Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

dependency-check

Package Overview
Dependencies
Maintainers
1
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

dependency-check

Shim to easily install OWASP dependency-check-cli into Python projects

  • 0.6.0
  • PyPI
  • Socket score

Maintainers
1

:Code: https://github.com/jhermann/dependency-check-py#readme :Docs: https://github.com/jeremylong/dependencycheck#readme :CI: https://travis-ci.org/jhermann/dependency-check-py :Issues: https://github.com/jhermann/dependency-check-py/issues

Overview

dependency-check scans application dependencies and checks whether they contain any published vulnerabilities (based on the NIST NVD_). It runs in the JVM, so you need some form of java available in your PATH. The script should work on Linux, Mac OSX and Windows, but right now is only tested on Linux.

Usage

After installation, you'll have the dependency-check command available that, on first use, will automatically download and install the OWASP release archive once for all projects. It'll then redirect any calls to that installation, meaning the downloaded NVD data is shared amongst projects.

.. code-block::

dependency-check --disableAssembly -s . -o build --project "$(python ./setup.py --name)" \
    --exclude ".git/**" --exclude ".venv/**" --exclude "**/__pycache__/**" --exclude ".tox/**" \
    && xdg-open build/dependency-check-report.html

Please see the DependencyCheck site_ for more configuration and usage details.

To install from PyPI, add dependency-check to your dev-requirements.txt or a similar file. For more installation options, see the “Installation” section below.

|Installation Demo|

Customization

Using environment variables, you can change the version and download location of the release archive, and the directory for the local installation.

=============================== ============================================================================================== Variable Default =============================== ============================================================================================== DEPENDENCY_CHECK_VERSION 6.2.2 DEPENDENCY_CHECK_URL https://github.com/jeremylong/DependencyCheck/releases/download/v{version}/dependency-check-{version}-release.zip DEPENDENCY_CHECK_HOME ~/.local/dependency-check DEPENDENCY_CHECK_NVD_URL Use NIST NVD URLs =============================== ==============================================================================================

To update to a new version of the OWASP software, delete ~/.local/dependency-check/bin/, set DEPENDENCY_CHECK_VERSION to the new version number, and call dependency-check.

The variable DEPENDENCY_CHECK_NVD_URL can be used to point to a local copy of the various NVD feeds, in a flat hierarchy with compressed JSON files.

.. code-block:: shell

export DEPENDENCY_CHECK_NVD_URL='https://repo.local/nvd/nvdcve-1.1-%d.json.gz'

If you set this, the options --cveUrlBase and --cveUrlModified will be added to each call. Note that the %d representing the year is replaced by modified for the latter.

Remove the ~/.local/dependency-check/data/ directory to force a full data reload.

Installation

To just get the dependency-check CLI tool installed into your home, independent of any project, call python3 -m pip install --user dependency-check as usual, see releases_ for an overview of available versions.

If you prefer an isolated and easily removable venv installation, consider using dephell jail install dependency-check_ instead.

To get a bleeding-edge version from source, use these commands::

repo="jhermann/dependency-check-py"
python3 -m pip install -r "https://raw.githubusercontent.com/$repo/master/requirements.txt"
python3 -m pip install "https://github.com/$repo/archive/master.zip#egg=dependency-check"

As a developer, to create a working directory for this project, call these commands::

git clone "https://github.com/jhermann/dependency-check-py.git"
cd "dependency-check-py"
command . .env --yes --develop
invoke build --docs test check

You might also need to follow some setup procedures <https://py-generic-project.readthedocs.io/en/latest/installing.html#quick-setup>_ to make the necessary basic commands available on Linux, Mac OS X, and Windows.

Other Python Security Tools

  • openstack/bandit_ – Security linter designed to find common security issues in Python code, by static AST analysis.

  • pyupio/safety_ – Safety checks your installed dependencies for known security vulnerabilities.

    • pyupio/safety-db_ – A curated database of security vulnerabilities in Python packages.
  • eliasgranderubio/dagda_ – Static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in Docker images, and runtime monitoring of containers for anomalous activities.

  • anchore/anchore-engine_ – A service for inspection, analysis and certification of container images, provided as a ready-to-deploy Docker container image.

  • vintasoftware/python-linters-and-code-analysis_ – Curated list of Python linters and code analysis tools.

.. _openstack/bandit: https://github.com/openstack/bandit .. _pyupio/safety: https://github.com/pyupio/safety .. _pyupio/safety-db: https://github.com/pyupio/safety-db .. _eliasgranderubio/dagda: https://github.com/eliasgranderubio/dagda .. _anchore/anchore-engine: https://github.com/anchore/anchore-engine .. _vintasoftware/python-linters-and-code-analysis: https://github.com/vintasoftware/python-linters-and-code-analysis

.. _NVD: https://nvd.nist.gov/ .. _OWASP dependency-check-cli: https://github.com/jeremylong/dependencycheck#readme .. _DependencyCheck site: https://www.owasp.org/index.php/OWASP_Dependency_Check .. _pip script installer: https://github.com/mitsuhiko/pipsi#pipsi .. _releases: https://github.com/jhermann/dependency-check-py/releases .. _dephell jail install dependency-check: https://dephell.readthedocs.io/cmd-jail-install.html

.. |Installation Demo| image:: https://raw.githubusercontent.com/jhermann/dependency-check-py/master/dependency_check.gif

.. |Travis CI| image:: https://api.travis-ci.org/jhermann/dependency-check-py.svg :target: https://travis-ci.org/jhermann/dependency-check-py .. |Coveralls| image:: https://img.shields.io/coveralls/jhermann/dependency-check-py.svg :target: https://coveralls.io/r/jhermann/dependency-check-py .. |GitHub Issues| image:: https://img.shields.io/github/issues/jhermann/dependency-check-py.svg :target: https://github.com/jhermann/dependency-check-py/issues .. |License| image:: https://img.shields.io/pypi/l/dependency-check.svg :target: https://github.com/jhermann/dependency-check-py/blob/master/LICENSE .. |Development Status| image:: https://img.shields.io/pypi/status/dependency-check.svg :target: https://pypi.python.org/pypi/dependency-check/ .. |Latest Version| image:: https://img.shields.io/pypi/v/dependency-check.svg :target: https://pypi.python.org/pypi/dependency-check/ .. |Download format| image:: https://img.shields.io/pypi/format/dependency-check.svg :target: https://pypi.python.org/pypi/dependency-check/ .. |Downloads| image:: https://img.shields.io/pypi/dw/dependency-check.svg :target: https://pypi.python.org/pypi/dependency-check/

Keywords

FAQs


Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc