From 4eeb42af660d81e8adbb91c5a6aafb2164fa7e10 Mon Sep 17 00:00:00 2001
From: George Adams
Date: Fri, 3 May 2024 15:47:36 +0100
Subject: [PATCH] pin pip dependencies to specific version and enable dependabot (#9)

---
 .github/dependabot.yml               | 5 +++++
 .gitignore                           | 4 ++++
 cvereporter/fetch_vulnerabilities.py | 6 ------
 cvereporter/nist_enhance.py          | 4 ----
 cvereporter/report.py                | 5 +----
 ojvg_convert.py                      | 2 +-
 requirements.txt                     | 8 +++-----
 7 files changed, 14 insertions(+), 20 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 0e7398d..0cb03cc 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,3 +8,8 @@ updates:
   schedule:
     interval: daily
   open-pull-requests-limit: 10
+- package-ecosystem: pip
+  directory: "/"
+  schedule:
+    interval: daily
+  open-pull-requests-limit: 10
diff --git a/.gitignore b/.gitignore
index 2cceedb..2a7ddc0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,5 @@
 **/__pycache__/*
+lib/
+bin/
+share/
+pyvenv.cfg
\ No newline at end of file
diff --git a/cvereporter/fetch_vulnerabilities.py b/cvereporter/fetch_vulnerabilities.py
index 7ee637f..f832469 100644
--- a/cvereporter/fetch_vulnerabilities.py
+++ b/cvereporter/fetch_vulnerabilities.py
@@ -1,19 +1,13 @@
 #!/usr/bin/env python3
-import argparse
 import json
 import requests
 from bs4 import BeautifulSoup
 from datetime import datetime
-from cyclonedx.model.impact_analysis import ImpactAnalysisAffectedStatus
 from cyclonedx.model.vulnerability import (
     Vulnerability,
     VulnerabilitySource,
-    VulnerabilityScoreSource,
-    VulnerabilityRating,
-    VulnerabilitySeverity,
     BomTarget,
-    BomTargetVersionRange,
 )
 """
diff --git a/cvereporter/nist_enhance.py b/cvereporter/nist_enhance.py
index c283276..7a8a9fc 100644
--- a/cvereporter/nist_enhance.py
+++ b/cvereporter/nist_enhance.py
@@ -1,12 +1,8 @@
-from cyclonedx.model.impact_analysis import ImpactAnalysisAffectedStatus
 from cyclonedx.model.vulnerability import (
     Vulnerability,
     VulnerabilitySource,
     VulnerabilityScoreSource,
     VulnerabilityRating,
-    VulnerabilitySeverity,
-    BomTarget,
-    BomTargetVersionRange,
 )
 import requests
 import json
diff --git a/cvereporter/report.py b/cvereporter/report.py
index 3dec802..c561d1a 100644
--- a/cvereporter/report.py
+++ b/cvereporter/report.py
@@ -1,6 +1,5 @@
-from cyclonedx.exception import MissingOptionalDependencyException
 from cyclonedx.factory.license import LicenseFactory
-from cyclonedx.model import OrganizationalEntity, XsUri, ExternalReferenceType
+from cyclonedx.model import XsUri, ExternalReferenceType
 from cyclonedx.model.bom import Bom
 from cyclonedx.model.component import Component, ComponentType, ExternalReference
 from cyclonedx.model.impact_analysis import ImpactAnalysisAffectedStatus
@@ -14,8 +13,6 @@
     BomTargetVersionRange,
 )
 from cyclonedx.output.json import JsonV1Dot4
-from cyclonedx.schema import SchemaVersion, OutputFormat
-from cyclonedx.validation.json import JsonStrictValidator
 from datetime import datetime
 """
diff --git a/ojvg_convert.py b/ojvg_convert.py
index 2dc1bcd..83f4e80 100644
--- a/ojvg_convert.py
+++ b/ojvg_convert.py
@@ -1,5 +1,5 @@
 import json
-from cve_pipeline import fetch_vulnerabilities, report, nist_enhance
+from cvereporter import fetch_vulnerabilities, report, nist_enhance
 """
 This file will take a downloaded version of all the CVEs from OJVG which are retrieved by ojvg_download.py and enhance with NIST data, resulting in the creation of the VDR.
diff --git a/requirements.txt b/requirements.txt
index ff89ace..3ea8ef1 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,5 +1,3 @@
-beautifulsoup4
-requests
-cyclonedx-python-lib
-pytest
-black
\ No newline at end of file
+beautifulsoup4==4.12.3
+cyclonedx-python-lib===7.3.1
+requests==2.31.0
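Review bot: The second report.py hunk drops `from cyclonedx.validation.json import JsonStrictValidator` (together with `SchemaVersion`/`OutputFormat`), but the diff touches only the import block, so nothing here shows whether the validator was ever applied to the generated VDR; any reference left further down the file would surface as a `NameError` only when that path runs, and if the validation call was removed earlier, the output is no longer checked against the CycloneDX schema before it is written. Running `ruff check --select F401,F821` (or `pyflakes`) over the three modules — fetch_vulnerabilities.py and nist_enhance.py receive the same kind of import pruning — would confirm these are dead imports rather than dangling uses. The remainder of report.py lies outside the hunk.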
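Review bot: `cyclonedx-python-lib===7.3.1` uses the PEP 440 arbitrary-equality operator `===`, which is a plain string comparison intended only for non-standard version strings, while the two neighbouring lines use `==`; it should read `cyclonedx-python-lib==7.3.1`. Exact version pins on their own do not bind an install to a specific artifact — whatever the index serves under that version at install time is what gets installed — so for a tool that produces security reports it is worth generating hash pins (`pip-compile --generate-hashes`, or explicit `--hash=sha256:<placeholder>` lines) and installing with `pip install --require-hashes -r requirements.txt`; Dependabot's pip support can refresh the hashes along with the version. `pytest` and `black` are removed with no replacement in this patch, so if CI or contributor docs still invoke them they need a separate dev requirements file, which I cannot see from here.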