add support for pip-audit

Author: righettod

docs/8-CODEREVIEW_UTILS.md

@@ -15,6 +15,7 @@
 | Node               | [npm audit](https://docs.npmjs.com/cli/v9/commands/npm-audit) when NPM is used as package manager      | ✅                         |
 | Node               | [yarn audit](https://classic.yarnpkg.com/lang/en/docs/cli/audit/) when YARN is used as package manager | ✅                         |
 | .NET               | [dotnet package list](https://learn.microsoft.com/en-us/dotnet/core/tools/dotnet-package-list) command | ✅                         |
+| Python             | [pip-audit](https://pypi.org/project/pip-audit/)                                                       | ✅                         |
 | Cross technologies | [OWASP Dependency Check](https://owasp.org/www-project-dependency-check/)                              | ❌                         |
 | Cross technologies | [osv-scanner](https://github.com/google/osv-scanner)                                                   | ❌                         |
 | JavaScript         | [retire.js](https://github.com/retirejs/retire.js/)                                                    | ❌                         |

scripts/generate-report-vulnerable-components.py

@@ -25,6 +25,7 @@
 - retire.js
 - npm audit
 - yarn audit
+- pip-audit
 
 [i] Identifiers mapping:
 
@@ -34,6 +35,7 @@
 - retire.js              => retirejs
 - npm audit              => npm-audit
 - yarn audit             => yarn-audit
+- pip-audit              => pip-audit 
 
 [i] Command lines to generate the data file used by this script:
 
@@ -56,12 +58,15 @@
 
 yarn audit
 => yarn audit --json > report.json
+
+pip-audit
+=> pip-audit --requirement requirements.txt --format json --output report.json
 """
 
 ENTRY_MAX_LENGTH_FOR_DISPLAY = 30
 DEFAULT_ENCODING = "utf-8"
 VULN_IDS_FILE = "global-cve-ghsa.txt"
-SCA_TOOLS_IDENTIFIERS = ["owasp-dependency-check", "dotnet-package-list", "osv-scanner", "retirejs", "npm-audit", "yarn-audit"]
+SCA_TOOLS_IDENTIFIERS = ["owasp-dependency-check", "dotnet-package-list", "osv-scanner", "retirejs", "npm-audit", "yarn-audit", "pip-audit"]
 USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36"
 REQ_SESSION = requests.session()
 # Needed for ENISA API otherwise an HTTP 403 is received
@@ -77,6 +82,8 @@
 # https://deps.dev/_/s/maven/p/com.thoughtworks.xstream%3Axstream/v/1.4.10
 # https://deps.dev/_/s/nuget/p/system.text.json/v/9.0.6
 DEPSDEV_URL_TPL = "https://deps.dev/_/s/%s/p/%s/v/%s"
+# KEY is the package manager official name and VALUE if the corresponding name used by deps.dev
+DEPSDEV_PACKAGE_MANAGER_MAPPING = {"pip": "pypi"}
 
 
 @functools.total_ordering
@@ -188,6 +195,9 @@ def find_fix_exists_for_osv_scanner_vuln(vulnerability):
 
 
 def find_if_false_positive(package_name, package_version, package_manager, cves_id_list):
+    depdev_package_manager_name = package_manager
+    if package_manager in DEPSDEV_PACKAGE_MANAGER_MAPPING:
+        depdev_package_manager_name = DEPSDEV_PACKAGE_MANAGER_MAPPING[package_manager]
     # When the version contain a range (it is the case for NPM) then I consider that
     # I cannot perform the validation against DEPS.DEV
     if len(re.findall(r'[\<\>|\*]+', package_version)) > 0 or " - " in package_version:
@@ -200,7 +210,7 @@ def find_if_false_positive(package_name, package_version, package_manager, cves_
     try:
         package_name_adapted = package_name.replace("/", ":")  # on deps.dev the group name and the artefact name are separated by ":"
         package_name_adapted = encode_package_name(package_name_adapted)
-        package_depsdev_url = DEPSDEV_URL_TPL % (package_manager, package_name_adapted, package_version)
+        package_depsdev_url = DEPSDEV_URL_TPL % (depdev_package_manager_name, package_name_adapted, package_version)
         response = REQ_SESSION.get(package_depsdev_url, timeout=REQ_TIMEOUT)
         if response.status_code == 200:
             cves_id_found = []
@@ -521,6 +531,46 @@ def load_data_from_retirejs(json_data):
     return vulnerable_components
 
 
+def load_data_from_pip_audit(json_data):
+    vulnerable_components = []
+    package_manager_name = "pip"
+    for dep in json_data["dependencies"]:
+        vulns = dep["vulns"]
+        component_name = dep["name"]
+        component_version = dep["version"]
+        for vuln in vulns:
+            ghsa = vuln["id"]
+            cves = vuln["aliases"]
+            fixed_versions = vuln["fix_versions"]
+            if len(fixed_versions) > 0:
+                extra = "Fixed in versions " + ",".join(fixed_versions)
+            else:
+                extra = ""
+            # As the CVSS score is not provided then retrieve
+            # the severity and the score using the CVE ID (take first CVE as the reference)
+            cve_id = cves[0]
+            data = find_cve_severity([cve_id])
+            if data[cve_id] is not None:
+                cvss_score = data[cve_id][0]
+                severity = data[cve_id][1]
+            else:
+                cvss_score = 0
+                severity = "NA"
+            vulnerable_component = VulnerableComponentProperties()
+            vulnerable_component.package_name = component_name
+            vulnerable_component.version = component_version
+            vulnerable_component.file_name = "-"
+            vulnerable_component.ghsa_ids = ghsa
+            vulnerable_component.cve_ids = CVE_GHSA_CWE_SEPARATOR_CHAR.join(cves)
+            vulnerable_component.cwe_ids = ""
+            vulnerable_component.cvss_score = cvss_score
+            vulnerable_component.severity = severity
+            vulnerable_component.extra_information = extra
+            vulnerable_component.package_manager = package_manager_name
+            vulnerable_components.append(vulnerable_component)
+    return vulnerable_components
+
+
 def enrich_with_false_positive_marker(vulnerable_components):
     for vulnerable_component in vulnerable_components:
         cves_id_list = vulnerable_component.cve_ids.split(CVE_GHSA_CWE_SEPARATOR_CHAR)
@@ -557,6 +607,8 @@ def load_information(input_data_file, sca_tool_id):
         vulnerable_components = load_data_from_npm_audit(components_data)
     elif sca_tool_id == "yarn-audit":
         vulnerable_components = load_data_from_yarn_audit(components_data)
+    elif sca_tool_id == "pip-audit":
+        vulnerable_components = load_data_from_pip_audit(components_data)
     else:
         raise Exception("SCA tools not supported!")
     return vulnerable_components