Skip to content
/ loki Public

This program displays security advisories of open-sources packages your project uses no matter which GIT or CICD solution you use.

License

MIT license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

agu3rra/loki

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

25 Commits
docs
docs
 
 
go
go
 
 
python
python
 
 
.gitignore
.gitignore
 
 
licence
licence
 
 
readme.md
readme.md
 
 

Repository files navigation

Loki Open Source Scanner (work in progress...)

This program that displays security advisories for a given dependencies file leveraging GitHub's Security Advisory API.
For ad-hod advisory look-ups: https://github.com/advisories

About the name

Through his cunning, Loki helped the Aesir (Northern Gods) in difficult situations. In Norse mythology Loki is the son of giants and a trickster/shapeshifter. Likewise, open-source is ever-evolving. What is considered safe today will not remain so indefinetly. This is why automatically receiving advisories on new vulnerabilities that affect your software projets is key to ensure your customers don't fall victim to exploitation.

The goal of this project is to provide you with continuous feedback on the health status of your open-source libraries, no matter which GIT repository (GitHub, Gitlab, BitBucket, Azure Repos, etc) or integration pipelines you are using.

loki

Usage

> loki --dependencies "requirements.txt" --language "python"

#####################################################
# Welcome to the LOKI Open Source Scanner           #
#####################################################

Scan information:
Language ecosystem selected: Python
Dependencies file: requirements.txt
To supress and justify (optionally) findings, simply provide a gos3ignore.yml file.

-----------------------------------
Package 1: flask
Pinned version: None. Selecting latest: 0.12.2.
Total vulnerabilities: 2

Identified vulnerabilities
<< Vulnerability 1 >>
Severity: MODERATE
Summary: Moderate severity vulnerability that affects flask
Age: 201 days
--
Description:
The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3.
--
Vulnerable version range: < 0.12.3
GitHub Security Advisory ID: GHSA-562c-5r94-xh97
Published date: 2018-08-23T19:10:40Z
Last updated: 2019-07-03T21:02:03Z
Reference: https://github.com/advisories/GHSA-562c-5r94-xh97

<< Vulnerability 2 >>
Severity: LOW
Summary: Low severity vulnerability that affects flask
Age: 869 days
--
Description:
The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656.
--
Vulnerable version range: < 1.0.0
GitHub Security Advisory ID: GHSA-5wv5-4vpf-pj6m
Published date: 2019-07-19T16:12:46Z
Last updated: 2019-08-27T15:31:30Z
Reference: https://github.com/advisories/GHSA-5wv5-4vpf-pj6m
-----------------------------------

About

This program displays security advisories of open-sources packages your project uses no matter which GIT or CICD solution you use.

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages