Commit 1b56afdc authored by Jérome Perrin's avatar Jérome Perrin

testing/testcase: check eggs for known vulnerabilities

scan installed eggs and check if they have known vulnerabilities listed on
https://github.com/pyupio/safety-db
parent c2d7c494
...@@ -34,6 +34,9 @@ import glob ...@@ -34,6 +34,9 @@ import glob
import logging import logging
import shutil import shutil
import warnings import warnings
import pkg_resources
import requests
from six.moves.urllib.parse import urlparse from six.moves.urllib.parse import urlparse
try: try:
...@@ -222,6 +225,7 @@ def checkSoftware(slap, software_url): ...@@ -222,6 +225,7 @@ def checkSoftware(slap, software_url):
software_hash = md5digest(software_url) software_hash = md5digest(software_url)
error_list = [] error_list = []
warning_list = []
ldd_so_resolved_re = re.compile( ldd_so_resolved_re = re.compile(
r'\t(?P<library_name>.*) => (?P<library_path>.*) \(0x') r'\t(?P<library_name>.*) => (?P<library_path>.*) \(0x')
...@@ -332,6 +336,49 @@ def checkSoftware(slap, software_url): ...@@ -332,6 +336,49 @@ def checkSoftware(slap, software_url):
"Software hash present in signature {}\n{}\n".format( "Software hash present in signature {}\n{}\n".format(
signature_file, signature_content)) signature_file, signature_content))
def checkEggsVersionsKnownVulnerabilities(
egg_directories,
safety_db=requests.get(
'https://raw.githubusercontent.com/pyupio/safety-db/master/data/insecure_full.json'
).json()):
# type: (List[str], Dict) -> Iterable[str]
"""Check eggs against known vulnerabilities database from https://github.com/pyupio/safety-db
"""
env = pkg_resources.Environment(egg_directories)
for egg in env:
known_vulnerabilities = safety_db.get(egg)
if known_vulnerabilities:
for distribution in env[egg]:
for known_vulnerability in known_vulnerabilities:
for vulnerable_spec in known_vulnerability['specs']:
for req in pkg_resources.parse_requirements(egg +
vulnerable_spec):
vulnerability_description = "\n".join(
u"{}: {}".format(*item)
for item in known_vulnerability.items())
if distribution in req:
yield (
u"{egg} use vulnerable version {distribution.version} because {vulnerable_spec}.\n"
"{vulnerability_description}\n".format(**locals()))
warning_list.extend(
checkEggsVersionsKnownVulnerabilities(
glob.glob(
os.path.join(
slap.software_directory,
software_hash,
'eggs',
'*',
)) + glob.glob(
os.path.join(
slap.software_directory,
software_hash,
'develop-eggs',
'*',
))))
if warning_list:
warnings.warn('\n'.join(warning_list))
if error_list: if error_list:
raise RuntimeError('\n'.join(error_list)) raise RuntimeError('\n'.join(error_list))