Project dependencies may have API risk issues
PyDeps opened this issue
Hi, in nerve, inappropriate dependency versioning constraints can cause risks.
Below are the dependencies and version constraints that the project is using
alabaster==0.7.12
aniso8601==8.0.0
Babel==2.8.0
bcrypt==3.1.7
beautifulsoup4==4.9.1
bs4==0.0.1
certifi==2020.6.20
cffi==1.14.0
chardet==3.0.4
click==7.1.2
cryptography==3.0
decorator==4.4.2
dnspython==2.0.0
docutils==0.16
Flask==1.1.2
Flask-HTTPAuth==4.1.0
Flask-RESTful==0.3.8
html5lib==1.1
idna==2.10
imagesize==1.2.0
itsdangerous==1.1.0
Jinja2==2.11.2
MarkupSafe==1.1.1
mysql-connector==2.2.9
packaging==20.4
paramiko==2.7.1
Pillow==7.2.0
psutil==5.7.2
psycopg2-binary==2.8.5
pycparser==2.20
Pygments==2.6.1
pymongo==3.11.0
PyNaCl==1.4.0
pyparsing==2.4.7
PyPDF2==1.26.0
python-nmap==0.6.1
pytz==2020.1
redis==3.5.3
reportlab==3.5.46
requests==2.24.0
simplejson==3.17.2
six==1.15.0
snowballstemmer==2.0.0
soupsieve==2.0.1
Sphinx==3.1.2
sphinx-rtd-theme==0.5.0
sphinxcontrib-applehelp==1.0.2
sphinxcontrib-devhelp==1.0.2
sphinxcontrib-htmlhelp==1.0.3
sphinxcontrib-jsmath==1.0.1
sphinxcontrib-qthelp==1.0.3
sphinxcontrib-serializinghtml==1.1.4
urllib3==1.25.9
validators==0.18.1
webencodings==0.5.1
Werkzeug==1.0.1
The version constraint == will introduce the risk of dependency conflicts because the scope of the dependencies is too strict.
The version constraints "No Upper Bound" and * will introduce the risk of a missing API error because the latest version of a dependency may remove some APIs.
After further analysis, in this project:
The version constraint of dependency beautifulsoup4 can be changed to >=4.10.0,<=4.11.1.
The version constraint of dependency Jinja2 can be changed to >=2.7,<=3.1.2.
The version constraint of dependency paramiko can be changed to >=1.13.0,<=2.11.0.
The version constraint of dependency psutil can be changed to >=3.0.0,<=5.9.1.
The version constraint of dependency pymongo can be changed to >=2.4,<=4.1.1.
The version constraint of dependency python-nmap can be changed to >=0.3.4,<=0.7.1.
The version constraint of dependency redis can be changed to >=2.0.0,<=4.3.3.
The version constraint of dependency requests can be changed to >=2.4.0,<=2.15.1.
The version constraint of dependency urllib3 can be changed to >=1.9,<=1.26.9.
The version constraint of dependency validators can be changed to >=0.9,<=0.20.0.
The version constraint of dependency Werkzeug can be changed to >=0.6.1,<=2.1.2.
The above modification suggestions can reduce the dependency conflicts as much as possible,
and introduce the latest versions as much as possible without causing errors in the project.
The invocations of the current project include all the following methods.
The calling methods from beautifulsoup4
bs4.BeautifulSoup
The calling methods from Jinja2
jinja2.Environment.get_template
The calling methods from paramiko
paramiko.SSHClient.close paramiko.AutoAddPolicy paramiko.SSHClient paramiko.SSHClient.set_missing_host_key_policy paramiko.SSHClient.connect
The calling methods from psutil
psutil.net_if_addrs
The calling methods from pymongo
pymongo.MongoClient
The calling methods from python-nmap
nmap.PortScanner
The calling methods from redis
redis.ConnectionPool redis.Redis
The calling methods from requests
requests.head requests.auth.HTTPBasicAuth urllib3.disable_warnings requests.post requests.put requests.get requests.options requests.delete
The calling methods from urllib3
urllib3.disable_warnings
The calling methods from validators
validators.domain
The calling methods from Werkzeug
werkzeug.security.generate_password_hash werkzeug.security.check_password_hash
The calling methods from all methods
@developer
Could you please help me check this issue?
May I open a pull request to fix it?
Thank you very much.