Project dependencies have API risk issues #1408
Description
Hi. In Cobra, inappropriate dependency versioning constraints can cause risks.
Below are the dependencies and version constraints that the project is using:
Flask==1.0.0
Flask-RESTful==0.3.6
rarfile==2.7
prettytable==0.7.2
requests==2.20.0
pytest==3.0.6
pip==9.0.1
phply==1.0.0
Werkzeug==0.15.3
ConcurrentLogHandler==0.9.1
The version constraint == will introduce the risk of dependency conflicts because the scope of dependencies is too strict.
The version constraints No Upper Bound and * will introduce the risk of a missing-API error, because the latest version of a dependency may remove some APIs.
After further analysis, in this project,
The version constraint of dependency pip can be changed to >=22.0.4,<=22.1.2.
The above modification suggestions can reduce dependency conflicts as much as possible and introduce the latest versions as much as possible without causing errors in the project.
The invocation of the current project includes all the following methods.
The calling methods from the requests
The calling methods from the pytest
The calling methods from the pip
shutil.rmtree
The calling methods from the all methods
vulnerability_name.lower score2level module_.split url_unquote simple_version_str.strip content.encode version_str.strip rar_file.close quote filename.normalize.encode urlretrieve csv_writer.writerows pusher.push re.sub self._result.keys code.dedent make_parser requests.post n.split self.cve_parse simple_version_str.isdigit parse_requirements origin_results.strip.split cve.get_scan_result f.readlines reqparse.RequestParser cve_path.lower.split exec self.output_colorized pull_out.decode result.split json.loads vul.get scan_status.get.get is_update rar_file.extractall encoding.ret.get_unicode.strip os.getcwd resp.json const.fpc_multi.replace targets.append clone_err.strip case.text.strip self.clone send_mail os.path.dirname code.strip s_sid_data.get key_verify result.update self.cve_info get_all_params x.add_row self.parse_err language.get reload self._syntax_error queue.Queue exit self.rule_match.strip analysis_if_else language.len.self.file_path.lower msg.attach f.endswith Config download_rule_gz self.get_dict rule.get f.seek pool.close fh.setFormatter config.set members.append re.split file_line.endswith self.code.append getattr self.__decompress_zip _filename_utf8_strip_re.sub clean_dir file_type.append CAST cobra.set clone_out.decode running.init_list module_.self._result.get deps.get Dependencies isatty res.group self.result.append self.stream.write self.files r_data.items json.load fn.split.split self._read_xml index.r.text.strip entry.find file_line.count f.json.load.get tarfile.open self.countnum lexer.clone i.setDaemon flush_output random.choice dict.fromkeys back_node.append running.is_file md5 self.count_php_line urllib.quote pull_err.strip lang.get.lower self._expr_code Rule ColorizingStreamHandler os.walk re.json self.notification mimetypes.guess_type dict_to_json logger.addHandler self.file_path.split simple_version_str.replace r.insert s_sid.Running.is_file cve_vuls.append code.get_globals argparse.ArgumentParser os.path.split vul.items 
self.parse_match l.split.strip diff.setdefault self.ansi_esc.split os.path.isfile index.is_test.self.sr.vulnerability.self.target_directory.Core.scan comparator.compare file_line.startswith res_err.decode range fi.read g_file.close line.split scan_data.get.get quote_plus adict.items p.communicate self.rule_repair.strip multiprocessing.Pool multiprocessing.Process producer err.strip cve_file.append operator_re.match q.get analysis_arrayoffset_node vulnerability.get result.decode origin_results.strip self.find_python_pip nodes.append analysis class_name.replace file_line.find self.find_nodejs_npm html.escape cpe_list.append self.functions time_start.strftime search_data.append sh.setFormatter self.post_data.append self.config.read ast.match urllib.parse.quote f.readline ctypes.windll.kernel32.GetStdHandle removed.append path.decode MIMEApplication self.repo_address.split.replace r_data.get time.time Git params.split const.fpc_single.replace languages.items files.append filename.decode pro_info.lower message.as_string int os.path.splitext self.is_pickup_whitelist package.get scan_parser time.clock self.format self.is_special_file normalize self._check_rule_name t.join self.set_scan_result re.compile config_extension.split json.dumps req.name.strip.lower f.truncate data.get ops_stack.append self.dependency_scan cvi_file.startswith push_rules.append analysis_variable_node request_target platform.platform.lower render_template Core smtplib.SMTP_SSL urlparse self.pretty self.result.items base64.b64encode AuthFailedException server.login pull_err.replace scan_data.get module_.results.items content.hashlib.md5.hexdigest get_pages still_running.items traceback.format_exc resource.add_resource rule_info.append pa.target_directory single_time_warn_message tree.getroot sid.lower target_directory.rstrip set g_file.read zip_file.close t_end.timetuple datetime.datetime.now len result.strip.split parser_group_server.add_argument self.code.extend l_name.language_extensions.append 
self.get_real_directory Running allowed_file fi.write PushToThird r.text.find match.group words.startswith time.strptime version_str.split pool.apply_async copyfile self.__decompress_rar Config.value.split line.diff.setdefault.append re.escape rule.get.lower results.insert issue_url.group value.str.lower sorted self.find_java_mvn pull_out.lower callable self.simple_parse single_match.split item.generic self.get_cve_file start get_sid self.config.write os.listdir list os.path.isdir clone_err.decode log_out.decode push_to_api max git_urls.append os.path.join self.__decompress_tar_gz result.get traceback.print_exc analysis_file_inclusion sum self.__check_exist rule_version.strip self.colorize checkout_err.decode pipes.quote write random_generator added.append cobra.append os.path.abspath f.writelines self.types.get name.strip target_str.split time.strftime self.context.update sid.Running.list diff_out.split path.replace f_name.f_lang.frameworks_rules.append PickupException stream.write x.get special_rules.split hash_list.append year.target_directory.CveParse.rule_xml logging.StreamHandler file_path.replace vul_list.keys Decompress self.rule_info get_binaryop_deep_params ast.is_controllable_param target_directory.Directory.collect_files vars_set.add msg.as_string Config.set self.dependency_framework open sys.setdefaultencoding l.split path.split os.remove t_start.timetuple issues.append dep_version.strip language_name.language_data.setdefault datetime.datetime.today.strftime search_result.values is_list file_path.split smtp.login self.repo_address.split q_pages.empty origin_vulnerability.strip dict_to_xml q_pages.put res_out.decode child.getchildren logging.StreamHandler.format product.text.lower.split secure_filename fi.close code.add_section self.block_code datetime.timedelta versions.append self.get_path logger.warning self.rule_repair.strip.split server.sendmail app.route fi.tell self.language.self.regex.format CveParse language_info.lower self.checkout 
f_name.open.write buffer_.append logger.critical Comparator data.append self.special_rules.append type_num.setdefault block create_github_issue self.rule logger.debug f.json.load.get.get self.count_data_line ctypes.windll.kernel32.SetConsoleTextAttribute datetime.datetime.today x.code_content.strip os.path.exists results.append vulnerability_result.file_path.strip logger.error self.get_rule result.append vars_code.add_line split_branch p.join self.count_total_num target_info.update file_handler.read os.path.getctime buffered.append subprocess.PIPE.subprocess.PIPE.self.filename.self.svn.subprocess.Popen.communicate running.list filter changed.append parser.parse_args module_version.get i.start data_results.get file_extension.lower.self.type_nums.setdefault.append self.count_py_line case.get.lower thread.join fn.split x.get.lower params.append entry.findall sys.stdout.flush diff_out.decode response.headers.split r.rules PrettyTable Tool framework.get.lower scan_list.get.items get_config_hash config.Config base64.b64decode filename.secure_filename.split ParseArgs attachment.add_header file_line.lstrip scan_list.get.keys Report value expr.split VulnerabilityResult pusher.add_data header.api_url.requests.get.json re.match search_rule MIMEMultipart x.code_content.decode tmp_filename.result.append afile_name.split error.decode self.file_info LooseVersion.__init__ set_config_hash self.count_html_line s_sid.Running.data param_name.strip print requests.packages.urllib3.disable_warnings framework.get project_info.get parser.print_help cve_child.set get_safe_ex_string tar_file.extractall cve_files.append _.encode thread.start self.is_annotation time.mktime write_to_file rarfile.RarFile dict_to_pretty_table product.text.split code.add_line output.startswith self.config.set code.indent frame_name.frame_data.append main is_text Report.run root.findall self._result.update api.start os.makedirs shutil.rmtree json_data.update _.hashlib.md5.hexdigest NotExistException q.task_done 
ConfigParser r.json Directory self.origin_results message.lstrip find_vulnerabilities.append data.encode MIMEText vulnerabilities.append clone_err.replace x.split analysis_echo_print min app.register_blueprint self.file_path.File.lines os.chdir checkout_out.decode vulnerability_result.code_content.strip dict get_expr_name csv_writer.writeheader blocks.items set_scan_results subprocess.Popen message.decode cli.start message.attach scan_cve custom_ext.get self._render_function req.name.strip self.get_member config.read cve_child.append un_gz checkout_err.strip get_function_params parsed.append q.put os.path.basename Exception.__init__ render_context.update header.insert ver.strip.split x.code_content.decode.strip product.text.lower threads.append smtplib.SMTP f.split parser_group_scan.add_argument r.status repo.startswith File diff_err.decode cve_path.lower gz_file.replace time_end.encode self._variable config.write header.remove m.get a_sid.Running.list csv.DictWriter logging.getLogger create_projects_hash properties.update vulnerability_name.replace fh.setLevel content.split enumerate Blueprint clone_out.strip unhandled_exception_message file_line.strip r.init_list token.strip self.__check_filename_dir self.config.get os.mkdir parser.add_argument_group platform.platform self.find_file get_node_name trigger_rules.append error.strip version_str.replace parse_match requests.get line_arr.strip sys.exit a_sid.Running.status v_path.lower.split r.list pro_info.project_info.get.get self.capture export_list self.type_nums.items args.rules.split q_pages.get sys.stdout.write self.project_information res.file_path.replace cve_child.findall row_list.add_row request.args.get self.handleError self.target.Decompress.decompress Exception pull_err.decode is_sink_function rule.replace TempliteSyntaxError scan ver.strip self.target.split to_bool case.get time.localtime join filename.rsplit CodeBuilder isinstance filename.split.upper tree.write eT.ElementTree module_.str.startswith 
extension.self.result.append access_token.base64.b64decode.decode eT.Element unhandled_exception_unicode_message export_params.append ElementTree.parse pool.join data_lists.append f.read PushBase.__init__ Api time_start.encode self._framework.append fcntl.flock gzip.GzipFile self.file_path.lower parts.pop re.search self.rule_parse self.parse_xml p.start guess_type scan_list.get.get analysis_functioncall_node dict_to_csv _dict.update extension.strip x.get.encode ops_stack.pop t_start.strftime image_file.read v_path.lower float self.parser.parse_args f.write datetime.datetime.strptime fi.readline get_unicode filters.append pull_out.strip self.file_path.open.read zipfile.ZipFile tar_file.close hashlib.md5 message.re.search.group filename.split get_binaryop_params fd SingleRule args.target.split Flask get_silence_params self.dependencies self.flush data_content.get self.file.append language_data.setdefault is_controllable str os.path.getsize frame_data.keys pull_err.strip.replace target_directorys.append vul.get.strip type allfiles.append x.text.strip line.strip cloghandler.ConcurrentRotatingFileHandler version_match.group analysis_eval extension.lower running.status file_instance.save anlysis_function lang.get self.rule_vulnerabilities.append single_rule.target_directory.SingleRule.process table.add_row parameters_back threading.Thread scan_status.get logger.setLevel cve.scan_cve NotExistError Detection param.append language.get.lower sorted_dict vul.get.replace map hasattr self.__parse_diff_result start.strftime sys.version.split properties.get case_ret.rule_info.append is_repair self.count_java_line format extension.replace v.get token.strip.split analysis_binaryop_node stdout_encode self.is_match_only_rule Version gg.clone self.type_nums.setdefault self.rule_match.strip.split logging.Formatter parser.add_argument msg.decode self.parse_version value.encode _check_rule_name frame_data.setdefault get_cast_params parser.parse q_pages.task_done server.quit 
self.component_re.split result_list.append smtp.sendmail file_path.append logger.info re.findall self.is_white_list subprocess.PIPE.fn.subprocess.Popen.communicate eT.parse vulnerability.get.upper result.strip self.file_path.replace scan_list.get token.startswith functions.items self.is_test_file app.run file_extension.lower self.pull zip_file.extractall self.log_result repr
Could you please help me check this issue?
May I open a pull request to fix it?
Thank you very much.
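As an added example (editor's code, not part of the issue above and not Cobra's own code), the following Python script classifies each requirement line into the three categories the report uses (exact `==` pin, wildcard `==x.y.*`, no upper bound) plus "bounded", and checks whether a concrete version satisfies a constraint set such as the suggested `pip>=22.0.4,<=22.1.2`. The sample requirements are constructed from the pins quoted in the report plus a few extra specifier shapes; the version comparison is a simplified numeric one, not a full PEP 440 implementation. Note that from a supply-chain standpoint an exact pin is a deliberate reproducibility control (ideally combined with `--require-hashes`), so the "exact pin" label here is a conflict-risk flag, not a security finding.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the first three lines mirror pins quoted in the report,
# the rest are hypothetical lines added to exercise every specifier shape.
SAMPLE_REQUIREMENTS = """\
Flask==1.0.0
Flask-RESTful==0.3.6
requests==2.20.0
pip>=22.0.4,<=22.1.2
phply>=1.0.0
rarfile
prettytable==0.7.*
# a comment line that must be ignored
"""

# One comparison operator followed by a version; '<=' must precede '<' etc.
_SPEC_RE = re.compile(r"^(==|!=|<=|>=|<|>|~=)\s*([0-9A-Za-z.*+!-]+)$")
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")

Spec = Tuple[str, str]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted release string into a comparable tuple of ints.
    Simplified: drops pre-release/local labels; not full PEP 440."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("+")[0]))


def parse_requirement(line: str) -> Optional[Tuple[str, List[Spec]]]:
    """Return (name, [(op, version), ...]); None for blank or comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = _NAME_RE.match(line)
    if not m:
        raise ValueError(f"unparseable requirement {line!r}")
    name, rest = m.group(1), m.group(2).strip()
    specs: List[Spec] = []
    for part in filter(None, (p.strip() for p in rest.split(","))):
        sm = _SPEC_RE.match(part)
        if not sm:
            raise ValueError(f"unparseable specifier {part!r} in {line!r}")
        specs.append((sm.group(1), sm.group(2)))
    return name, specs


def classify(specs: List[Spec]) -> str:
    """Label a constraint set with the report's categories (plus 'bounded')."""
    if not specs:
        return "no upper bound"          # bare name: any version allowed
    if any(op == "==" and v.endswith(".*") for op, v in specs):
        return "wildcard"                # e.g. ==0.7.*
    if any(op == "==" for op, _ in specs):
        return "exact pin"               # strict ==, conflict-prone
    if any(op in ("<", "<=", "~=") for op, _ in specs):
        return "bounded"                 # ~= implies an upper bound
    return "no upper bound"              # only >= / > / != present


def satisfies(version: str, specs: List[Spec]) -> bool:
    """Check a concrete version against every specifier (simplified semantics)."""
    v = parse_version(version)
    for op, spec in specs:
        if spec.endswith(".*"):
            prefix = parse_version(spec[:-2])
            ok = v[:len(prefix)] == prefix
            ok = ok if op == "==" else not ok
        else:
            s = parse_version(spec)
            ok = {"==": v == s, "!=": v != s, "<": v < s, "<=": v <= s,
                  ">": v > s, ">=": v >= s,
                  "~=": v >= s and v[:len(s) - 1] == s[:-1]}[op]
        if not ok:
            return False
    return True


def audit(text: str) -> Dict[str, Tuple[str, List[Spec]]]:
    """Map each requirement name to (category, specs)."""
    report: Dict[str, Tuple[str, List[Spec]]] = {}
    for line in text.splitlines():
        parsed = parse_requirement(line)
        if parsed:
            name, specs = parsed
            report[name] = (classify(specs), specs)
    return report


if __name__ == "__main__":
    for name, (category, specs) in audit(SAMPLE_REQUIREMENTS).items():
        print(f"{name:15} {category:15} {specs}")
```

Run it against a real `requirements.txt` by replacing `SAMPLE_REQUIREMENTS` with the file contents; lines using extras, environment markers or URL requirements are outside this simplified grammar and will raise `ValueError` rather than being silently misclassified.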