pyscan docker -n my-docker-image -p /path/inside/container/to/source -``` - -by "source" I mean `requirements.txt`, `pyproject.toml` or your python files. - -- pyscan will not be using [deps.dev](https://deps.dev) API anymore to retrive latest stable versions. Will be using `pip` instead to get the installed package version from the user. Should've thought of that sooner. [credits to @anotherbridge for [#1](https://github.com/aswinnnn/pyscan/issues/1)] - -- better error messages, though panics are the main way of displaying them. - -- This release was pretty rushed to fix that issue and get the docker feature on. I will be taking my sweet time with the next release to get: - -- - github actions integration -- - make it easier for other tools to interact with pyscan -- - code complexity analyzer (not doing a linter cuz any respectable python dev already has one) -- - finally get to do tests, and lots of more ideas in my head. Thanks for the awesome support so far! - -## 0.1.3 - -- Fixed a grave error where docker command left remnants and did not perform a complete cleanup. -- This release was made right after the previous release to fix this feature, however, the release page will contain both this message and the previous one so no one will miss out on the new stuff. - -## 0.1.4 (the "big" update) - -### Changes and New - -- BATCHED API! Pyscan is actually fast enough now. [#5] -- Less panics and more user friendly errors. -- Perfomance optimizations by some &s and better logic. -- Support for constraints.txt [#4] -- Introduced PipCache, which caches your pip package names and versions before the execution of the scanner to quickly lookup incase of a fallback -- also, fallbacks! [#3] the order is: source > pip > pypi.org -- it can be disabled with only sticking to `--pip` or `--pypi` or `--source` -- exit non-zeros at vulns found and other important errors - -### Notes -- I actually wanted to include multi-threaded batched requests to increase perfomance even more -- but had to rush the update because everyone was installing the pathetic previous one. It's like hiding a golden apple that you can't show anyone. (except people who noticed the alpha branch) -- I will try not to rush updates and actually take things slow but thats hard when its recieving so much attention -- [RealPython](realpython.com) featured this project on their podcast which was just amazing, and something that has never happened to me before. -- Twitter and imageboards (the good ones) are giving pyscan so much love. -- All the issue makers have led to some very awesome improvements, I fucking love open source. - -That's about it, check TODO for whats coming in the future. - -## v0.1.6 - -*v0.1.5 had a bugfix to fix a critical bug accidently deployed in v0.1.4, immediately. Thus, i dont think it deserves its own thingy.* - -### New Features - -- implement parsing dependencies from `setup.py`,`setuptools`,`poetry`,`hatch`,`filt`, `pdm` -- multithreaded requests for `> 100` dependencies -- output options - -### Fixes - -This version was focused on: - -- #13 [fixed] -- #14 [fixed] -- #11 - This will took some time as parsing of pyproject.toml is hard-coded to only support PEP 621, which means redesigning how pyproject.toml should be scanned entirely. [fixed] - -### Notes - -Pyscan has some **very interesting developments** planned in the future. Checkout the PR. - -- [ ] the crate `pep-508` seems to be having trouble parsing embedded hash values in `requirements.txt` ( #16 ), which may or may not have a fix depending on the author of the lib. -- [ ] (maybe) support for parsing SBOMs and KBOMs -- [ ] (maybe) introduce displaying severity, along with a filter for known vuln IDs. \ No newline at end of file +# Changelog + +## 0.1.1 + +- added package subcommand, here's a quick usage: + +```bash +pyscan package -n jinja2 -v 2.4.1 +``` + +- slight logic improvments +- notes for next release: +- - if it detects toml but it doesnt find the dependencies table it panics, no idea how to err handle that for now +- - I should probably start using the `anyhow` crate. +- - `get_latest_package_version` should become its own function and be moved to `utils.rs` in the next version + +That's all for this release! + +## 0.1.2 + +- added docker subcommand, usage: +```bash +> pyscan docker -n my-docker-image -p /path/inside/container/to/source +``` + +by "source" I mean `requirements.txt`, `pyproject.toml` or your python files. + +- pyscan will not be using [deps.dev](https://deps.dev) API anymore to retrive latest stable versions. Will be using `pip` instead to get the installed package version from the user. Should've thought of that sooner. [credits to @anotherbridge for [#1](https://github.com/aswinnnn/pyscan/issues/1)] + +- better error messages, though panics are the main way of displaying them. + +- This release was pretty rushed to fix that issue and get the docker feature on. I will be taking my sweet time with the next release to get: + +- - github actions integration +- - make it easier for other tools to interact with pyscan +- - code complexity analyzer (not doing a linter cuz any respectable python dev already has one) +- - finally get to do tests, and lots of more ideas in my head. Thanks for the awesome support so far! + +## 0.1.3 + +- Fixed a grave error where docker command left remnants and did not perform a complete cleanup. +- This release was made right after the previous release to fix this feature, however, the release page will contain both this message and the previous one so no one will miss out on the new stuff. + +## 0.1.4 (the "big" update) + +### Changes and New + +- BATCHED API! Pyscan is actually fast enough now. [#5] +- Less panics and more user friendly errors. +- Perfomance optimizations by some &s and better logic. +- Support for constraints.txt [#4] +- Introduced PipCache, which caches your pip package names and versions before the execution of the scanner to quickly lookup incase of a fallback +- also, fallbacks! [#3] the order is: source > pip > pypi.org +- it can be disabled with only sticking to `--pip` or `--pypi` or `--source` +- exit non-zeros at vulns found and other important errors + +### Notes +- I actually wanted to include multi-threaded batched requests to increase perfomance even more +- but had to rush the update because everyone was installing the pathetic previous one. It's like hiding a golden apple that you can't show anyone. (except people who noticed the alpha branch) +- I will try not to rush updates and actually take things slow but thats hard when its recieving so much attention +- [RealPython](realpython.com) featured this project on their podcast which was just amazing, and something that has never happened to me before. +- Twitter and imageboards (the good ones) are giving pyscan so much love. +- All the issue makers have led to some very awesome improvements, I fucking love open source. + +That's about it, check TODO for whats coming in the future. + +## v0.1.6 (October 15, 2023) + +*v0.1.5 had a bugfix to fix a critical bug accidently deployed in v0.1.4, immediately. Thus, i dont think it deserves its own thingy.* + +### New Features + +- implement parsing dependencies from `setup.py`,`setuptools`,`poetry`,`hatch`,`filt`, `pdm` +- multithreaded requests for `> 100` dependencies +- output options + +### Fixes + +This version was focused on: + +- #13 [fixed] +- #14 [fixed] +- #11 - This will took some time as parsing of pyproject.toml is hard-coded to only support PEP 621, which means redesigning how pyproject.toml should be scanned entirely. [fixed] + +### Notes + +Pyscan has some **very interesting developments** planned in the future. Checkout the PR. + +- [ ] the crate `pep-508` seems to be having trouble parsing embedded hash values in `requirements.txt` ( #16 ), which may or may not have a fix depending on the author of the lib. +- [ ] (maybe) support for parsing SBOMs and KBOMs +- [ ] (maybe) introduce displaying severity, along with a filter for known vuln IDs. diff --git a/README.md b/README.md index 267215b..4646d06 100644 --- a/README.md +++ b/README.md @@ -1,89 +1,89 @@ -

🐍 Pyscan

- -![CI](https://github.com/aswinnnn/pyscan/actions/workflows/CI.yml/badge.svg) ![Liscense](https://img.shields.io/github/license/aswinnnn/pyscan?color=ff64b4) [![PyPI](https://img.shields.io/pypi/v/pyscan-rs?color=ff69b4)](https://pypi.org/project/pyscan-rs) [![](https://img.shields.io/crates/v/pyscan?color=ff64b4)](https://crates.io/crates/pyscan) [![GitHub issues](https://img.shields.io/github/issues/aswinnnn/pyscan.svg?color=ff69b4)](https://GitHub.com/aswinnnn/pyscan/issues/) [![Top Language](https://img.shields.io/github/languages/top/aswinnnn/pyscan?color=ff69b4)](https://img.shields.io/github/languages/top/aswinnnn/pyscan) - -

- - - - - -

- -
A dependency vulnerability scanner for your python projects, straight from the terminal.
- -+ can be used within large projects. (see [benchmarks](BENCHMARKS.md)) -+ automatically finds dependencies either from configuration files or within source code. -+ support for poetry,hatch,filt,pdm and can be integrated into existing build processes. -+ hasn't been battle-hardened yet. PRs and issue makers welcome. - -## 🕊️ Install - -```bash -pip install pyscan-rs -``` -**look out for the "-rs"** part -or - -```bash -cargo install pyscan -``` - -check out the [releases](https://github.com/aswinnnn/pyscan/releases). - -## 🐇 Usage - -Go to your python source directory (or wherever you keep your `requirements.txt`/`pyproject.toml`) and run: - -```bash -> pyscan -``` -or -```bash -> pyscan -d path/to/src -``` - - - -
-Pyscan will find any dependencies added through poetry, hatch, filt, pdm, etc. -Here's the order of precedence for a source/config file: - -+ `requirements.txt` -+ `pyproject.toml` -+ your source code (`.py`) - -Pyscan will use your `pip` to find unknown versions, otherwise [pypi.org](https://pypi.org) for the latest version. Still, **Make sure you version-ize your requirements** and use proper [pep-508 syntax](https://peps.python.org/pep-0508/). - -## Building - -pyscan requires a rust version of `< v1.70`, and might be unstable on previous releases. -There's an overview of the codebase at [architecture](./architecture/). Grateful for all the contributions so far. - -## 🦀 Note - -pyscan doesn't make sure your code is safe from everything. Use all resources available to you like [safety](https://pypi.org/project/safety/) Dependabot, [`pip-audit`](https://pypi.org/project/pip-audit/), trivy and the likes. - -## 🐰 Todo - -As of October 15, 2023: - -- [ ] Gather time to work on it (incredible task as a high schooler) -- [ ] Persistent state representation of a project's security. -- [ ] Graphical analysis of dependencies and their dependencies, and so on. -- [ ] Better display, search, filter of vulns - -## 🐹 Donate - -While not coding, I am a broke high school student with nothing else to do. I appreciate all the help I can get. +

🐍 Pyscan

+ +![CI](https://github.com/aswinnnn/pyscan/actions/workflows/CI.yml/badge.svg) ![Liscense](https://img.shields.io/github/license/aswinnnn/pyscan?color=ff64b4) [![PyPI](https://img.shields.io/pypi/v/pyscan-rs?color=ff69b4)](https://pypi.org/project/pyscan-rs) [![](https://img.shields.io/crates/v/pyscan?color=ff64b4)](https://crates.io/crates/pyscan) [![GitHub issues](https://img.shields.io/github/issues/aswinnnn/pyscan.svg?color=ff69b4)](https://GitHub.com/aswinnnn/pyscan/issues/) [![Top Language](https://img.shields.io/github/languages/top/aswinnnn/pyscan?color=ff69b4)](https://img.shields.io/github/languages/top/aswinnnn/pyscan) + +

+ + + + + +

+ +
A dependency vulnerability scanner for your python projects, straight from the terminal.
+ ++ can be used within large projects. (see [benchmarks](BENCHMARKS.md)) ++ automatically finds dependencies either from configuration files or within source code. ++ support for poetry,hatch,filt,pdm and can be integrated into existing build processes. ++ hasn't been battle-hardened yet. PRs and issue makers welcome. + +## 🕊️ Install + +```bash +pip install pyscan-rs +``` +**look out for the "-rs"** part +or + +```bash +cargo install pyscan +``` + + + +## 🐇 Usage + +Go to your python source directory (or wherever you keep your `requirements.txt`/`pyproject.toml`) and run: + +```bash +> pyscan +``` +or +```bash +> pyscan -d path/to/src +``` + + + +
+Pyscan will find any dependencies added through poetry, hatch, filt, pdm, etc. +Here's the order of precedence for a source/config file: + ++ `requirements.txt` ++ `pyproject.toml` ++ your source code (`.py`) + +Pyscan will use your `pip` to find unknown versions, otherwise [pypi.org](https://pypi.org) for the latest version. Still, **Make sure you version-ize your requirements** and use proper [pep-508 syntax](https://peps.python.org/pep-0508/). + +## Building + +pyscan requires a rust version of `< v1.70`, and might be unstable on previous releases. +There's an overview of the codebase at [architecture](./architecture/). Grateful for all the contributions so far. + +## 🦀 Note + +pyscan doesn't make sure your code is safe from everything. Use all resources available to you like [safety](https://pypi.org/project/safety/) Dependabot, [`pip-audit`](https://pypi.org/project/pip-audit/), trivy and the likes. + +## 🐰 Todo + +As of October 15, 2023: + +- [ ] Gather time to work on it (incredible task as a high schooler) +- [ ] Persistent state representation of a project's security. +- [ ] Graphical analysis of dependencies and their dependencies, and so on. +- [ ] Better display, search, filter of vulns + +## 🐹 Donate + +While not coding, I am a broke high school student with nothing else to do. I appreciate all the help I can get.