diff --git a/.coveragerc b/.coveragerc deleted file mode 100644 index ea37326eb8..0000000000 --- a/.coveragerc +++ /dev/null @@ -1,13 +0,0 @@ -[run] -source = - cve_bin_tool - test -branch = True - -[report] -exclude_lines = - no cov - no qa - noqa - pragma: no cover - if __name__ == .__main__.: diff --git a/.github/workflows/cve_scan.yml b/.github/workflows/cve_scan.yml index e28a92117b..010ec27c12 100644 --- a/.github/workflows/cve_scan.yml +++ b/.github/workflows/cve_scan.yml @@ -26,7 +26,7 @@ jobs: with: python-version: '3.11' cache: 'pip' - cache-dependency-path: '**/requirements.txt' + cache-dependency-path: '**/pyproject.toml' - name: Get date id: get-date run: | diff --git a/.github/workflows/fuzzing.yml b/.github/workflows/fuzzing.yml index 72fe56e09b..a903c4f52f 100644 --- a/.github/workflows/fuzzing.yml +++ b/.github/workflows/fuzzing.yml @@ -27,14 +27,14 @@ jobs: run: | sudo apt-get update sudo apt-get install -y build-essential gcc g++ cmake - + - name: Install newer GCC run: | sudo apt-get update sudo apt-get install -y gcc-10 g++-10 sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-10 100 sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-10 100 - + - name: Set up compiler environment run: | export CC=gcc @@ -54,14 +54,13 @@ jobs: pip install --upgrade atheris pip install --upgrade atheris-libprotobuf-mutator -v pip install --upgrade protobuf - + - name: Install Cve-bin-tool run: | python -m pip install --upgrade pip python -m pip install --upgrade setuptools - python -m pip install --upgrade -r dev-requirements.txt - python -m pip install --upgrade . - + python -m pip install --upgrade .[dev] + - name: Get date id: get-date run: | @@ -88,7 +87,7 @@ jobs: [[ -e fuzz-cache ]] && mkdir -p .cache && mv fuzz-cache ~/.cache/cve-bin-tool NO_EXIT_CVE_NUM=1 python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out --disable-data-source CURL,EPSS,GAD,NVD,OSV,PURL2CPE,RSD cp -r ~/.cache/cve-bin-tool fuzz-cache - + - name: Run Fuzzing id: fuzzing env: diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 542a442aa3..e195e42e3f 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -31,7 +31,7 @@ jobs: with: python-version: ${{ matrix.python }} cache: 'pip' - cache-dependency-path: '**/requirements.txt' + cache-dependency-path: '**/pyproject.toml' - name: Install dependencies and cve-bin-tool run: | python -m pip install --upgrade pip diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml index 6193b23f92..f1c8549436 100644 --- a/.github/workflows/testing.yml +++ b/.github/workflows/testing.yml @@ -161,8 +161,7 @@ jobs: python -m pip install --upgrade wheel python -m pip install --upgrade pdftotext python -m pip install --upgrade reportlab - python -m pip install --upgrade -r dev-requirements.txt - python -m pip install --upgrade . + python -m pip install --upgrade .[dev] - name: Try single CLI run of tool if: env.sbom != 'true' run: | @@ -258,8 +257,7 @@ jobs: python -m pip install --upgrade wheel python -m pip install --upgrade pdftotext python -m pip install --upgrade reportlab - python -m pip install --upgrade -r dev-requirements.txt - python -m pip install --editable . + python -m pip install --editable .[dev] - name: Try single CLI run of tool if: env.sbom != 'true' run: | @@ -270,10 +268,10 @@ jobs: if: env.sbom != 'true' run: > pytest - --cov + --cov --cov-report=xml --cov-append -n 8 - --junitxml=junit.xml + --junitxml=junit.xml -o junit_family=legacy -v --durations=50 --ignore=test/test_cli.py @@ -360,15 +358,14 @@ jobs: with: path: cache key: Linux-cve-bin-tool-${{ steps.get-date.outputs.yesterday }} - + - name: Install cve-bin-tool if: env.sbom != 'true' run: | python -m pip install --upgrade pip python -m pip install --upgrade setuptools python -m pip install --upgrade wheel - python -m pip install --upgrade -r dev-requirements.txt - python -m pip install --editable . + python -m pip install --editable .[dev] - name: Try single CLI run of tool if: env.sbom != 'true' run: | @@ -378,13 +375,13 @@ jobs: - name: Run language scanner tests if: env.sbom != 'true' run: > - pytest + pytest --cov --cov-report=xml - --junitxml=junit.xml + --junitxml=junit.xml -o junit_family=legacy - --cov-append -n 8 - -v --durations=50 + --cov-append -n 8 + -v --durations=50 test/test_language_scanner.py - name: Upload code coverage to codecov if: env.sbom != 'true' @@ -463,15 +460,14 @@ jobs: with: path: cache key: Linux-cve-bin-tool-${{ steps.get-date.outputs.yesterday }} - + - name: Install cve-bin-tool if: env.sbom != 'true' run: | python -m pip install --upgrade pip python -m pip install --upgrade setuptools python -m pip install --upgrade wheel - python -m pip install --upgrade -r dev-requirements.txt - python -m pip install --editable . + python -m pip install --editable .[dev] - name: Try single CLI run of tool if: env.sbom != 'true' run: | @@ -481,12 +477,12 @@ jobs: - name: Run binary scanner tests if: env.sbom != 'true' run: > - pytest - --cov - --cov-report=xml - --junitxml=junit.xml + pytest + --cov + --cov-report=xml + --junitxml=junit.xml -o junit_family=legacy - --cov-append -n 8 + --cov-append -n 8 -v --durations=50 test/test_scanner.py - name: Upload code coverage to codecov @@ -573,8 +569,7 @@ jobs: python -m pip install --upgrade pip python -m pip install --upgrade setuptools python -m pip install --upgrade wheel - python -m pip install --upgrade -r dev-requirements.txt - python -m pip install --editable . + python -m pip install --editable .[dev] - name: Try single CLI run of tool if: env.sbom != 'true' run: | @@ -584,12 +579,12 @@ jobs: - name: Run synchronous tests if: env.sbom != 'true' run: > - pytest - -v --cov - --cov-report=xml - --junitxml=junit.xml + pytest + -v --cov + --cov-report=xml + --junitxml=junit.xml -o junit_family=legacy - --cov-append + --cov-append --durations=50 test/test_cli.py test/test_cvedb.py @@ -716,8 +711,7 @@ jobs: python -m pip install --upgrade pip python -m pip install --upgrade setuptools python -m pip install --upgrade wheel - python -m pip install --upgrade -r dev-requirements.txt - python -m pip install --editable . + python -m pip install --editable .[dev] - name: Install playwright dependencies for HTML tests run: | python -m playwright install chromium --with-deps @@ -807,19 +801,18 @@ jobs: python -m pip install --upgrade pip python -m pip install --upgrade setuptools python -m pip install --upgrade wheel - python -m pip install --upgrade -r dev-requirements.txt - python -m pip install --upgrade . + python -m pip install --upgrade .[dev] - name: Try single CLI run of tool run: | python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out - name: Run async tests run: > - pytest - --cov + pytest + --cov --cov-report=xml - --junitxml=junit.xml + --junitxml=junit.xml -o junit_family=legacy - --cov-append -n 8 + --cov-append -n 8 -v --durations=50 --ignore=test/test_cli.py --ignore=test/test_cvedb.py @@ -828,25 +821,25 @@ jobs: --ignore=test/test_json.py - name: Run synchronous tests run: > - pytest - -v --cov + pytest + -v --cov --cov-report=xml - --junitxml=junit.xml + --junitxml=junit.xml -o junit_family=legacy --cov-append - --cov-report=xml + --cov-report=xml --durations=50 test/test_cli.py test/test_cvedb.py - name: Cache conda uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 env: - # Increase to reset cache if requirements.txt file has not changed + # Increase to reset cache if dependencies have not changed CACHE_NUMBER: 0 with: path: ~/conda_pkgs_dir key: ${{ runner.os }}-conda-${{ env.CACHE_NUMBER }}-${{ - hashFiles('requirements.txt') }} + hashFiles('pyproject.toml') }} - uses: conda-incubator/setup-miniconda@835234971496cad1653abb28a638a281cf32541f # v3.2.0 with: auto-update-conda: true @@ -859,18 +852,17 @@ jobs: python -m pip install --upgrade setuptools python -m pip install --upgrade wheel python -m pip install --upgrade reportlab - python -m pip install --upgrade -r dev-requirements.txt - python -m pip install --upgrade . + python -m pip install --upgrade .[dev] - name: Test PDF generation on Windows - run: > - pytest - test/test_output_engine.py - -k test_output_pdf + run: > + pytest + test/test_output_engine.py + -k test_output_pdf --cov --cov-append --cov-report=xml - --junitxml=junit.xml - -o junit_family=legacy + --junitxml=junit.xml + -o junit_family=legacy --durations=50 - name: Upload code coverage to codecov uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 diff --git a/.github/workflows/update-dev-requirements.py b/.github/workflows/update-dev-requirements.py deleted file mode 100644 index 4246420e44..0000000000 --- a/.github/workflows/update-dev-requirements.py +++ /dev/null @@ -1,31 +0,0 @@ -import re -from importlib.metadata import version - -new_pins = {"pre-commit": version("pre-commit")} -pre_commit_path = ".pre-commit-config.yaml" -with open(pre_commit_path) as f: - tools = f.read().split("repo") -for tool in tools: - package_match = re.search("id: (.*)", tool) - if not package_match: - continue - version_match = re.search("rev: (.*)", tool) - if not version_match: - continue - new_pins[package_match.group(1).lstrip()] = version_match.group(1).lstrip() - -requirements_path = "dev-requirements.txt" -with open(requirements_path) as f: - tools = f.readlines() -for ind, tool in enumerate(tools): - package_match = re.search("(.*)==(.*)", tool) - if not package_match: - continue - package_name = package_match.group(1) - if package_name in new_pins: - if ";" in tool: - tools[ind] = re.sub("==(.*);", f"=={new_pins[package_name]};", tool) - else: - tools[ind] = re.sub("==(.*)", f"=={new_pins[package_name]}", tool) -with open(requirements_path, "w") as f: - f.writelines(tools) diff --git a/.github/workflows/update-js-dependencies.yml b/.github/workflows/update-js-dependencies.yml index ecabad0a08..9efe435273 100644 --- a/.github/workflows/update-js-dependencies.yml +++ b/.github/workflows/update-js-dependencies.yml @@ -39,7 +39,7 @@ jobs: uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: path: ~/.cache/pip - key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }} + key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }} restore-keys: | ${{ runner.os }}-pip- diff --git a/.github/workflows/update-pre-commit.yml b/.github/workflows/update-pre-commit.yml index b7b9c1d148..02cf78106d 100644 --- a/.github/workflows/update-pre-commit.yml +++ b/.github/workflows/update-pre-commit.yml @@ -43,10 +43,6 @@ jobs: pre-commit autoupdate pre-commit uninstall - - name: Sync `dev-requirements.txt` - run: | - python .github/workflows/update-dev-requirements.py - - name: Create Pull Request uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 with: diff --git a/.mypy.ini b/.mypy.ini deleted file mode 100644 index c7b2f21d53..0000000000 --- a/.mypy.ini +++ /dev/null @@ -1,22 +0,0 @@ -[mypy] - -[mypy-cvss.*] -ignore_missing_imports = True - -[mypy-defusedxml.*] -ignore_missing_imports = True - -[mypy-pdftotext.*] -ignore_missing_imports = True - -[mypy-plotly.*] -ignore_missing_imports = True - -[mypy-reportlab.*] -ignore_missing_imports = True - -[mypy-rpmfile.*] -ignore_missing_imports = True - -[mypy-zstandard.*] -ignore_missing_imports = True diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 4f89320b05..0db2fff24b 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -39,7 +39,8 @@ repos: hooks: - id: bandit exclude: ^fuzz/generated/ - args: ["-c", "bandit.conf"] + args: ["-c", "pyproject.toml"] + additional_dependencies: [ "bandit[toml]" ] - repo: https://github.com/jorisroovers/gitlint rev: v0.19.1 diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 8aa6995e72..40c81e08c9 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -125,18 +125,18 @@ While you're in a venv, the `python` command will point to whatever version you ## Installing dependencies -The packages you need to run CVE Binary Tool are listed in the `requirements.txt` file in the main cve-bin-tool directory. You can install all of them using the following pip command: +The packages you need to run CVE Binary Tool are listed in the `dependencies` section of the `pyproject.toml` file in the main cve-bin-tool directory. You can install all of them using the following pip command: ```bash -pip install -U -r requirements.txt +pip install -U -r . ``` -The `-U` in that line above will update you to the latest versions of packages as needed, which we recommend because people running security tools generally want to have all the latest updates if possible. The `-r requirements.txt` specifies the file with all the requirements. +The `-U` in that line above will update you to the latest versions of packages as needed, which we recommend because people running security tools generally want to have all the latest updates if possible. We also have a recommended list of dependencies just for developers that include things like the flake8 linter. You probably want to install them too if you're intending to be a developer. ```bash -pip install -r dev-requirements.txt +pip install -r .[dev] ``` ## Running your local copy of CVE Binary Tool @@ -183,7 +183,7 @@ pip install -e . The CVE Binary Tool has a set of tests that can be run using `pytest` command. Typically you want to run `pytest` in the cve-bin-tool directory to run the short test suite and make sure tests pass. -After running `pytest`, you may get several test failures relating to `ModuleNotFound` error. If you have run `pip install -r dev-requirements.txt` or equivalent and are sure you have the required modules installed, your issue may be related to Python's module search path. You can run this command instead : +After running `pytest`, you may get several test failures relating to `ModuleNotFound` error. If you have run `pip install -r .[dev]` or equivalent and are sure you have the required modules installed, your issue may be related to Python's module search path. You can run this command instead : ```bash python -m pytest @@ -211,10 +211,10 @@ CVE Binary Tool uses a few tools to improve code quality and readability: - `interrogate` checks your code base for missing docstrings. - `codespell` Detects common misspellings in text files. -We provide a `dev-requirements.txt` file which includes all the precise versions of tools as they'll be used in GitHub Actions. You an install them all using pip: +We have a list of optional dev dependencies in our `pyproject.toml` file which includes all the precise versions of tools as they'll be used in GitHub Actions. You can install them all using pip: ```bash -pip install -r dev-requirements.txt +pip install -r .[dev] ``` ### Using pre-commit to run linters automatically @@ -258,18 +258,18 @@ specify a whole folder using ```./``` ### Running bandit by itself -We have a configuration file for bandit called `bandit.conf` that you should use. This disables a few of the checkers. +We have configuration section for Bandit in our `pyproject.toml`. This disables a few of the checkers. To run it on all the code we scan, use the following: ```bash -bandit -c bandit.conf -r cve_bin_tool/ test/ +bandit -c pyproject.toml -r cve_bin_tool/ test/ ``` You can also run it on individual files: ```bash -bandit -c bandit.conf filename.py +bandit -c pyproject.toml filename.py ``` If you run it without the config file, it will run a few extra checkers, so you'll get additional warnings. diff --git a/MANIFEST.in b/MANIFEST.in index c4ab997750..5dcc9a6b77 100644 --- a/MANIFEST.in +++ b/MANIFEST.in @@ -1,4 +1,3 @@ -include requirements.txt include *.md include test/binaries/*.c include test/csv/*.csv diff --git a/bandit.conf b/bandit.conf deleted file mode 100644 index a0f0d7b075..0000000000 --- a/bandit.conf +++ /dev/null @@ -1,103 +0,0 @@ - -### Bandit config file generated from: -# '/home/terri/Code/venv3.8/bin/bandit-config-generator -o bandit.conf -s B603,B607' - -### This config may optionally select a subset of tests to run or skip by -### filling out the 'tests' and 'skips' lists given below. If no tests are -### specified for inclusion then it is assumed all tests are desired. The skips -### set will remove specific tests from the include set. This can be controlled -### using the -t/-s CLI options. Note that the same test ID should not appear -### in both 'tests' and 'skips', this would be nonsensical and is detected by -### Bandit at runtime. - -# Available tests: -# B101 : assert_used -# B102 : exec_used -# B103 : set_bad_file_permissions -# B104 : hardcoded_bind_all_interfaces -# B105 : hardcoded_password_string -# B106 : hardcoded_password_funcarg -# B107 : hardcoded_password_default -# B108 : hardcoded_tmp_directory -# B110 : try_except_pass -# B112 : try_except_continue -# B201 : flask_debug_true -# B301 : pickle -# B302 : marshal -# B303 : md5 -# B304 : ciphers -# B305 : cipher_modes -# B306 : mktemp_q -# B307 : eval -# B308 : mark_safe -# B309 : httpsconnection -# B310 : urllib_urlopen -# B311 : random -# B312 : telnetlib -# B313 : xml_bad_cElementTree -# B314 : xml_bad_ElementTree -# B315 : xml_bad_expatreader -# B316 : xml_bad_expatbuilder -# B317 : xml_bad_sax -# B318 : xml_bad_minidom -# B319 : xml_bad_pulldom -# B320 : xml_bad_etree -# B321 : ftplib -# B323 : unverified_context -# B324 : hashlib_new_insecure_functions -# B325 : tempnam -# B401 : import_telnetlib -# B402 : import_ftplib -# B403 : import_pickle -# B404 : import_subprocess -# B405 : import_xml_etree -# B406 : import_xml_sax -# B407 : import_xml_expat -# B408 : import_xml_minidom -# B409 : import_xml_pulldom -# B410 : import_lxml -# B411 : import_xmlrpclib -# B412 : import_httpoxy -# B413 : import_pycrypto -# B501 : request_with_no_cert_validation -# B502 : ssl_with_bad_version -# B503 : ssl_with_bad_defaults -# B504 : ssl_with_no_version -# B505 : weak_cryptographic_key -# B506 : yaml_load -# B507 : ssh_no_host_key_verification -# B601 : paramiko_calls -# B602 : subprocess_popen_with_shell_equals_true -# B603 : subprocess_without_shell_equals_true -# B604 : any_other_function_with_shell_equals_true -# B605 : start_process_with_a_shell -# B606 : start_process_with_no_shell -# B607 : start_process_with_partial_path -# B608 : hardcoded_sql_expressions -# B609 : linux_commands_wildcard_injection -# B610 : django_extra_used -# B611 : django_rawsql_used -# B701 : jinja2_autoescape_false -# B702 : use_of_mako_templates -# B703 : django_mark_safe - -# (optional) list included test IDs here, eg '[B101, B406]': -#tests: - -# (optional) list skipped test IDs here, eg '[B101, B406]': -skips: ['B603', 'B607', 'B404'] -# B603, B607 and B404 are all subprocess-related. -# B608 should be re-enabled when multi-line issues can be marked with nosec - -# Explanation: cve-bin-tool is at heart a shell script that calls other processes. -# Switching to pure python has significant performance impacts. - -# skips assert rule on tests -assert_used: - skips: ['*/test_*.py'] - -### (optional) plugin settings - some test plugins require configuration data -### that may be given here, per-plugin. All bandit test plugins have a built in -### set of sensible defaults and these will be used if no configuration is -### provided. It is not necessary to provide settings for every (or any) plugin -### if the defaults are acceptable. \ No newline at end of file diff --git a/dev-requirements.txt b/dev-requirements.txt deleted file mode 100644 index 64de1a9dcb..0000000000 --- a/dev-requirements.txt +++ /dev/null @@ -1,29 +0,0 @@ -bandit; python_version <= "3.8" -bandit==1.8.6; python_version > "3.8" -black==25.1.0; python_version > "3.8" -black; python_version <= "3.8" -build -isort; python_version < "3.8" -isort==6.0.1; python_version >= "3.8" -pre-commit; python_version <= "3.8" -pre-commit==4.3.0; python_version > "3.8" -codespell==v2.4.1 -flake8; python_version < "3.8" -flake8==7.3.0; python_version >= "3.8" -gitlint==v0.19.1 -interrogate -jsonschema -mypy==v1.17.1 -playwright -pytest>=7.2.0 -pytest-asyncio -pytest-cov -pytest-mock -pytest-playwright -pytest-xdist -types-beautifulsoup4 -types-jsonschema -types-PyYAML -types-requests -types-setuptools -types-toml diff --git a/doc/how_to_guides/cve_scanner_gh_action.md b/doc/how_to_guides/cve_scanner_gh_action.md index aa581759f0..835df8c6ec 100644 --- a/doc/how_to_guides/cve_scanner_gh_action.md +++ b/doc/how_to_guides/cve_scanner_gh_action.md @@ -38,7 +38,7 @@ jobs: uses: actions/cache@v3 with: path: ~/.cache/pip - key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }} + key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }} restore-keys: | ${{ runner.os }}-pip- - name: get cached database diff --git a/doc/how_to_guides/cve_scanner_gh_action.yml b/doc/how_to_guides/cve_scanner_gh_action.yml index 3f2618e29f..daa87fff85 100644 --- a/doc/how_to_guides/cve_scanner_gh_action.yml +++ b/doc/how_to_guides/cve_scanner_gh_action.yml @@ -25,7 +25,7 @@ jobs: uses: actions/cache@v3 with: path: ~/.cache/pip - key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }} + key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }} restore-keys: | ${{ runner.os }}-pip- - name: get cached database diff --git a/pyproject.toml b/pyproject.toml index 7cfb165952..3adec7d055 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,3 +1,170 @@ [build-system] requires = ["setuptools >= 64", "wheel"] -build-backend = "setuptools.build_meta" \ No newline at end of file +build-backend = "setuptools.build_meta" + +[project] +name = "cve-bin-tool" +dynamic = ["version"] +description = "CVE Binary Checker Tool" +readme = "README.md" +requires-python = ">=3.9" +license = "GPL-3.0-or-later" +authors = [{ name = "Terri Oda", email = "terri.oda@intel.com" }] +maintainers = [{ name = "Terri Oda", email = "terri.oda@intel.com" }] +keywords = ["security", "tools", "CVE"] +classifiers = [ + "Development Status :: 5 - Production/Stable", + "Intended Audience :: Developers", + "Natural Language :: English", + "Operating System :: OS Independent", + "Programming Language :: Python :: 3.9", + "Programming Language :: Python :: 3.10", + "Programming Language :: Python :: 3.11", + "Programming Language :: Python :: 3.12", + "Programming Language :: Python :: 3.13", + "Programming Language :: Python :: Implementation :: CPython", + "Programming Language :: Python :: Implementation :: PyPy", +] +dependencies = [ + "aiohttp[speedups]>=3.9.4", + "beautifulsoup4", + "cvss", + "defusedxml", + "distro", + "filetype>=1.2.0", + "gsutil", + "importlib_metadata>=3.6; python_version < '3.10'", + "importlib_resources; python_version < '3.9'", + "jinja2>=2.11.3", + "jsonschema>=3.0.2", + "lib4sbom>=0.8.7", + "lib4vex>=0.2.0", + "packageurl-python", + "packaging>=22.0", + "plotly", + "python-gnupg", + "pyyaml>=5.4", + "requests>=2.32.2", + "rich", + "rpmfile>=1.0.6", + "setuptools>=70.0.0", # pinned by Snyk to avoid a vulnerability + "toml; python_version < '3.11'", + "urllib3>=2.2.2", # dependency of requests added explicitly to avoid CVEs + "xmlschema", + "zipp>=3.19.1", # not directly required, pinned by Snyk to avoid a vulnerability + "zstandard", +] + +[project.optional-dependencies] +PDF = ["reportlab"] +dev = [ + "bandit[toml]; python_version <= '3.8'", + "bandit[toml]==1.8.6; python_version > '3.8'", + "black==25.1.0; python_version > '3.8'", + "black; python_version <= '3.8'", + "build", + "isort==6.0.1", + "pre-commit; python_version <= '3.8'", + "pre-commit==4.3.0; python_version > '3.8'", + "codespell==v2.4.1", + "flake8==7.3.0", + "gitlint==v0.19.1", + "interrogate", + "jsonschema", + "mypy==v1.17.1", + "playwright", + "pytest>=7.2.0", + "pytest-asyncio", + "pytest-cov", + "pytest-mock", + "pytest-playwright", + "pytest-xdist", + "types-beautifulsoup4", + "types-jsonschema", + "types-PyYAML", + "types-requests", + "types-setuptools", + "types-toml", +] + +[project.urls] +homepage = "https://github.com/intel/cve-bin-tool" +github = "https://github.com/intel/cve-bin-tool" +issues = "https://github.com/intel/cve-bin-tool/issues" +documentation = "https://cve-bin-tool.readthedocs.io/en/latest/" + +[project.scripts] +cve-bin-tool = "cve_bin_tool.cli:main" +csv2cve = "cve_bin_tool.csv2cve:main" +mismatch = "mismatch.cli:main" + +[tool.setuptools.packages.find] +exclude = ["locales", "presentation"] + +[tool.setuptools.dynamic] +version = { attr = "cve_bin_tool.version.VERSION" } + +[tool.setuptools.package-data] +"cve_bin_tool.output_engine" = [ + "html_reports/templates/*.html", + "html_reports/css/*.css", + "html_reports/js/*.js", + "print_mode/templates/*.html", +] +"cve_bin_tool" = ["schemas/*.xsd"] +"sbom" = ["*.spdx", "*.json"] +"mismatch" = ["*.py"] + +[tool.bandit] +skips = ["B603", "B607", "B404"] + +[tool.bandit.assert_used] +skips = ["*/test_*.py"] + +[tool.coverage.run] +source = ["cve_bin_tool", "test"] +branch = true + +[tool.coverage.report] +exclude_lines = [ + "no cov", + "no qa", + "noqa", + "pragma: no cover", + "if __name__ == .__main__.:", +] + +[tool.isort] +profile = "black" + +[[tool.mypy.overrides]] +module = "cvss.*" +ignore_missing_imports = true + +[[tool.mypy.overrides]] +module = "defusedxml.*" +ignore_missing_imports = true + +[[tool.mypy.overrides]] +module = "pdftotext.*" +ignore_missing_imports = true + +[[tool.mypy.overrides]] +module = "plotly.*" +ignore_missing_imports = true + +[[tool.mypy.overrides]] +module = "reportlab.*" +ignore_missing_imports = true + +[[tool.mypy.overrides]] +module = "rpmfile.*" +ignore_missing_imports = true + +[[tool.mypy.overrides]] +module = "zstandard.*" +ignore_missing_imports = true + +[tool.pytest.ini_options] +asyncio_mode = "strict" +asyncio_default_fixture_loop_scope = "function" diff --git a/requirements.txt b/requirements.txt deleted file mode 100644 index e411ca20d2..0000000000 --- a/requirements.txt +++ /dev/null @@ -1,27 +0,0 @@ -aiohttp[speedups]>=3.9.4 -beautifulsoup4 -cvss -defusedxml -distro -filetype>=1.2.0 -gsutil -importlib_metadata>=3.6; python_version < "3.10" -importlib_resources; python_version < "3.9" -jinja2>=2.11.3 -jsonschema>=3.0.2 -lib4sbom>=0.8.7 -lib4vex>=0.2.0 -packageurl-python -packaging>=22.0 -plotly -python-gnupg -pyyaml>=5.4 -requests>=2.32.2 -rich -rpmfile>=1.0.6 -setuptools>=70.0.0 # pinned by Snyk to avoid a vulnerability -toml; python_version < "3.11" -urllib3>=2.2.2 # dependency of requests added explictly to avoid CVEs -xmlschema -zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability -zstandard; python_version >= "3.4" diff --git a/setup.cfg b/setup.cfg index 895b6d25cc..5ac83e31cb 100644 --- a/setup.cfg +++ b/setup.cfg @@ -1,11 +1,4 @@ -[isort] -profile = black - [flake8] exclude = build, bandit.conf max-line-length = 88 extend-ignore = E203, E501 - -[tool:pytest] -asyncio_mode = strict -asyncio_default_fixture_loop_scope = function \ No newline at end of file diff --git a/setup.py b/setup.py deleted file mode 100644 index 97ed32e3b7..0000000000 --- a/setup.py +++ /dev/null @@ -1,83 +0,0 @@ -# Copyright (C) 2021 Intel Corporation -# SPDX-License-Identifier: GPL-3.0-or-later - -import ast -import os -import pathlib - -from setuptools import find_packages, setup - -PACKAGE_ROOT_PATH = pathlib.Path(__file__).parent.resolve() - -with open("README.md", encoding="utf-8") as f: - readme = f.read() - -with open("requirements.txt", encoding="utf-8") as f: - requirements = f.read().split("\n") - -with open(os.path.join("cve_bin_tool", "version.py")) as f: - for line in f: - if line.startswith("VERSION"): - VERSION = ast.literal_eval(line.strip().split("=")[-1].strip()) - break - - -setup_kwargs = dict( - name="cve-bin-tool", - version=VERSION, - description="CVE Binary Checker Tool", - long_description=readme, - long_description_content_type="text/markdown", - author="Terri Oda", - author_email="terri.oda@intel.com", - maintainer="Terri Oda", - maintainer_email="terri.oda@intel.com", - url="https://github.com/intel/cve-bin-tool", - license="GPL-3.0-or-later", - keywords=["security", "tools", "CVE"], - python_requires=">=3.9", - classifiers=[ - "Development Status :: 5 - Production/Stable", - "Intended Audience :: Developers", - "License :: OSI Approved :: GNU General Public License (GPL)", - "Natural Language :: English", - "Operating System :: OS Independent", - "Programming Language :: Python :: 3.9", - "Programming Language :: Python :: 3.10", - "Programming Language :: Python :: 3.11", - "Programming Language :: Python :: 3.12", - "Programming Language :: Python :: 3.13", - "Programming Language :: Python :: Implementation :: CPython", - "Programming Language :: Python :: Implementation :: PyPy", - ], - install_requires=requirements, - extras_require={ - "PDF": ["reportlab"], - }, - packages=find_packages( - exclude=["locales", "presentation"], - ), - package_data={ - "cve_bin_tool.output_engine": [ - "html_reports/templates/*.html", - "html_reports/css/*.css", - "html_reports/js/*.js", - "print_mode/templates/*.html", - ], - "cve_bin_tool": [ - "schemas/*.xsd", - ], - "sbom": ["*.spdx", "*.json"], - "mismatch": ["*.py"], - }, - entry_points={ - "console_scripts": [ - "cve-bin-tool = cve_bin_tool.cli:main", - "csv2cve = cve_bin_tool.csv2cve:main", - "mismatch = mismatch.cli:main", - ], - }, -) - -if __name__ == "__main__": - setup(**setup_kwargs) diff --git a/test/test_extractor.py b/test/test_extractor.py index 8b72cf791f..8342e0f9fc 100644 --- a/test/test_extractor.py +++ b/test/test_extractor.py @@ -163,12 +163,15 @@ async def test_extract_file_rpm(self, extension_list: list[str]): @pytest.mark.asyncio async def test_extract_file_rpm_no_rpm2cipo(self, extension_list: list[str]): """Test rpm extraction using rpmfile""" - with unittest.mock.patch( - "cve_bin_tool.async_utils.aio_inpath", - return_value=False, - ), unittest.mock.patch( - "cve_bin_tool.async_utils.aio_run_command", - ) as mock_aio_run_command: + with ( + unittest.mock.patch( + "cve_bin_tool.async_utils.aio_inpath", + return_value=False, + ), + unittest.mock.patch( + "cve_bin_tool.async_utils.aio_run_command", + ) as mock_aio_run_command, + ): await self.test_extract_file_rpm(extension_list) mock_aio_run_command.assert_not_called() diff --git a/test/test_output_engine.py b/test/test_output_engine.py index c29375f7ce..f73f0c96d6 100644 --- a/test/test_output_engine.py +++ b/test/test_output_engine.py @@ -964,10 +964,11 @@ def setUp(self) -> None: def test_generate_sbom(self): """Test SBOM generation""" - with patch( - "cve_bin_tool.sbom_manager.generate.SBOMPackage" - ) as mock_sbom_package, patch( - "cve_bin_tool.sbom_manager.generate.SBOMRelationship" + with ( + patch( + "cve_bin_tool.sbom_manager.generate.SBOMPackage" + ) as mock_sbom_package, + patch("cve_bin_tool.sbom_manager.generate.SBOMRelationship"), ): mock_package_instance = MagicMock() mock_sbom_package.return_value = mock_package_instance @@ -1030,10 +1031,11 @@ def test_generate_sbom(self): def test_generate_sbom_no_scan_mode(self): """Test SBOM generation in no-scan mode""" - with patch( - "cve_bin_tool.sbom_manager.generate.SBOMPackage" - ) as mock_sbom_package, patch( - "cve_bin_tool.sbom_manager.generate.SBOMRelationship" + with ( + patch( + "cve_bin_tool.sbom_manager.generate.SBOMPackage" + ) as mock_sbom_package, + patch("cve_bin_tool.sbom_manager.generate.SBOMRelationship"), ): mock_package_instance = MagicMock() mock_sbom_package.return_value = mock_package_instance diff --git a/test/test_package_list_parser.py b/test/test_package_list_parser.py index 066a93ff5e..49fec9ee5d 100644 --- a/test/test_package_list_parser.py +++ b/test/test_package_list_parser.py @@ -437,9 +437,10 @@ def test_parse_list_rpm_packages( mock_product_info.side_effect = [product_info1, product_info2] # Setup Path mocks using context manager to avoid mocking Path.is_file globally - with mock.patch("pathlib.Path.is_file", return_value=True), mock.patch( - "pathlib.Path.stat" - ) as mock_stat: + with ( + mock.patch("pathlib.Path.is_file", return_value=True), + mock.patch("pathlib.Path.stat") as mock_stat, + ): # Mock file stats mock_stat.return_value = mock.Mock(st_size=100) @@ -470,15 +471,14 @@ def _check_file_deb(self): ) # Set up all the necessary mocks using context managers - with mock.patch("distro.id", return_value="ubuntu"), mock.patch( - "pathlib.Path.is_file", return_value=True - ), mock.patch("pathlib.Path.stat") as mock_stat, mock.patch( - "subprocess.run" - ) as mock_run, mock.patch( - "re.findall", return_value=["invalid-pkg1", "invalid-pkg2"] - ), mock.patch( - "cve_bin_tool.package_list_parser.LOGGER" - ) as mock_logger: + with ( + mock.patch("distro.id", return_value="ubuntu"), + mock.patch("pathlib.Path.is_file", return_value=True), + mock.patch("pathlib.Path.stat") as mock_stat, + mock.patch("subprocess.run") as mock_run, + mock.patch("re.findall", return_value=["invalid-pkg1", "invalid-pkg2"]), + mock.patch("cve_bin_tool.package_list_parser.LOGGER") as mock_logger, + ): # Mock stat result to return non-zero size mock_stat.return_value = mock.Mock(st_size=100)