
Vet is not able to detect setup.py manifest given a directory as scan input #163

Open
jchauhan opened this issue Nov 30, 2023 · 1 comment
Labels: bug (Something isn't working)

@jchauhan
Contributor

Current Result

setup.py manifest is not detected

vet  scan -D ../**/tmp/***/ 

 .----------------.  .----------------.  .----------------.
| .--------------. || .--------------. || .--------------. |
| | ____   ____  | || |  _________   | || |  _________   | |
| ||_  _| |_  _| | || | |_   ___  |  | || | |  _   _  |  | |
| |  \ \   / /   | || |   | |_  \_|  | || | |_/ | | \_|  | |
| |   \ \ / /    | || |   |  _|  _   | || |     | |      | |
| |    \ ' /     | || |  _| |___/ |  | || |    _| |_     | |
| |     \_/      | || | |_________|  | || |   |_____|    | |
| |              | || |              | || |              | |
| '--------------' || '--------------' || '--------------' |
 '----------------'  '----------------'  '----------------'

Running in Community Mode
Scanning packages    ... done! [0 in 2ms]
Scanning manifests   ... done! [0 in 2ms]
  **   Summary of Findings 

  ** 0 critical, 0 high and 0 other vulnerabilities were identified

  ** 0 potentially unpopular library identified as direct dependency

  ** 0 libraries are out of date with major version drift in direct dependencies

  ** across 0 libraries in 1 manifest(s)

Consider upgrading the following libraries for maximum impact:

┌───────────┬─────────┬───────────┬────────┐
│ ECOSYSTEM │ PACKAGE │ UPDATE TO │ IMPACT │
├───────────┼─────────┼───────────┼────────┤
└───────────┴─────────┴───────────┴────────┘

Run with `vet --filter="..."` for custom filters to identify risky libraries
For more details https://github.com/safedep/vet

Expected Result

❯ ./vet  scan -D ../***/tmp/***/

 .----------------.  .----------------.  .----------------.
| .--------------. || .--------------. || .--------------. |
| | ____   ____  | || |  _________   | || |  _________   | |
| ||_  _| |_  _| | || | |_   ___  |  | || | |  _   _  |  | |
| |  \ \   / /   | || |   | |_  \_|  | || | |_/ | | \_|  | |
| |   \ \ / /    | || |   |  _|  _   | || |     | |      | |
| |    \ ' /     | || |  _| |___/ |  | || |    _| |_     | |
| |     \_/      | || | |_________|  | || |   |_____|    | |
| |              | || |              | || |              | |
| '--------------' || '--------------' || '--------------' |
 '----------------'  '----------------'  '----------------'

Running in Community Mode
Scanning packages    ... done! [67 in 3.202s]
Scanning manifests   ... done! [1 in 3.202s]
  **   Summary of Findings 

  ** 0 critical, 0 high and 2 other vulnerabilities were identified

  ** 1 potentially unpopular library identified as direct dependency

  ** 27 libraries are out of date with major version drift in direct dependencies

  ** across 71 libraries in 2 manifest(s)

Consider upgrading the following libraries for maximum impact:

┌───────────┬───────────────────┬───────────┬────────┐
│ ECOSYSTEM │ PACKAGE           │ UPDATE TO │ IMPACT │
├───────────┼───────────────────┼───────────┼────────┤
│ PyPI      │ dnsdb@0.2.5       │ 0.2.5     │ 2      │
│           │  low popularity   │           │        │
├───────────┼───────────────────┼───────────┼────────┤
│ PyPI      │ tqdm@0.0.0        │ 4.66.1    │ 2      │
│           │  drift            │           │        │
├───────────┼───────────────────┼───────────┼────────┤
│ PyPI      │ censys@0.0.0      │ 2.2.9     │ 2      │
│           │  drift            │           │        │
├───────────┼───────────────────┼───────────┼────────┤
│ PyPI      │ gvm-tools@21.6.0  │ 23.11.0   │ 2      │
│           │  drift            │           │        │
├───────────┼───────────────────┼───────────┼────────┤
│ PyPI      │ packaging@19.2    │ 23.2.0    │ 2      │
│           │  drift            │           │        │
└───────────┴───────────────────┴───────────┴────────┘

There are 25 more libraries that should be upgraded to reduce risk
Run vet with `--report-markdown=/path/to/report.md` for details

Run with `vet --filter="..."` for custom filters to identify risky libraries
For more details https://github.com/safedep/vet
@jchauhan jchauhan added the bug Something isn't working label Nov 30, 2023
jchauhan added a commit that referenced this issue Nov 30, 2023
@abhisek
Member

abhisek commented Nov 30, 2023

@jchauhan This is by design currently, i.e. the setup.py manifest parser is not selected automatically because it is a generic Python code file and can cause high false positives if selected automatically. setup.py is available as an explicit manifest type via --lockfile-as when the user is sure that they want vet to interpret setup.py as a manifest.
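As an added illustration of the point above (example code written for this page, not vet's own parser): a setup.py is executable code rather than a declarative manifest, so a scanner that wants to read it safely has to parse it statically and accept that a dependency list computed at runtime cannot be recovered without running the file. The sample setup.py contents below are constructed for the example; the package names echo the ones in the expected output.

```python
import ast
import re

# Constructed sample setup.py contents (not from the issue). The first declares
# its dependencies as a literal list; the second computes them when setup.py runs.
STATIC_SETUP = '''
from setuptools import setup
setup(name="example", install_requires=["tqdm>=4.0", "censys==2.2.9", "packaging"])
'''

DYNAMIC_SETUP = '''
from setuptools import setup
with open("requirements.txt") as fh:
    reqs = [line.strip() for line in fh if line.strip()]
setup(name="example", install_requires=reqs)
'''


def extract_install_requires(source):
    """Return install_requires as a list of requirement strings when they can
    be read statically, or None when setup.py computes them at runtime (or has
    no setup() call at all). The source is parsed with ast and never executed,
    so an untrusted setup.py cannot run code during the scan."""
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "setup"):
            continue
        for kw in node.keywords:
            if kw.arg != "install_requires":
                continue
            try:
                value = ast.literal_eval(kw.value)
            except ValueError:
                return None  # not a literal: only executing setup.py would tell
            if isinstance(value, (list, tuple)) and all(isinstance(v, str) for v in value):
                return list(value)
            return None
        return []  # setup() call without an install_requires argument
    return None


def package_names(requirements):
    """Strip version specifiers, extras and markers: 'tqdm>=4.0' -> 'tqdm'."""
    return [re.split(r"[<>=!~;\[\s]", r.strip(), maxsplit=1)[0] for r in requirements]
```

Because the static file yields names without pinned versions, a scanner can only report them with an unknown version, which is why a setup.py-derived manifest shows entries like tqdm@0.0.0 in the expected output above.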
