doc: updated README
Signed-off-by: Paul Horton <phorton@sonatype.com>
madpah committed Dec 13, 2021
1 parent d02fef3 commit 99c83ee
Showing 1 changed file with 72 additions and 0 deletions.
72 changes: 72 additions & 0 deletions README.md
Expand Up @@ -195,6 +195,78 @@ Put your Python dependencies in a chokehold.
╚══════════════════════╩════╝
```

...and this is what `jake` will output if any bad things are found:
```
___ ___ ___
___ / /\ / /\ / /\
/__/\ / /::\ / /:/ / /::\
\__\:\ / /:/\:\ / /:/ / /:/\:\
___ / /::\ / /::\ \:\ / /::\____ / /::\ \:\
/__/\ /:/\/ /__/:/\:\_\:\ /__/:/\:::::\ /__/:/\:\ \:\
\ \:\/:/~~ \__\/ \:\/:/ \__\/~|:|~~~~ \ \:\ \:\_\/
\ \::/ \__\::/ | |:| \ \:\ \:\
\__\/ / /:/ | |:| \ \:\_\/
/__/:/ |__|:| \ \:\
\__\/ \__\| \__\/
/) /)
_/_(/ _ _ __ _ (/_ _
o o (__/ )__(/_ /_)_/ (_(_(_/(___(/_ o o
Jake Version: 1.1.5
Put your Python dependencies in a chokehold
🐍 Collected 69 packages from your environment ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% -:--:--
🐍 Successfully queried OSS Index for package and vulnerability info ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% -:--:--
🐍 Sane number of results from OSS Index ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% -:--:--
[59/69] - pkg:pypi/cryptography@2.2 [VULNERABLE]
Vulnerability Details for pkg:pypi/cryptography@2.2
├── ⚠ ID: 333aca51-7375-4a9d-be64-16d316ab9274
│ └── ╭─ CVE-2020-36242 ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ │ │
│ │ In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class. │
│ │ │
│ │ Details: │
│ │ - CVSS Score: 9.1 - Critical │
│ │ - CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H │
│ │ - CWE: Unknown │
│ │ │
│ │ References: │
│ │ - https://ossindex.sonatype.org/vulnerability/333aca51-7375-4a9d-be64-16d316ab9274?component-type=pypi&component-name=cryptography&utm_source=python-oss-index-lib%400.2.1&utm_medium=integration │
│ │ - https://nvd.nist.gov/vuln/detail/CVE-2020-36242 │
│ │ │
│ ╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
└── ⚠ ID: f19ff95c-cec5-4263-8d3b-e3e64698881e
└── ╭─ CVE-2018-10903 ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 │
│ byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage. │
│ │
│ Details: │
│ - CVSS Score: 7.5 - High │
│ - CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N │
│ - CWE: Unknown │
│ │
│ References: │
│ - https://ossindex.sonatype.org/vulnerability/f19ff95c-cec5-4263-8d3b-e3e64698881e?component-type=pypi&component-name=cryptography&utm_source=python-oss-index-lib%400.2.1&utm_medium=integration │
│ - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10903 │
│ - https://github.com/pyca/cryptography/pull/4342/commits/688e0f673bfbf43fa898994326c6877f00ab19ef │
│ - https://nvd.nist.gov/vuln/detail/CVE-2018-10903 │
│ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
Summary
┏━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Audited Dependencies ┃ Vulnerabilities Found ┃
┡━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━┩
│ 69 │ 2 │
└──────────────────────┴───────────────────────┘
```

### Check for vulnerabilities using Sonatype Nexus Lifecycle

Access Sonatype's proprietary vulnerability data using `jake`:
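Review bot: the lead-in "...and this is what `jake` will output if any bad things are found:" leaves the reader guessing what counts as "bad" and, more importantly for anyone wiring this into CI, whether `jake` exits non-zero in that case; the sample run ends at the Summary table (`Audited Dependencies 69 / Vulnerabilities Found 2`) without saying anything about exit status, so consider rewording to "if any vulnerable packages are found" and adding one sentence on the exit code so users know whether they can gate a pipeline on it. Two smaller points in the same block: the pasted panel borders (the `╭─ CVE-2020-36242 ───` and `╰───` lines) are several hundred characters wide and will force horizontal scrolling in the rendered README, so trimming them to the width of the text inside keeps the example readable; and the sample embeds release-specific strings (`Jake Version: 1.1.5`, `utm_source=python-oss-index-lib%400.2.1` in the reference URLs) that will drift from what users actually see, which is fine for an illustration but worth a short note that the output is from a particular version.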