feat(python): add support for uv (#8080)
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
nikpivkin authored Dec 19, 2024
1 parent 49f3540 commit c4a4a5f
Showing 21 changed files with 1,170 additions and 2 deletions.
2 changes: 2 additions & 0 deletions docs/docs/configuration/reporting.md
@@ -58,6 +58,7 @@ The following languages are currently supported:
| | [yarn.lock][yarn-lock] |
| .NET | [packages.lock.json][dotnet-packages-lock] |
| Python | [poetry.lock][poetry-lock] |
| | [uv.lock][uv-lock] |
| Ruby | [Gemfile.lock][gemfile-lock] |
| Rust | [cargo-auditable binaries][cargo-binaries] |
| Go | [go.mod][go-mod] |
@@ -449,6 +450,7 @@ $ trivy convert --format table --severity CRITICAL result.json
[yarn-lock]: ../coverage/language/nodejs.md#yarn
[dotnet-packages-lock]: ../coverage/language/dotnet.md#packageslockjson
[poetry-lock]: ../coverage/language/python.md#poetry
[uv-lock]: ../coverage/language/python.md#uv
[gemfile-lock]: ../coverage/language/ruby.md#bundler
[go-mod]: ../coverage/language/golang.md#go-module
[composer-lock]: ../coverage/language/php.md#composerlock
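Review bot: the new `[uv-lock]` reference resolves to `../coverage/language/python.md#uv`, so it depends on the `### uv` heading being added to python.md in this same commit; keep both changes together (as they are here) or the table row added at line 61 of this file becomes a dead link.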
1 change: 1 addition & 0 deletions docs/docs/coverage/language/index.md
@@ -22,6 +22,7 @@ On the other hand, when the target is a post-build artifact, like a container im
| | gemspec ||| - | - |
| [Python](python.md) | Pipfile.lock | - | - |||
| | poetry.lock | - | - |||
| | uv.lock | - | - |||
| | requirements.txt | - | - |||
| | egg package[^1] ||| - | - |
| | wheel package[^2] ||| - | - |
7 changes: 7 additions & 0 deletions docs/docs/coverage/language/python.md
@@ -8,6 +8,7 @@ The following scanners are supported for package managers.
| pip ||||
| Pipenv ||| - |
| Poetry ||| - |
| uv ||| - |

In addition, Trivy supports three formats of Python packages: `egg`, `wheel` and `conda`.
The following scanners are supported for Python packages.
@@ -26,6 +27,7 @@ The following table provides an outline of the features Trivy offers.
| pip | requirements.txt | - | Include | - |||
| Pipenv | Pipfile.lock || Include | - || Not needed |
| Poetry | poetry.lock || Exclude || - | Not needed |
| uv | uv.lock || Exclude || - | Not needed |


| Packaging | Dependency graph |
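Review bot: the new `uv` row marks dev dependencies as `Exclude` and the dependency graph as supported, mirroring the `Poetry` row; the prose section for uv added later in this file does not state either property, so a reader of the `### uv` section alone cannot tell that dev dependency groups are dropped from results. Suggest a sentence there, e.g. "Dev dependency groups are excluded.", so the table and the section agree.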
@@ -126,6 +128,11 @@ To build the correct dependency graph, `pyproject.toml` also needs to be present

License detection is not supported for `Poetry`.

### uv
Trivy uses `uv.lock` to identify dependencies and find vulnerabilities.

License detection is not supported for `uv`.

## Packaging
Trivy parses the manifest files of installed packages in container image scanning and so on.
See [here](https://packaging.python.org/en/latest/discussions/package-formats/) for the detail.
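Review bot: the `### uv` section should say whether `pyproject.toml` is required next to `uv.lock` for the dependency graph, since the Poetry section immediately above (visible in the hunk context) states that `pyproject.toml` "also needs to be present" and the golden output for this commit records `root`/`direct`/`indirect` relationships; without that sentence users cannot tell if a lone `uv.lock` yields the same graph. Suggest either "Trivy uses `uv.lock` to identify dependencies and build the dependency graph; `pyproject.toml` is not required." or the Poetry wording, whichever matches the parser.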
9 changes: 9 additions & 0 deletions integration/repo_test.go
@@ -159,6 +159,15 @@ func TestRepository(t *testing.T) {
},
golden: "testdata/poetry.json.golden",
},
{
name: "uv",
args: args{
scanner: types.VulnerabilityScanner,
listAllPkgs: true,
input: "testdata/fixtures/repo/uv",
},
golden: "testdata/uv.json.golden",
},
{
name: "pom",
args: args{
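Review bot: the new `uv` case only exercises the base graph (one root, two direct, one indirect package, per `testdata/uv.json.golden`); if the `testdata/fixtures/repo/uv/uv.lock` fixture does not already contain a dev dependency group, add one so the golden proves the documented "dev dependencies: Exclude" behaviour rather than leaving it untested. The case otherwise matches the `poetry` case directly above it (`VulnerabilityScanner`, `listAllPkgs: true`), which is the right shape for locking in relationship fields.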
51 changes: 51 additions & 0 deletions integration/testdata/fixtures/repo/uv/uv.lock
195 changes: 195 additions & 0 deletions integration/testdata/uv.json.golden
@@ -0,0 +1,195 @@
{
"SchemaVersion": 2,
"CreatedAt": "2021-08-25T12:20:30.000000005Z",
"ArtifactName": "testdata/fixtures/repo/uv",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "uv.lock",
"Class": "lang-pkgs",
"Type": "uv",
"Packages": [
{
"ID": "uv-test@0.1.0",
"Name": "uv-test",
"Identifier": {
"PURL": "pkg:pypi/uv-test@0.1.0",
"UID": "d8b4e0c0129124ef"
},
"Version": "0.1.0",
"Relationship": "root",
"DependsOn": [
"click@8.1.3",
"werkzeug@0.11.1"
],
"Layer": {}
},
{
"ID": "click@8.1.3",
"Name": "click",
"Identifier": {
"PURL": "pkg:pypi/click@8.1.3",
"UID": "76baa5f52f0c32da"
},
"Version": "8.1.3",
"Relationship": "direct",
"DependsOn": [
"colorama@0.4.6"
],
"Layer": {}
},
{
"ID": "werkzeug@0.11.1",
"Name": "werkzeug",
"Identifier": {
"PURL": "pkg:pypi/werkzeug@0.11.1",
"UID": "de1411a7bb678535"
},
"Version": "0.11.1",
"Relationship": "direct",
"Layer": {}
},
{
"ID": "colorama@0.4.6",
"Name": "colorama",
"Identifier": {
"PURL": "pkg:pypi/colorama@0.4.6",
"UID": "49acc401742db23d"
},
"Version": "0.4.6",
"Indirect": true,
"Relationship": "indirect",
"Layer": {}
}
],
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-14806",
"PkgID": "werkzeug@0.11.1",
"PkgName": "werkzeug",
"PkgIdentifier": {
"PURL": "pkg:pypi/werkzeug@0.11.1",
"UID": "de1411a7bb678535"
},
"InstalledVersion": "0.11.1",
"FixedVersion": "0.15.3",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14806",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory Pip",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
},
"Title": "python-werkzeug: insufficient debugger PIN randomness vulnerability",
"Description": "Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.",
"Severity": "HIGH",
"CweIDs": [
"CWE-331"
],
"VendorSeverity": {
"ghsa": 3,
"nvd": 3,
"redhat": 2,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"V2Score": 5,
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"V3Score": 7.5
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00034.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00047.html",
"https://access.redhat.com/security/cve/CVE-2019-14806",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14806",
"https://github.com/advisories/GHSA-gq9m-qvpx-68hc",
"https://github.com/pallets/werkzeug/blob/7fef41b120327d3912fbe12fb64f1951496fcf3e/src/werkzeug/debug/__init__.py#L168",
"https://github.com/pallets/werkzeug/commit/00bc43b1672e662e5e3b8cecd79e67fc968fa246",
"https://nvd.nist.gov/vuln/detail/CVE-2019-14806",
"https://palletsprojects.com/blog/werkzeug-0-15-3-released/",
"https://ubuntu.com/security/notices/USN-4655-1"
],
"PublishedDate": "2019-08-09T15:15:00Z",
"LastModifiedDate": "2019-09-11T00:15:00Z"
},
{
"VulnerabilityID": "CVE-2020-28724",
"PkgID": "werkzeug@0.11.1",
"PkgName": "werkzeug",
"PkgIdentifier": {
"PURL": "pkg:pypi/werkzeug@0.11.1",
"UID": "de1411a7bb678535"
},
"InstalledVersion": "0.11.1",
"FixedVersion": "0.11.6",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28724",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory Pip",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
},
"Title": "python-werkzeug: open redirect via double slash in the URL",
"Description": "Open redirect vulnerability in werkzeug before 0.11.6 via a double slash in the URL.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-601"
],
"VendorSeverity": {
"ghsa": 2,
"nvd": 2,
"redhat": 2,
"ubuntu": 2
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"V2Score": 5.8,
"V3Score": 6.1
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"V3Score": 5.4
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2020-28724",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28724",
"https://github.com/advisories/GHSA-3p3h-qghp-hvh2",
"https://github.com/pallets/flask/issues/1639",
"https://github.com/pallets/werkzeug/issues/822",
"https://github.com/pallets/werkzeug/pull/890/files",
"https://nvd.nist.gov/vuln/detail/CVE-2020-28724",
"https://ubuntu.com/security/notices/USN-4655-1"
],
"PublishedDate": "2020-11-18T15:15:00Z",
"LastModifiedDate": "2020-12-01T16:05:00Z"
}
]
}
]
}
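Review bot: `colorama@0.4.6` carries both `"Indirect": true` and `"Relationship": "indirect"` while the `root` and `direct` entries omit `Indirect` entirely; that is consistent with `Indirect` being an omitempty legacy field alongside `Relationship`, but confirm it matches the other Python goldens (e.g. `testdata/poetry.json.golden`) so the `uv` type does not diverge in JSON shape. The `Type: "uv"` / `Class: "lang-pkgs"` pairing and the two `werkzeug@0.11.1` findings (both `Status: "fixed"`, fixed in 0.15.3 and 0.11.6) look correct for the fixture's pins.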
0 comments on commit c4a4a5f