diff --git a/.github/workflows/version-check.yml b/.github/workflows/version-check.yml index 7c18905..1eefa27 100644 --- a/.github/workflows/version-check.yml +++ b/.github/workflows/version-check.yml @@ -35,16 +35,43 @@ jobs: MAIN_VERSION=$(git show origin/main:socketsecurity/__init__.py | grep -o "__version__.*" | awk '{print $3}' | tr -d "'") echo "MAIN_VERSION=$MAIN_VERSION" >> $GITHUB_ENV - # Compare versions using Python - python3 -c " + export PR_VERSION + export MAIN_VERSION + + # Compare against both main and latest published PyPI release. + python3 <<'PY' + import json + import os + import urllib.request from packaging import version - pr_ver = version.parse('${PR_VERSION}') - main_ver = version.parse('${MAIN_VERSION}') - if pr_ver <= main_ver: - print(f'❌ Version must be incremented! Main: {main_ver}, PR: {pr_ver}') - exit(1) - print(f'✅ Version properly incremented from {main_ver} to {pr_ver}') - " + + pr_ver = version.parse(os.environ["PR_VERSION"]) + main_ver = version.parse(os.environ["MAIN_VERSION"]) + + with urllib.request.urlopen("https://pypi.org/pypi/socketsecurity/json") as response: + pypi_data = json.load(response) + + published_versions = [] + for raw in pypi_data.get("releases", {}).keys(): + parsed = version.parse(raw) + if not parsed.is_prerelease and not parsed.is_devrelease: + published_versions.append(parsed) + + pypi_ver = max(published_versions) if published_versions else version.parse("0.0.0") + required_floor = max(main_ver, pypi_ver) + + if pr_ver <= required_floor: + print( + f"❌ Version must be greater than main and PyPI! " + f"Main: {main_ver}, PyPI: {pypi_ver}, PR: {pr_ver}" + ) + raise SystemExit(1) + + print( + f"✅ Version properly incremented. " + f"Main: {main_ver}, PyPI: {pypi_ver}, PR: {pr_ver}" + ) + PY - name: Require uv.lock update when pyproject changes run: | diff --git a/.hooks/sync_version.py b/.hooks/sync_version.py index 4abf179..57b29d3 100644 --- a/.hooks/sync_version.py +++ b/.hooks/sync_version.py @@ -12,7 +12,9 @@ VERSION_PATTERN = re.compile(r"__version__\s*=\s*['\"]([^'\"]+)['\"]") PYPROJECT_PATTERN = re.compile(r'^version\s*=\s*".*"$', re.MULTILINE) -PYPI_API = "https://test.pypi.org/pypi/socketsecurity/json" +STABLE_VERSION_PATTERN = re.compile(r"^\d+\.\d+\.\d+$") +PYPI_PROD_API = "https://pypi.org/pypi/socketsecurity/json" +PYPI_TEST_API = "https://test.pypi.org/pypi/socketsecurity/json" def read_version_from_init(path: pathlib.Path) -> str: content = path.read_text() @@ -39,17 +41,39 @@ def bump_patch_version(version: str) -> str: parts[-1] = str(int(parts[-1]) + 1) return ".".join(parts) -def fetch_existing_versions() -> set: +def parse_stable_version(version: str): + if not STABLE_VERSION_PATTERN.fullmatch(version): + return None + return tuple(int(part) for part in version.split(".")) + + +def format_stable_version(version_parts) -> str: + return ".".join(str(part) for part in version_parts) + + +def fetch_existing_versions(api_url: str) -> set: try: - with urllib.request.urlopen(PYPI_API) as response: + with urllib.request.urlopen(api_url) as response: data = json.load(response) return set(data.get("releases", {}).keys()) except Exception as e: - print(f"⚠️ Warning: Failed to fetch existing versions from Test PyPI: {e}") + print(f"⚠️ Warning: Failed to fetch versions from {api_url}: {e}") return set() + +def fetch_latest_stable_pypi_version(): + versions = fetch_existing_versions(PYPI_PROD_API) + stable_versions = [] + for ver in versions: + parsed = parse_stable_version(ver) + if parsed is not None: + stable_versions.append(parsed) + if not stable_versions: + return None + return max(stable_versions) + def find_next_available_dev_version(base_version: str) -> str: - existing_versions = fetch_existing_versions() + existing_versions = fetch_existing_versions(PYPI_TEST_API) for i in range(1, 100): candidate = f"{base_version}.dev{i}" if candidate not in existing_versions: @@ -57,6 +81,19 @@ def find_next_available_dev_version(base_version: str) -> str: print("❌ Could not find available .devN slot after 100 attempts.") sys.exit(1) + +def find_next_stable_patch_version(current_version: str) -> str: + current_stable = current_version.split(".dev")[0] if ".dev" in current_version else current_version + current_parts = parse_stable_version(current_stable) + if current_parts is None: + print(f"❌ Unsupported version format for stable bump: {current_version}") + sys.exit(1) + + latest_pypi_parts = fetch_latest_stable_pypi_version() + base_parts = max([current_parts, latest_pypi_parts] if latest_pypi_parts else [current_parts]) + next_parts = (base_parts[0], base_parts[1], base_parts[2] + 1) + return format_stable_version(next_parts) + def inject_version(version: str): print(f"🔁 Updating version to: {version}") @@ -105,13 +142,25 @@ def main(): print(f"⚠️ Version was unchanged — auto-bumped. Please git add{lock_hint} + commit again.") sys.exit(0) else: - new_version = bump_patch_version(current_version) + new_version = find_next_stable_patch_version(current_version) inject_version(new_version) uv_lock_changed = run_uv_lock() lock_hint = " and uv.lock" if uv_lock_changed else "" - print(f"⚠️ Version was unchanged — auto-bumped. Please git add{lock_hint} + commit again.") + print(f"⚠️ Version was unchanged — auto-bumped to {new_version}. Please git add{lock_hint} + commit again.") sys.exit(1) else: + if not dev_mode: + current_parts = parse_stable_version(current_version) + latest_pypi_parts = fetch_latest_stable_pypi_version() + if current_parts is not None and latest_pypi_parts is not None and current_parts <= latest_pypi_parts: + next_parts = (latest_pypi_parts[0], latest_pypi_parts[1], latest_pypi_parts[2] + 1) + new_version = format_stable_version(next_parts) + inject_version(new_version) + uv_lock_changed = run_uv_lock() + lock_hint = " and uv.lock" if uv_lock_changed else "" + print(f"⚠️ Version {current_version} is already published on PyPI — auto-bumped to {new_version}. Please git add{lock_hint} + commit again.") + sys.exit(1) + uv_lock_changed = run_uv_lock() if uv_lock_changed: print("⚠️ Version already bumped, but uv.lock was out of date and has been updated. Please git add uv.lock + commit again.") diff --git a/README.md b/README.md index 7929189..66f042c 100644 --- a/README.md +++ b/README.md @@ -84,6 +84,7 @@ socketcli \ | Use case | Recommended mode | Key flags | |:--|:--|:--| | Basic policy enforcement in CI | Diff-based policy check | `--strict-blocking` | +| Legal/compliance artifact generation | Legal preset | `--legal` | | Reachable-focused SARIF for reporting | Full-scope grouped SARIF | `--reach --sarif-scope full --sarif-grouping alert --sarif-reachability reachable --sarif-file ` | | Detailed reachability export for investigations | Full-scope instance SARIF | `--reach --sarif-scope full --sarif-grouping instance --sarif-reachability all --sarif-file ` | | Net-new PR findings only | Diff-scope SARIF | `--reach --sarif-scope diff --sarif-reachability reachable --sarif-file ` | @@ -134,6 +135,35 @@ Run: socketcli --config .socketcli.toml --target-path . ``` +Legal/compliance preset example: + +```bash +socketcli --legal --target-path . +``` + +This preset enables license generation and writes default artifacts unless you override them: +- `socket-report.json` +- `socket-summary.txt` +- `socket-report-link.txt` +- `socket-sbom.json` +- `socket-license.json` + +FOSSA-compatibility shaped legal artifacts: + +```bash +socketcli --legal-format fossa --target-path . +``` + +This switches the JSON report and legal artifact payloads to FOSSA-style compatibility shapes: +- the analyze artifact becomes a `project` / `vulnerability` / `licensing` / `quality` report +- the SBOM artifact becomes a FOSSA-attribution-style payload with `copyrightsByLicense`, `deepDependencies`, `directDependencies`, `licenses`, and `project` keys + +When `--legal-format fossa` is used without explicit output paths, the defaults are closer to the FOSSA pipeline contract: +- `fossa-analyze.json` +- `fossa-test.txt` +- `fossa-link.txt` +- `fossa-sbom.json` + Reference sample configs: TOML: diff --git a/pyproject.toml b/pyproject.toml index 81b9d87..137b98d 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -6,7 +6,7 @@ build-backend = "hatchling.build" [project] name = "socketsecurity" -version = "2.2.90" +version = "2.2.91" requires-python = ">= 3.11" license = {"file" = "LICENSE"} dependencies = [ @@ -16,7 +16,7 @@ dependencies = [ 'GitPython', 'packaging', 'python-dotenv', - "socketdev>=3.1.0,<4.0.0", + "socketdev>=3.0.33,<4.0.0", "bs4>=0.0.2", "markdown>=3.10", ] @@ -57,7 +57,7 @@ socketcli = "socketsecurity.socketcli:cli" socketclidev = "socketsecurity.socketcli:cli" [project.urls] -Homepage = "https://github.com/SocketDev/socket-python-cli" +Homepage = "https://socket.dev" [tool.coverage.run] source = ["socketsecurity"] diff --git a/socketsecurity/__init__.py b/socketsecurity/__init__.py index 90049de..7fdf737 100644 --- a/socketsecurity/__init__.py +++ b/socketsecurity/__init__.py @@ -1,3 +1,3 @@ __author__ = 'socket.dev' -__version__ = '2.2.90' +__version__ = '2.2.91' USER_AGENT = f'SocketPythonCLI/{__version__}' diff --git a/socketsecurity/config.py b/socketsecurity/config.py index 1e2717c..c048af2 100644 --- a/socketsecurity/config.py +++ b/socketsecurity/config.py @@ -79,6 +79,7 @@ class CliConfig: enable_debug: bool = False allow_unverified: bool = False enable_json: bool = False + json_file: Optional[str] = None enable_sarif: bool = False sarif_file: Optional[str] = None sarif_scope: str = "diff" @@ -86,6 +87,8 @@ class CliConfig: sarif_reachability: str = "all" enable_gitlab_security: bool = False gitlab_security_file: Optional[str] = None + summary_file: Optional[str] = None + report_link_file: Optional[str] = None disable_overview: bool = False disable_security_issue: bool = False files: str = None @@ -137,6 +140,8 @@ class CliConfig: reach_continue_on_no_source_files: bool = False max_purl_batch_size: int = 5000 enable_commit_status: bool = False + legal: bool = False + legal_format: str = "socket" config_file: Optional[str] = None @classmethod @@ -194,6 +199,7 @@ def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig': 'enable_diff': args.enable_diff, 'allow_unverified': args.allow_unverified, 'enable_json': args.enable_json, + 'json_file': args.json_file, 'enable_sarif': args.enable_sarif, 'sarif_file': args.sarif_file, 'sarif_scope': args.sarif_scope, @@ -201,6 +207,8 @@ def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig': 'sarif_reachability': args.sarif_reachability, 'enable_gitlab_security': args.enable_gitlab_security, 'gitlab_security_file': args.gitlab_security_file, + 'summary_file': args.summary_file, + 'report_link_file': args.report_link_file, 'disable_overview': args.disable_overview, 'disable_security_issue': args.disable_security_issue, 'files': args.files, @@ -246,9 +254,40 @@ def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig': 'reach_continue_on_no_source_files': args.reach_continue_on_no_source_files, 'max_purl_batch_size': args.max_purl_batch_size, 'enable_commit_status': args.enable_commit_status, + 'legal': args.legal or args.legal_format == "fossa", + 'legal_format': args.legal_format, 'config_file': args.config_file, 'version': __version__ } + + if config_args['legal']: + config_args['generate_license'] = True + if not config_args['json_file']: + config_args['json_file'] = "socket-report.json" + if not config_args['summary_file']: + config_args['summary_file'] = "socket-summary.txt" + if not config_args['report_link_file']: + config_args['report_link_file'] = "socket-report-link.txt" + if not config_args['sbom_file']: + config_args['sbom_file'] = "socket-sbom.json" + if config_args['license_file_name'] == "license_output.json": + config_args['license_file_name'] = "socket-license.json" + + if config_args['legal_format'] == "fossa": + if not args.json_file: + config_args['json_file'] = "fossa-analyze.json" + if not args.summary_file: + config_args['summary_file'] = "fossa-test.txt" + if not args.report_link_file: + config_args['report_link_file'] = "fossa-link.txt" + if not args.license_file_name: + # argparse always provides a default, so this branch is defensive only + config_args['license_file_name'] = "fossa-sbom.json" + elif args.license_file_name == "license_output.json": + config_args['license_file_name'] = "fossa-sbom.json" + if not args.sbom_file: + # FOSSA's "SBOM" artifact is the attribution payload; suppress the extra Socket-only SBOM file by default. + config_args['sbom_file'] = None excluded_ecosystems = config_args["excluded_ecosystems"] if isinstance(excluded_ecosystems, list): config_args["excluded_ecosystems"] = excluded_ecosystems @@ -570,6 +609,12 @@ def create_argument_parser() -> argparse.ArgumentParser: action="store_true", help="Output in JSON format" ) + output_group.add_argument( + "--json-file", + dest="json_file", + metavar="", + help="Output file path for JSON report" + ) output_group.add_argument( "--enable-sarif", dest="enable_sarif", @@ -617,6 +662,18 @@ def create_argument_parser() -> argparse.ArgumentParser: default="gl-dependency-scanning-report.json", help="Output file path for GitLab Security report (default: gl-dependency-scanning-report.json)" ) + output_group.add_argument( + "--summary-file", + dest="summary_file", + metavar="", + help="Output file path for a plain-text summary report" + ) + output_group.add_argument( + "--report-link-file", + dest="report_link_file", + metavar="", + help="Output file path for the Socket report link" + ) output_group.add_argument( "--disable-overview", dest="disable_overview", @@ -750,6 +807,19 @@ def create_argument_parser() -> argparse.ArgumentParser: action="store_true", help="Disable SSL certificate verification for API requests" ) + advanced_group.add_argument( + "--legal", + dest="legal", + action="store_true", + help="Enable legal/compliance-friendly defaults and file outputs" + ) + advanced_group.add_argument( + "--legal-format", + dest="legal_format", + choices=["socket", "fossa"], + default="socket", + help="Select the legal artifact format. 'socket' keeps Socket-native outputs; 'fossa' emits compatibility-shaped JSON artifacts." + ) config_group.add_argument( "--include-module-folders", dest="include_module_folders", diff --git a/socketsecurity/fossa_compat.py b/socketsecurity/fossa_compat.py new file mode 100644 index 0000000..0be11a9 --- /dev/null +++ b/socketsecurity/fossa_compat.py @@ -0,0 +1,459 @@ +"""FOSSA-compat output shaping for `--legal-format fossa`. + +Builds two artifacts whose top-level shapes mirror real FOSSA pipeline outputs: + + fossa-analyze.json — wrapper of {project, vulnerability, licensing, quality}, + where `project` is the raw `fossa analyze --json` shape and + the three arrays are FOSSA /api/v2/issues-shaped items. + fossa-sbom.json — `fossa report --json attribution` shape: 5 top-level keys + (copyrightsByLicense, deepDependencies, directDependencies, + licenses, project). + +Fields without a Socket data source are emitted as documented defaults: + + vulnerability[]: + epss -> {score: None, percentile: None} + cvssVector -> None + exploitability -> None + cveStatus -> None + published -> None + containerLayers -> {base: 0, other: 0} + customRiskScore -> None + remediation.partialFixDistance, completeFixDistance -> None (semver-distance TBD) + remediation.partialFix, completeFix -> same Socket fix version + (Socket has no partial/complete distinction) + projects[].scannedAt, analyzedAt, firstFoundAt -> None + + dependencies[] (SBOM): + description, downloadUrl, projectUrl -> "" + hash, isGolang -> None (always null in real FOSSA samples) + notes, otherLicenses -> [] + + Top-level SBOM: + copyrightsByLicense -> {} (would require parsing attribText for `Copyright (c)` lines) + licenses -> {} (would require bundling SPDX license body texts) +""" +from __future__ import annotations + +from typing import Any, Iterable, Optional + +from socketsecurity.config import CliConfig +from socketsecurity.core.classes import Diff, Issue, Package + +LICENSE_ALERT_TYPES = {"licenseSpdxDisj"} +QUALITY_ALERT_PREFIXES = ("risk", "quality", "outdated", "unmaintained") + + +def _ecosystem_to_package_manager(ecosystem: Optional[str]) -> str: + mapping = { + "pypi": "pip", + "npm": "npm", + "maven": "maven", + "nuget": "nuget", + "gem": "gem", + "golang": "go", + "cargo": "cargo", + } + if not ecosystem: + return "unknown" + return mapping.get(ecosystem, ecosystem) + + +def _listify(value: Any) -> list[Any]: + if value is None: + return [] + if isinstance(value, list): + return value + return [value] + + +def _first_non_empty(*values: Any) -> Any: + for value in values: + if value not in (None, "", [], {}): + return value + return None + + +def _build_project_metadata(diff_report: Diff, config: CliConfig) -> dict[str, Any]: + repo = getattr(config, "repo", None) or "socket-default-repo" + branch = getattr(config, "branch", None) or "socket-default-branch" + revision = getattr(diff_report, "id", None) or getattr(diff_report, "new_scan_id", None) or "unknown-revision" + report_url = getattr(diff_report, "report_url", None) or getattr(diff_report, "diff_url", None) + return { + "branch": branch, + "id": f"{repo}${revision}", + "project": repo, + "projectId": repo, + "revision": revision, + "url": report_url, + } + + +def _build_source_metadata(issue: Issue, package: Optional[Package]) -> dict[str, Any]: + package_type = _ecosystem_to_package_manager( + getattr(package, "type", None) or getattr(issue, "pkg_type", None) + ) + package_name = getattr(package, "name", None) or getattr(issue, "pkg_name", None) + package_version = getattr(package, "version", None) or getattr(issue, "pkg_version", None) + package_url = getattr(package, "url", None) or getattr(issue, "url", None) + return { + "id": f"{package_type}+{package_name}${package_version}", + "name": package_name, + "url": package_url, + "version": package_version, + "packageManager": package_type, + } + + +def _build_depths(package: Optional[Package]) -> dict[str, int]: + is_direct = bool(getattr(package, "direct", False)) + return { + "direct": 1 if is_direct else 0, + "deep": 0 if is_direct else 1, + } + + +def _build_statuses(issue: Issue) -> dict[str, int]: + is_ignored = bool(getattr(issue, "ignore", False)) + return { + "active": 0 if is_ignored else 1, + "ignored": 1 if is_ignored else 0, + } + + +def _build_projects_entry(project: dict[str, Any], package: Optional[Package]) -> list[dict[str, Any]]: + is_direct = bool(getattr(package, "direct", False)) + return [{ + "id": project["projectId"], + "status": "active", + "depth": 1 if is_direct else 2, + "title": project["project"], + "scannedAt": None, + "analyzedAt": None, + "url": project["url"], + "firstFoundAt": None, + "defaultBranch": project["branch"], + "latest": True, + "revisionId": f"{project['projectId']}${project['revision']}", + "revisionScanId": project["revision"], + }] + + +def _extract_cve(props: dict[str, Any]) -> Optional[str]: + cve = _first_non_empty(props.get("cveId"), props.get("cve")) + if isinstance(cve, list): + return cve[0] if cve else None + return cve + + +def _extract_float(*values: Any) -> Optional[float]: + value = _first_non_empty(*values) + if value is None: + return None + try: + return float(value) + except (TypeError, ValueError): + return None + + +def _extract_string_list(*values: Any) -> list[str]: + items = _listify(_first_non_empty(*values)) + output = [] + for item in items: + if isinstance(item, str) and item: + output.append(item) + return output + + +def _build_remediation(props: dict[str, Any]) -> dict[str, Any]: + fix = _first_non_empty( + props.get("firstPatchedVersionIdentifier"), + props.get("partialFix"), + props.get("completeFix"), + props.get("fixedVersion"), + props.get("fixed_version"), + props.get("patchedVersion"), + props.get("patched_version"), + ) + return { + "partialFix": fix, + "partialFixDistance": props.get("partialFixDistance"), + "completeFix": fix, + "completeFixDistance": props.get("completeFixDistance"), + } + + +def _build_epss(props: dict[str, Any]) -> dict[str, Any]: + score = _extract_float(props.get("epssScore"), props.get("epss_score")) + percentile = _extract_float(props.get("epssPercentile"), props.get("epss_percentile")) + return { + "score": score, + "percentile": percentile, + } + + +def _build_metrics(props: dict[str, Any]) -> list[dict[str, Any]]: + metrics = props.get("metrics") + if isinstance(metrics, list): + return metrics + + metric_map = [ + ("Attack Vector", props.get("attackVector")), + ("Attack Complexity", props.get("attackComplexity")), + ("Privileges Required", props.get("privilegesRequired")), + ("User Interaction", props.get("userInteraction")), + ("Scope", props.get("scope")), + ("Confidentiality Impact", props.get("confidentialityImpact")), + ("Integrity Impact", props.get("integrityImpact")), + ("Availability Impact", props.get("availabilityImpact")), + ] + return [ + {"name": name, "value": value} + for name, value in metric_map + if value not in (None, "") + ] + + +def _extract_references(issue: Issue, props: dict[str, Any]) -> list[str]: + references = _listify(props.get("references")) + if props.get("url"): + references.append(props["url"]) + if getattr(issue, "url", None): + references.append(issue.url) + deduped = [] + seen = set() + for reference in references: + if not isinstance(reference, str) or not reference: + continue + if reference in seen: + continue + seen.add(reference) + deduped.append(reference) + return deduped + + +def _build_vulnerability_entry( + issue: Issue, package: Optional[Package], project: dict[str, Any], index: int +) -> dict[str, Any]: + props = getattr(issue, "props", {}) or {} + return { + "id": props.get("id") or f"socket-vulnerability-{index}", + "type": "vulnerability", + "createdAt": props.get("createdAt"), + "source": _build_source_metadata(issue, package), + "depths": _build_depths(package), + "containerLayers": {"base": 0, "other": 0}, + "statuses": _build_statuses(issue), + "projects": _build_projects_entry(project, package), + "url": getattr(issue, "url", None) or project["url"], + "vulnId": _first_non_empty(props.get("ghsaId"), props.get("cveId"), issue.key, f"socket-vuln-{index}"), + "title": getattr(issue, "title", None), + "cve": _extract_cve(props), + "cvss": _extract_float(props.get("cvssScore"), props.get("cvss")), + "severity": getattr(issue, "severity", "unknown"), + "details": _first_non_empty(getattr(issue, "description", None), props.get("overview"), props.get("note")), + "remediation": _build_remediation(props), + "metrics": _build_metrics(props), + "cveStatus": props.get("cveStatus"), + "cwes": _extract_string_list(props.get("cwes"), props.get("cwe")), + "published": props.get("published"), + "affectedVersionRanges": _extract_string_list( + props.get("affectedVersionRanges"), + props.get("vulnerableVersionRange"), + props.get("affected_versions"), + ), + "patchedVersionRanges": _extract_string_list( + props.get("patchedVersionRanges"), + props.get("firstPatchedVersionIdentifier"), + props.get("patched_versions"), + ), + "references": _extract_references(issue, props), + "cvssVector": props.get("cvssVector"), + "exploitability": props.get("exploitability"), + "epss": _build_epss(props), + "cpes": _extract_string_list(props.get("cpes")), + "customRiskScore": None, + } + + +def _build_licensing_entry( + issue: Issue, package: Optional[Package], project: dict[str, Any], index: int +) -> dict[str, Any]: + props = getattr(issue, "props", {}) or {} + package_license = getattr(package, "license", None) + issue_type = "policy_conflict" + if not package_license: + issue_type = "unlicensed_dependency" + elif getattr(issue, "type", None) not in LICENSE_ALERT_TYPES: + issue_type = "policy_flag" + return { + "id": props.get("id") or f"socket-licensing-{index}", + "type": issue_type, + "createdAt": props.get("createdAt"), + "source": _build_source_metadata(issue, package), + "depths": _build_depths(package), + "statuses": _build_statuses(issue), + "projects": _build_projects_entry(project, package), + "url": getattr(issue, "url", None) or project["url"], + "title": getattr(issue, "title", None) or "License Policy Violation", + "details": _first_non_empty(getattr(issue, "description", None), props.get("note"), package_license), + "license": package_license, + "identifiedLicense": package_license, + "references": _extract_references(issue, props), + } + + +def _build_quality_entry( + issue: Issue, package: Optional[Package], project: dict[str, Any], index: int +) -> dict[str, Any]: + props = getattr(issue, "props", {}) or {} + return { + "id": props.get("id") or f"socket-quality-{index}", + "type": getattr(issue, "type", None) or "quality_issue", + "createdAt": props.get("createdAt"), + "source": _build_source_metadata(issue, package), + "depths": _build_depths(package), + "statuses": _build_statuses(issue), + "projects": _build_projects_entry(project, package), + "url": getattr(issue, "url", None) or project["url"], + "title": getattr(issue, "title", None), + "details": _first_non_empty(getattr(issue, "description", None), props.get("note")), + "references": _extract_references(issue, props), + } + + +def _iter_selected_issues(diff_report: Diff, config: CliConfig) -> Iterable[Issue]: + """Yield all currently-present issues (new + unchanged) to match FOSSA's + /api/v2/issues behavior, which returns a point-in-time snapshot of all + issues at the scan revision, not only diff-new ones. The `config` argument + is retained for signature stability but no longer gates output. + """ + yield from getattr(diff_report, "new_alerts", []) or [] + yield from getattr(diff_report, "unchanged_alerts", []) or [] + + +def _classify_issue(issue: Issue) -> str: + issue_type = (getattr(issue, "type", "") or "").lower() + category = (getattr(issue, "category", "") or "").lower() + if issue_type in LICENSE_ALERT_TYPES or "license" in issue_type or category == "licensing": + return "licensing" + if category == "quality" or issue_type.startswith(QUALITY_ALERT_PREFIXES): + return "quality" + return "vulnerability" + + +def build_fossa_report_payload(diff_report: Diff, config: CliConfig) -> dict[str, Any]: + project = _build_project_metadata(diff_report, config) + package_lookup = getattr(diff_report, "packages", {}) or {} + vulnerabilities = [] + licensing = [] + quality = [] + + for index, issue in enumerate(_iter_selected_issues(diff_report, config), start=1): + package = package_lookup.get(getattr(issue, "pkg_id", "")) if package_lookup else None + category = _classify_issue(issue) + if category == "licensing": + licensing.append(_build_licensing_entry(issue, package, project, index)) + elif category == "quality": + quality.append(_build_quality_entry(issue, package, project, index)) + else: + vulnerabilities.append(_build_vulnerability_entry(issue, package, project, index)) + + return { + "project": project, + "vulnerability": vulnerabilities, + "licensing": licensing, + "quality": quality, + } + + +def _build_attribution_project(diff_report: Diff, config: CliConfig) -> dict[str, Any]: + repo = getattr(config, "repo", None) or "socket-default-repo" + revision = ( + getattr(diff_report, "id", None) + or getattr(diff_report, "new_scan_id", None) + or "unknown-revision" + ) + return {"name": repo, "revision": revision} + + +def _build_dependency_licenses(package: Package) -> list[dict[str, str]]: + """Build the `licenses[]` array: prefer licenseAttrib entries (full attribution text), + fall back to a single name-only entry from declared license, else empty. + """ + attribs = getattr(package, "licenseAttrib", None) or [] + licenses = [] + for attrib in attribs: + attrib_text = attrib.get("attribText", "") if isinstance(attrib, dict) else getattr(attrib, "attribText", "") + attrib_data = attrib.get("attribData", []) if isinstance(attrib, dict) else getattr(attrib, "attribData", []) + spdx = "" + if attrib_data: + first = attrib_data[0] + spdx = first.get("spdxExpr", "") if isinstance(first, dict) else getattr(first, "spdxExpr", "") + if attrib_text or spdx: + licenses.append({"attribution": attrib_text or "", "name": spdx or getattr(package, "license", "") or ""}) + if licenses: + return licenses + declared = getattr(package, "license", None) + if declared: + return [{"attribution": "", "name": declared}] + return [] + + +def _build_dependency_entry(package: Package, dependency_paths: list[str]) -> dict[str, Any]: + return { + "authors": list(getattr(package, "author", []) or []), + "dependencyPaths": list(dependency_paths), + "description": "", + "downloadUrl": "", + "hash": None, + "isGolang": None, + "licenses": _build_dependency_licenses(package), + "notes": [], + "otherLicenses": [], + "package": package.name, + "projectUrl": "", + "source": _ecosystem_to_package_manager(package.type), + "title": package.name, + "version": package.version, + } + + +def _compute_dependency_paths(package: Package, package_lookup: dict[str, Package]) -> list[str]: + if bool(getattr(package, "direct", False)): + return [package.name] + ancestors = getattr(package, "topLevelAncestors", None) or [] + paths = [] + for ancestor_id in ancestors: + ancestor = package_lookup.get(ancestor_id) + if ancestor and getattr(ancestor, "name", None): + paths.append(f"{ancestor.name} > {package.name}") + if not paths: + return [package.name] + return paths + + +def _partition_dependencies(packages: list[Package]) -> tuple[list[dict[str, Any]], list[dict[str, Any]]]: + direct: list[dict[str, Any]] = [] + deep: list[dict[str, Any]] = [] + package_lookup = {getattr(p, "id", None): p for p in packages if getattr(p, "id", None)} + for package in packages: + paths = _compute_dependency_paths(package, package_lookup) + entry = _build_dependency_entry(package, paths) + if bool(getattr(package, "direct", False)): + direct.append(entry) + else: + deep.append(entry) + return direct, deep + + +def build_fossa_attribution_payload(diff_report: Diff, config: CliConfig) -> dict[str, Any]: + packages = list((getattr(diff_report, "packages", {}) or {}).values()) + direct, deep = _partition_dependencies(packages) + return { + "copyrightsByLicense": {}, + "deepDependencies": deep, + "directDependencies": direct, + "licenses": {}, + "project": _build_attribution_project(diff_report, config), + } diff --git a/socketsecurity/output.py b/socketsecurity/output.py index 921ca79..63fe565 100644 --- a/socketsecurity/output.py +++ b/socketsecurity/output.py @@ -5,6 +5,7 @@ from .core.messages import Messages from .core.classes import Diff, Issue from .config import CliConfig +from .fossa_compat import build_fossa_report_payload from socketsecurity.plugins.manager import PluginManager from socketsecurity.core.alert_selection import ( clone_diff_with_selected_alerts, @@ -90,6 +91,9 @@ def handle_output(self, diff_report: Diff) -> None: plugin_mgr = PluginManager({"slack": slack_config}) plugin_mgr.send(diff_report, config=self.config) + self.save_json_file(diff_report, getattr(self.config, "json_file", None)) + self.save_summary_file(diff_report, getattr(self.config, "summary_file", None)) + self.save_report_link_file(diff_report, getattr(self.config, "report_link_file", None)) self.save_sbom_file(diff_report, self.config.sbom_file) def return_exit_code(self, diff_report: Diff) -> int: @@ -107,50 +111,15 @@ def return_exit_code(self, diff_report: Diff) -> int: def output_console_comments(self, diff_report: Diff, sbom_file_name: Optional[str] = None) -> None: """Outputs formatted console comments""" - selected_alerts = select_diff_alerts(diff_report, strict_blocking=self.config.strict_blocking) - has_new_alerts = len(selected_alerts) > 0 - has_unchanged_alerts = ( - self.config.strict_blocking and - hasattr(diff_report, 'unchanged_alerts') and - len(diff_report.unchanged_alerts) > 0 - ) - - if not has_new_alerts and not has_unchanged_alerts: - self.logger.info("No issues found") - return - - # Count blocking vs warning alerts - new_blocking = sum(1 for issue in diff_report.new_alerts if issue.error) - new_warning = sum(1 for issue in diff_report.new_alerts if issue.warn) - - unchanged_blocking = 0 - unchanged_warning = 0 - if has_unchanged_alerts: - unchanged_blocking = sum(1 for issue in diff_report.unchanged_alerts if issue.error) - unchanged_warning = sum(1 for issue in diff_report.unchanged_alerts if issue.warn) - - selected_diff = clone_diff_with_selected_alerts(diff_report, selected_alerts) - console_security_comment = Messages.create_console_security_alert_table(selected_diff) - - # Build status message - self.logger.info("Security issues detected by Socket Security:") - if new_blocking > 0: - self.logger.info(f" - NEW blocking issues: {new_blocking}") - if new_warning > 0: - self.logger.info(f" - NEW warning issues: {new_warning}") - if unchanged_blocking > 0: - self.logger.info(f" - EXISTING blocking issues: {unchanged_blocking} (causing failure due to --strict-blocking)") - if unchanged_warning > 0: - self.logger.info(f" - EXISTING warning issues: {unchanged_warning}") - - self.logger.info(f"Diff Url: {diff_report.diff_url}") - self.logger.info(f"\n{console_security_comment}") + summary_text = self.build_summary_text(diff_report) + for line in summary_text.splitlines(): + self.logger.info(line) + if not summary_text.strip(): + self.logger.info("") def output_console_json(self, diff_report: Diff, sbom_file_name: Optional[str] = None) -> None: """Outputs JSON formatted results""" - selected_alerts = select_diff_alerts(diff_report, strict_blocking=self.config.strict_blocking) - selected_diff = clone_diff_with_selected_alerts(diff_report, selected_alerts) - console_security_comment = Messages.create_security_comment_json(selected_diff) + console_security_comment = self.build_json_report(diff_report) self.save_sbom_file(diff_report, sbom_file_name) self.logger.info(json.dumps(console_security_comment)) @@ -246,14 +215,106 @@ def report_pass(self, diff_report: Diff) -> bool: def save_sbom_file(self, diff_report: Diff, sbom_file_name: Optional[str] = None) -> None: """Saves SBOM file if filename is provided""" - if not sbom_file_name or not diff_report.sbom: + if not sbom_file_name: return - sbom_path = Path(sbom_file_name) - sbom_path.parent.mkdir(parents=True, exist_ok=True) + sbom_data = getattr(diff_report, "sbom", None) + if sbom_data is None: + sbom_data = [] + + self.write_json_file(sbom_file_name, sbom_data) - with open(sbom_path, "w") as f: - json.dump(diff_report.sbom, f, indent=2) + def build_summary_text(self, diff_report: Diff) -> str: + """Render the console summary text for stdout and file output.""" + selected_alerts = select_diff_alerts(diff_report, strict_blocking=self.config.strict_blocking) + has_new_alerts = len(selected_alerts) > 0 + has_unchanged_alerts = ( + self.config.strict_blocking and + hasattr(diff_report, 'unchanged_alerts') and + len(diff_report.unchanged_alerts) > 0 + ) + + if not has_new_alerts and not has_unchanged_alerts: + return "No issues found" + + new_blocking = sum(1 for issue in diff_report.new_alerts if issue.error) + new_warning = sum(1 for issue in diff_report.new_alerts if issue.warn) + + unchanged_blocking = 0 + unchanged_warning = 0 + if has_unchanged_alerts: + unchanged_blocking = sum(1 for issue in diff_report.unchanged_alerts if issue.error) + unchanged_warning = sum(1 for issue in diff_report.unchanged_alerts if issue.warn) + + selected_diff = clone_diff_with_selected_alerts(diff_report, selected_alerts) + console_security_comment = Messages.create_console_security_alert_table(selected_diff) + + lines = ["Security issues detected by Socket Security:"] + if new_blocking > 0: + lines.append(f" - NEW blocking issues: {new_blocking}") + if new_warning > 0: + lines.append(f" - NEW warning issues: {new_warning}") + if unchanged_blocking > 0: + lines.append( + f" - EXISTING blocking issues: {unchanged_blocking} (causing failure due to --strict-blocking)" + ) + if unchanged_warning > 0: + lines.append(f" - EXISTING warning issues: {unchanged_warning}") + + report_link = getattr(diff_report, "report_url", "") or getattr(diff_report, "diff_url", "") + lines.append(f"Diff Url: {report_link}") + lines.append("") + lines.append(str(console_security_comment)) + return "\n".join(lines) + + def build_json_report(self, diff_report: Diff) -> dict: + """Build the JSON report payload for stdout and file output.""" + if getattr(self.config, "legal_format", "socket") == "fossa": + return build_fossa_report_payload(diff_report, self.config) + + selected_alerts = select_diff_alerts(diff_report, strict_blocking=self.config.strict_blocking) + selected_diff = clone_diff_with_selected_alerts(diff_report, selected_alerts) + report = Messages.create_security_comment_json(selected_diff) + legal_flag = getattr(self.config, "legal", False) + repo = getattr(self.config, "repo", None) + branch = getattr(self.config, "branch", None) + commit_sha = getattr(self.config, "commit_sha", None) + report["report_url"] = getattr(diff_report, "report_url", None) + report["repo"] = repo if isinstance(repo, str) or repo is None else None + report["branch"] = branch if isinstance(branch, str) or branch is None else None + report["commit_sha"] = commit_sha if isinstance(commit_sha, str) or commit_sha is None else None + report["legal_mode"] = legal_flag if isinstance(legal_flag, bool) else False + return report + + def save_json_file(self, diff_report: Diff, json_file_name: Optional[str] = None) -> None: + if not json_file_name: + return + self.write_json_file(json_file_name, self.build_json_report(diff_report)) + + def save_summary_file(self, diff_report: Diff, summary_file_name: Optional[str] = None) -> None: + if not summary_file_name: + return + self.write_text_file(summary_file_name, self.build_summary_text(diff_report) + "\n") + + def save_report_link_file(self, diff_report: Diff, report_link_file_name: Optional[str] = None) -> None: + if not report_link_file_name: + return + report_link = getattr(diff_report, "report_url", "") or getattr(diff_report, "diff_url", "") + if not report_link: + return + self.write_text_file(report_link_file_name, report_link + "\n") + + def write_json_file(self, file_name: str, content: Any) -> None: + file_path = Path(file_name) + file_path.parent.mkdir(parents=True, exist_ok=True) + with open(file_path, "w") as f: + json.dump(content, f, indent=2) + + def write_text_file(self, file_name: str, content: str) -> None: + file_path = Path(file_name) + file_path.parent.mkdir(parents=True, exist_ok=True) + with open(file_path, "w") as f: + f.write(content) def output_gitlab_security(self, diff_report: Diff) -> None: """ diff --git a/socketsecurity/socketcli.py b/socketsecurity/socketcli.py index 1f2b166..26823cc 100644 --- a/socketsecurity/socketcli.py +++ b/socketsecurity/socketcli.py @@ -1,9 +1,8 @@ import json import os +import shutil import sys import traceback -import shutil -import warnings from datetime import datetime, timezone from uuid import uuid4 @@ -11,6 +10,7 @@ from git import InvalidGitRepositoryError, NoSuchPathError from socketdev import socketdev from socketdev.fullscans import FullScanParams + from socketsecurity.config import CliConfig from socketsecurity.core import Core from socketsecurity.core.classes import Diff @@ -20,12 +20,48 @@ from socketsecurity.core.messages import Messages from socketsecurity.core.scm_comments import Comments from socketsecurity.core.socket_config import SocketConfig +from socketsecurity.fossa_compat import build_fossa_attribution_payload from socketsecurity.output import OutputHandler socket_logger, log = initialize_logging() load_dotenv() + +def build_license_artifact_payload( + diff: Diff, + legal_format: str = "socket", + config: CliConfig | None = None, +) -> dict: + """Build the license artifact payload from a diff, tolerating sparse scan paths.""" + if legal_format == "fossa": + if config is None: + raise ValueError("config is required when building FOSSA-format legal artifacts") + return build_fossa_attribution_payload(diff, config) + + all_packages = {} + packages = getattr(diff, "packages", {}) or {} + for purl in packages: + package = packages[purl] + output = { + "id": package.id, + "name": package.name, + "version": package.version, + "ecosystem": package.type, + "direct": package.direct, + "url": package.url, + "license": package.license, + "licenseDetails": package.licenseDetails, + "licenseAttrib": package.licenseAttrib, + "purl": package.purl, + } + all_packages[package.id] = output + return all_packages + +def _write_attribution_file(config, payload: dict) -> None: + Core.save_file(config.license_file_name, json.dumps(payload, indent=2)) + + def cli(): try: main_code() @@ -125,7 +161,7 @@ def main_code(): # Check if plan matches enterprise* pattern (enterprise, enterprise_trial, etc.) if not org_plan.startswith('enterprise'): - log.error(f"Reachability analysis is only available for enterprise plans.") + log.error("Reachability analysis is only available for enterprise plans.") log.error(f"Your organization plan is: {org_plan}") log.error("Please upgrade to an enterprise plan to use reachability analysis.") sys.exit(3) @@ -310,7 +346,7 @@ def main_code(): continue_on_no_source_files=config.reach_continue_on_no_source_files, ) - log.info(f"Reachability analysis completed successfully") + log.info("Reachability analysis completed successfully") log.info(f"Results written to: {result['report_path']}") if result.get('scan_id'): log.info(f"Reachability scan ID: {result['scan_id']}") @@ -743,23 +779,12 @@ def _is_unprocessed(c): # Handle license generation if not should_skip_scan and diff.id != "NO_DIFF_RAN" and diff.id != "NO_SCAN_RAN" and config.generate_license: - all_packages = {} - for purl in diff.packages: - package = diff.packages[purl] - output = { - "id": package.id, - "name": package.name, - "version": package.version, - "ecosystem": package.type, - "direct": package.direct, - "url": package.url, - "license": package.license, - "licenseDetails": package.licenseDetails, - "licenseAttrib": package.licenseAttrib, - "purl": package.purl, - } - all_packages[package.id] = output - core.save_file(config.license_file_name, json.dumps(all_packages)) + all_packages = build_license_artifact_payload( + diff, + legal_format=getattr(config, "legal_format", "socket"), + config=config, + ) + _write_attribution_file(config, all_packages) # If we forced API mode due to no supported files, behave as if --disable-blocking was set if force_api_mode: diff --git a/tests/fixtures/fossa/README.md b/tests/fixtures/fossa/README.md new file mode 100644 index 0000000..853d716 --- /dev/null +++ b/tests/fixtures/fossa/README.md @@ -0,0 +1,18 @@ +# FOSSA reference fixtures + +Real `fossa analyze` and `fossa report --json attribution` artifacts captured +from a representative Azure DevOps FOSSA pipeline run, used as the +structural-parity baseline for `--legal-format fossa` output. + +Customer-identifying values (org IDs, project names) have been sanitized; the +structural shape, key sets, value types, and per-field cardinality match the +real artifacts byte-for-byte aside from those substitutions. + +- `fossa-analyze-populated.json` — composed FOSSA analyze artifact with + vulnerabilities present. +- `fossa-analyze-empty.json` — composed FOSSA analyze artifact with zero + vulnerabilities. +- `fossa-sbom-populated.json` — `fossa report --json attribution` output with + direct + deep dependencies. +- `fossa-sbom-empty-deep.json` — attribution output with empty + `deepDependencies`. diff --git a/tests/fixtures/fossa/fossa-analyze-empty.json b/tests/fixtures/fossa/fossa-analyze-empty.json new file mode 100644 index 0000000..fd7efa3 --- /dev/null +++ b/tests/fixtures/fossa/fossa-analyze-empty.json @@ -0,0 +1,13 @@ +{ + "project": { + "branch": "refs/heads/master", + "id": "custom+1234/example-validation-project-03cb9ead2f744dfa5506ec0c915423947ec2fe11-go-linux", + "project": "1234/example-validation-project", + "projectId": "custom+1234/example-validation-project", + "revision": "12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-go-linux", + "url": "https://app.fossa.com/account/saml/1234?next=/projects/custom%252b1234%252fexample-validation-project/refs/branch/refs%252fheads%252fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-go-linux" + }, + "vulnerability": [], + "licensing": [], + "quality": [] +} diff --git a/tests/fixtures/fossa/fossa-analyze-populated.json b/tests/fixtures/fossa/fossa-analyze-populated.json new file mode 100644 index 0000000..515fed9 --- /dev/null +++ b/tests/fixtures/fossa/fossa-analyze-populated.json @@ -0,0 +1,1275 @@ +{ + "project": { + "branch": "refs/heads/master", + "id": "custom+1234/example-validation-project-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "project": "1234/example-validation-project", + "projectId": "custom+1234/example-validation-project", + "revision": "12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "url": "https://app.fossa.com/account/saml/1234?next=/projects/custom%252b1234%252fexample-validation-project/refs/branch/refs%252fheads%252fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux" + }, + "vulnerability": [ + { + "id": 11088939, + "type": "vulnerability", + "createdAt": "2025-10-08T10:41:05.933Z", + "source": { + "id": "pip+certifi$2023.11.17", + "name": "certifi", + "url": "https://github.com/certifi/python-certifi", + "version": "2023.11.17", + "packageManager": "pip" + }, + "depths": { + "direct": 0, + "deep": 1 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+1234/example-validation-project", + "status": "active", + "depth": 2, + "title": "example-validation-project", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", + "firstFoundAt": "2025-10-08T10:41:05.933+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/11088939?revisionScanId=106820047", + "vulnId": "CVE-2024-39689_pip+certifi", + "title": "Insufficient Verification of Data Authenticity", + "cve": "CVE-2024-39689", + "cvss": 7.5, + "severity": "high", + "details": "Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.7.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified \"long-running and unresolved compliance issues.\"", + "remediation": { + "partialFix": "2024.7.4", + "partialFixDistance": "MAJOR", + "completeFix": "2024.7.4", + "completeFixDistance": "MAJOR" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Network" + }, + { + "name": "Attack Complexity", + "value": "Low" + }, + { + "name": "Privileges Required", + "value": "None" + }, + { + "name": "User Interaction", + "value": "None" + }, + { + "name": "Scope", + "value": "Unchanged" + }, + { + "name": "Confidentiality Impact", + "value": "None" + }, + { + "name": "Integrity Impact", + "value": "High" + }, + { + "name": "Availability Impact", + "value": "None" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-345" + ], + "published": "2024-07-05T19:15:10Z", + "affectedVersionRanges": [ + ">=2021.5.30,<2024.7.4" + ], + "patchedVersionRanges": [ + "2024.7.4" + ], + "references": [ + "https://github.com/advisories/GHSA-248v-346w-9cwc", + "https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463", + "https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc", + "https://github.com/pypa/advisory-database/tree/main/vulns/certifi/PYSEC-2024-230.yaml", + "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI", + "https://pypi.org/project/certifi/", + "https://security.netapp.com/advisory/ntap-20241206-0001", + "https://security.netapp.com/advisory/ntap-20241206-0001/" + ], + "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "exploitability": "UNKNOWN", + "epss": { + "score": 0.21233, + "percentile": 0.95751 + }, + "cpes": [], + "customRiskScore": null + }, + { + "id": 11088937, + "type": "vulnerability", + "createdAt": "2025-10-08T10:41:05.933Z", + "source": { + "id": "pip+idna$3.6", + "name": "idna", + "url": "https://pypi.org/project/idna/", + "version": "3.6", + "packageManager": "pip" + }, + "depths": { + "direct": 0, + "deep": 1 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+1234/example-validation-project", + "status": "active", + "depth": 2, + "title": "example-validation-project", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", + "firstFoundAt": "2025-10-08T10:41:05.933+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/11088937?revisionScanId=106820047", + "vulnId": "CVE-2024-3651_pip+idna", + "title": "Uncontrolled Resource Consumption", + "cve": "CVE-2024-3651", + "cvss": 7.5, + "severity": "high", + "details": "A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size.", + "remediation": { + "partialFix": "3.7", + "completeFix": "3.7" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Network" + }, + { + "name": "Attack Complexity", + "value": "Low" + }, + { + "name": "Privileges Required", + "value": "None" + }, + { + "name": "User Interaction", + "value": "None" + }, + { + "name": "Scope", + "value": "Unchanged" + }, + { + "name": "Confidentiality Impact", + "value": "None" + }, + { + "name": "Integrity Impact", + "value": "None" + }, + { + "name": "Availability Impact", + "value": "High" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-400", + "CWE-1333" + ], + "published": "2024-07-07T18:15:00Z", + "affectedVersionRanges": [ + "<3.7" + ], + "patchedVersionRanges": [ + "3.7" + ], + "references": [ + "https://github.com/advisories/GHSA-jjg7-2v4v-x38h", + "https://github.com/kjd/idna/commit/1d365e17e10d72d0b7876316fc7b9ca0eebdd38d", + "https://github.com/kjd/idna/security/advisories/GHSA-jjg7-2v4v-x38h", + "https://github.com/pypa/advisory-database/tree/main/vulns/idna/PYSEC-2024-60.yaml", + "https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb", + "https://lists.debian.org/debian-lts-announce/2024/05/msg00006.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4YQUPYH3SVZ5GFF2CDQ55FCM575AZTF2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F2S5E23N6E52S46KGNYTDFB75LOC4N4D", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S5IDLLD2IKSIVRBSLB34WTSYGLMWUFWF", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULSC7HBJKXB3BZV367WM5BR6DFEC4Z43", + "https://pypi.org/project/idna/" + ], + "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "exploitability": "UNKNOWN", + "epss": { + "score": 0.0067, + "percentile": 0.71572 + }, + "cpes": [], + "customRiskScore": null + }, + { + "id": 15980738, + "type": "vulnerability", + "createdAt": "2026-05-20T14:40:25.221Z", + "source": { + "id": "pip+requests$2.27.1", + "name": "requests", + "url": "https://pypi.org/project/requests/", + "version": "2.27.1", + "packageManager": "pip" + }, + "depths": { + "direct": 1, + "deep": 0 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+1234/example-validation-project", + "status": "active", + "depth": 1, + "title": "example-validation-project", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", + "firstFoundAt": "2026-05-20T14:40:25.221+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/15980738?revisionScanId=106820047", + "vulnId": "CVE-2026-25645_pip+requests", + "title": "Insecure Temporary File", + "cve": "CVE-2026-25645", + "cvss": 4.4, + "severity": "medium", + "details": "Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.", + "remediation": { + "partialFix": "2.33.0", + "partialFixDistance": "MINOR", + "completeFix": "2.33.0", + "completeFixDistance": "MINOR" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Local" + }, + { + "name": "Attack Complexity", + "value": "High" + }, + { + "name": "Privileges Required", + "value": "Low" + }, + { + "name": "User Interaction", + "value": "Required" + }, + { + "name": "Scope", + "value": "Unchanged" + }, + { + "name": "Confidentiality Impact", + "value": "None" + }, + { + "name": "Integrity Impact", + "value": "High" + }, + { + "name": "Availability Impact", + "value": "None" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-377" + ], + "published": "2026-03-25T17:16:52Z", + "affectedVersionRanges": [ + "<2.33.0" + ], + "patchedVersionRanges": [ + "2.33.0" + ], + "references": [ + "https://github.com/advisories/GHSA-gc5v-m9x4-r6x2", + "https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7", + "https://github.com/psf/requests/releases/tag/v2.33.0", + "https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2", + "https://pypi.org/project/requests/" + ], + "cvssVector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N", + "exploitability": "UNKNOWN", + "epss": { + "score": 5E-05, + "percentile": 0.00232 + }, + "cpes": [], + "customRiskScore": null + }, + { + "id": 11088938, + "type": "vulnerability", + "createdAt": "2025-10-08T10:41:05.933Z", + "source": { + "id": "pip+requests$2.27.1", + "name": "requests", + "url": "https://pypi.org/project/requests/", + "version": "2.27.1", + "packageManager": "pip" + }, + "depths": { + "direct": 1, + "deep": 0 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+1234/example-validation-project", + "status": "active", + "depth": 1, + "title": "example-validation-project", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", + "firstFoundAt": "2025-10-08T10:41:05.933+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/11088938?revisionScanId=106820047", + "vulnId": "CVE-2024-47081_pip+requests", + "title": "Insufficiently Protected Credentials", + "cve": "CVE-2024-47081", + "cvss": 5.3, + "severity": "medium", + "details": "Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on one's Requests Session.", + "remediation": { + "partialFix": "2.32.4", + "partialFixDistance": "MINOR", + "completeFix": "2.33.0", + "completeFixDistance": "MINOR" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Network" + }, + { + "name": "Attack Complexity", + "value": "High" + }, + { + "name": "Privileges Required", + "value": "None" + }, + { + "name": "User Interaction", + "value": "Required" + }, + { + "name": "Scope", + "value": "Unchanged" + }, + { + "name": "Confidentiality Impact", + "value": "High" + }, + { + "name": "Integrity Impact", + "value": "None" + }, + { + "name": "Availability Impact", + "value": "None" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-522" + ], + "published": "2025-06-09T19:06:08Z", + "affectedVersionRanges": [ + "<2.32.4" + ], + "patchedVersionRanges": [ + "2.32.4" + ], + "references": [ + "http://seclists.org/fulldisclosure/2025/Jun/2", + "http://www.openwall.com/lists/oss-security/2025/06/03/11", + "http://www.openwall.com/lists/oss-security/2025/06/03/9", + "http://www.openwall.com/lists/oss-security/2025/06/04/1", + "http://www.openwall.com/lists/oss-security/2025/06/04/6", + "https://github.com/advisories/GHSA-9hjg-9r4m-mvj7", + "https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef", + "https://github.com/psf/requests/pull/6965", + "https://github.com/psf/requests/security/advisories/GHSA-9hjg-9r4m-mvj7", + "https://pypi.org/project/requests/", + "https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env", + "https://seclists.org/fulldisclosure/2025/Jun/2" + ], + "cvssVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", + "exploitability": "UNKNOWN", + "epss": { + "score": 0.00208, + "percentile": 0.43056 + }, + "cpes": [], + "customRiskScore": null + }, + { + "id": 9643353, + "type": "vulnerability", + "createdAt": "2025-10-08T10:41:05.933Z", + "source": { + "id": "pip+requests$2.27.1", + "name": "requests", + "url": "https://pypi.org/project/requests/", + "version": "2.27.1", + "packageManager": "pip" + }, + "depths": { + "direct": 1, + "deep": 0 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+1234/example-validation-project", + "status": "active", + "depth": 1, + "title": "example-validation-project", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", + "firstFoundAt": "2025-10-08T10:41:05.933+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/9643353?revisionScanId=106820047", + "vulnId": "CVE-2024-35195_pip+requests", + "title": "Always-Incorrect Control Flow Implementation", + "cve": "CVE-2024-35195", + "cvss": 5.6, + "severity": "medium", + "details": "Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.", + "remediation": { + "partialFix": "2.32.0", + "partialFixDistance": "MINOR", + "completeFix": "2.33.0", + "completeFixDistance": "MINOR" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Local" + }, + { + "name": "Attack Complexity", + "value": "High" + }, + { + "name": "Privileges Required", + "value": "High" + }, + { + "name": "User Interaction", + "value": "Required" + }, + { + "name": "Scope", + "value": "Unchanged" + }, + { + "name": "Confidentiality Impact", + "value": "High" + }, + { + "name": "Integrity Impact", + "value": "High" + }, + { + "name": "Availability Impact", + "value": "None" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-670" + ], + "published": "2024-05-20T20:15:00Z", + "affectedVersionRanges": [ + "<2.32.0" + ], + "patchedVersionRanges": [ + "2.32.0" + ], + "references": [ + "https://github.com/advisories/GHSA-9wx4-h78v-vm56", + "https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac", + "https://github.com/psf/requests/pull/6655", + "https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ", + "https://pypi.org/project/requests/" + ], + "cvssVector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N", + "exploitability": "UNKNOWN", + "epss": { + "score": 0.00044, + "percentile": 0.13635 + }, + "cpes": [], + "customRiskScore": null + }, + { + "id": 9643352, + "type": "vulnerability", + "createdAt": "2025-10-08T10:41:05.933Z", + "source": { + "id": "pip+requests$2.27.1", + "name": "requests", + "url": "https://pypi.org/project/requests/", + "version": "2.27.1", + "packageManager": "pip" + }, + "depths": { + "direct": 1, + "deep": 0 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+1234/example-validation-project", + "status": "active", + "depth": 1, + "title": "example-validation-project", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", + "firstFoundAt": "2025-10-08T10:41:05.933+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/9643352?revisionScanId=106820047", + "vulnId": "CVE-2023-32681_pip+requests", + "title": "Exposure of Sensitive Information to an Unauthorized Actor", + "cve": "CVE-2023-32681", + "cvss": 6.1, + "severity": "medium", + "details": "Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.", + "remediation": { + "partialFix": "2.31.0", + "partialFixDistance": "MINOR", + "completeFix": "2.33.0", + "completeFixDistance": "MINOR" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Network" + }, + { + "name": "Attack Complexity", + "value": "High" + }, + { + "name": "Privileges Required", + "value": "None" + }, + { + "name": "User Interaction", + "value": "Required" + }, + { + "name": "Scope", + "value": "Changed" + }, + { + "name": "Confidentiality Impact", + "value": "High" + }, + { + "name": "Integrity Impact", + "value": "None" + }, + { + "name": "Availability Impact", + "value": "None" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-200" + ], + "published": "2023-05-26T18:15:00Z", + "affectedVersionRanges": [ + ">=2.3.0,<2.31.0" + ], + "patchedVersionRanges": [ + "2.31.0" + ], + "references": [ + "https://github.com/advisories/GHSA-j8r2-6x86-q33q", + "https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5", + "https://github.com/psf/requests/releases/tag/v2.31.0", + "https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q", + "https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2023-74.yaml", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ/", + "https://pypi.org/project/requests/", + "https://security.gentoo.org/glsa/202309-08" + ], + "cvssVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N", + "exploitability": "UNKNOWN", + "epss": { + "score": 0.06121, + "percentile": 0.90893 + }, + "cpes": [], + "customRiskScore": null + }, + { + "id": 17096816, + "type": "vulnerability", + "createdAt": "2026-05-20T14:40:25.221Z", + "source": { + "id": "pip+urllib3$1.26.20", + "name": "urllib3", + "url": "https://pypi.org/project/urllib3/", + "version": "1.26.20", + "packageManager": "pip" + }, + "depths": { + "direct": 0, + "deep": 1 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+1234/example-validation-project", + "status": "active", + "depth": 2, + "title": "example-validation-project", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", + "firstFoundAt": "2026-05-20T14:40:25.221+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/17096816?revisionScanId=106820047", + "vulnId": "CVE-2026-44431_pip+urllib3", + "title": "Exposure of Sensitive Information to an Unauthorized Actor", + "cve": "CVE-2026-44431", + "cvss": 8.2, + "severity": "high", + "details": "urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.", + "remediation": { + "partialFix": "2.7.0", + "partialFixDistance": "MAJOR", + "completeFix": "2.7.0", + "completeFixDistance": "MAJOR" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Network" + }, + { + "name": "Attack Complexity", + "value": "High" + }, + { + "name": "Attack Requirements", + "value": "Present" + }, + { + "name": "Privileges Required", + "value": "None" + }, + { + "name": "User Interaction", + "value": "None" + }, + { + "name": "Confidentiality Impact to the Vulnerable System", + "value": "High" + }, + { + "name": "Integrity Impact to the Vulnerable System", + "value": "None" + }, + { + "name": "Availability Impact to the Vulnerable System", + "value": "None" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-200", + "NVD-CWE-noinfo" + ], + "published": "2026-05-13T16:16:57Z", + "affectedVersionRanges": [ + ">=1.23,<2.7.0" + ], + "patchedVersionRanges": [], + "references": [ + "https://github.com/advisories/GHSA-qccp-gfcp-xxvc", + "https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc" + ], + "cvssVector": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "exploitability": "UNKNOWN", + "epss": { + "score": 0.0004, + "percentile": 0.12165 + }, + "cpes": [], + "customRiskScore": null + }, + { + "id": 14594289, + "type": "vulnerability", + "createdAt": "2026-02-20T18:40:20.814Z", + "source": { + "id": "pip+urllib3$1.26.20", + "name": "urllib3", + "url": "https://pypi.org/project/urllib3/", + "version": "1.26.20", + "packageManager": "pip" + }, + "depths": { + "direct": 0, + "deep": 1 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+1234/example-validation-project", + "status": "active", + "depth": 2, + "title": "example-validation-project", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", + "firstFoundAt": "2026-02-20T18:40:20.814+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/14594289?revisionScanId=106820047", + "vulnId": "CVE-2026-21441_pip+urllib3", + "title": "Improper Handling of Highly Compressed Data (Data Amplification)", + "cve": "CVE-2026-21441", + "cvss": 8.9, + "severity": "high", + "details": "urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted source.", + "remediation": { + "partialFix": "2.6.3", + "partialFixDistance": "MAJOR", + "completeFix": "2.7.0", + "completeFixDistance": "MAJOR" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Network" + }, + { + "name": "Attack Complexity", + "value": "Low" + }, + { + "name": "Attack Requirements", + "value": "Present" + }, + { + "name": "Privileges Required", + "value": "None" + }, + { + "name": "User Interaction", + "value": "None" + }, + { + "name": "Confidentiality Impact to the Vulnerable System", + "value": "None" + }, + { + "name": "Integrity Impact to the Vulnerable System", + "value": "None" + }, + { + "name": "Availability Impact to the Vulnerable System", + "value": "High" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-409" + ], + "published": "2026-01-07T22:15:44Z", + "affectedVersionRanges": [ + ">=1.22,<2.6.3" + ], + "patchedVersionRanges": [ + "2.6.3" + ], + "references": [ + "https://github.com/advisories/GHSA-38jv-5279-wg99", + "https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b", + "https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99", + "https://lists.debian.org/debian-lts-announce/2026/01/msg00017.html", + "https://pypi.org/project/urllib3/" + ], + "cvssVector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "exploitability": "UNKNOWN", + "epss": { + "score": 0.00032, + "percentile": 0.09194 + }, + "cpes": [], + "customRiskScore": null + }, + { + "id": 14169171, + "type": "vulnerability", + "createdAt": "2026-02-20T18:40:20.814Z", + "source": { + "id": "pip+urllib3$1.26.20", + "name": "urllib3", + "url": "https://pypi.org/project/urllib3/", + "version": "1.26.20", + "packageManager": "pip" + }, + "depths": { + "direct": 0, + "deep": 1 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+1234/example-validation-project", + "status": "active", + "depth": 2, + "title": "example-validation-project", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", + "firstFoundAt": "2026-02-20T18:40:20.814+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/14169171?revisionScanId=106820047", + "vulnId": "CVE-2025-66418_pip+urllib3", + "title": "Allocation of Resources Without Limits or Throttling", + "cve": "CVE-2025-66418", + "cvss": 8.9, + "severity": "high", + "details": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.", + "remediation": { + "partialFix": "2.6.0", + "partialFixDistance": "MAJOR", + "completeFix": "2.7.0", + "completeFixDistance": "MAJOR" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Network" + }, + { + "name": "Attack Complexity", + "value": "Low" + }, + { + "name": "Attack Requirements", + "value": "Present" + }, + { + "name": "Privileges Required", + "value": "None" + }, + { + "name": "User Interaction", + "value": "None" + }, + { + "name": "Confidentiality Impact to the Vulnerable System", + "value": "None" + }, + { + "name": "Integrity Impact to the Vulnerable System", + "value": "None" + }, + { + "name": "Availability Impact to the Vulnerable System", + "value": "High" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-770" + ], + "published": "2025-12-05T16:15:51Z", + "affectedVersionRanges": [ + ">=1.24,<2.6.0" + ], + "patchedVersionRanges": [ + "2.6.0" + ], + "references": [ + "https://github.com/advisories/GHSA-gm62-xv2j-4w53", + "https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8", + "https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53", + "https://pypi.org/project/urllib3/" + ], + "cvssVector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "exploitability": "UNKNOWN", + "epss": { + "score": 0.00019, + "percentile": 0.05115 + }, + "cpes": [], + "customRiskScore": null + }, + { + "id": 14169170, + "type": "vulnerability", + "createdAt": "2026-02-20T18:40:20.814Z", + "source": { + "id": "pip+urllib3$1.26.20", + "name": "urllib3", + "url": "https://pypi.org/project/urllib3/", + "version": "1.26.20", + "packageManager": "pip" + }, + "depths": { + "direct": 0, + "deep": 1 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+1234/example-validation-project", + "status": "active", + "depth": 2, + "title": "example-validation-project", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", + "firstFoundAt": "2026-02-20T18:40:20.814+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/14169170?revisionScanId=106820047", + "vulnId": "CVE-2025-66471_pip+urllib3", + "title": "Improper Handling of Highly Compressed Data (Data Amplification)", + "cve": "CVE-2025-66471", + "cvss": 8.9, + "severity": "high", + "details": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data.", + "remediation": { + "partialFix": "2.6.0", + "partialFixDistance": "MAJOR", + "completeFix": "2.7.0", + "completeFixDistance": "MAJOR" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Network" + }, + { + "name": "Attack Complexity", + "value": "Low" + }, + { + "name": "Attack Requirements", + "value": "Present" + }, + { + "name": "Privileges Required", + "value": "None" + }, + { + "name": "User Interaction", + "value": "None" + }, + { + "name": "Confidentiality Impact to the Vulnerable System", + "value": "None" + }, + { + "name": "Integrity Impact to the Vulnerable System", + "value": "None" + }, + { + "name": "Availability Impact to the Vulnerable System", + "value": "High" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-409" + ], + "published": "2025-12-05T17:16:04Z", + "affectedVersionRanges": [ + ">=1.0,<2.6.0" + ], + "patchedVersionRanges": [ + "2.6.0" + ], + "references": [ + "https://github.com/advisories/GHSA-2xpw-w6gg-jr37", + "https://github.com/urllib3/urllib3/commit/c19571de34c47de3a766541b041637ba5f716ed7", + "https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37", + "https://pypi.org/project/urllib3/" + ], + "cvssVector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "exploitability": "UNKNOWN", + "epss": { + "score": 0.00017, + "percentile": 0.04227 + }, + "cpes": [], + "customRiskScore": null + }, + { + "id": 10198614, + "type": "vulnerability", + "createdAt": "2025-10-08T10:41:05.933Z", + "source": { + "id": "pip+urllib3$1.26.20", + "name": "urllib3", + "url": "https://pypi.org/project/urllib3/", + "version": "1.26.20", + "packageManager": "pip" + }, + "depths": { + "direct": 0, + "deep": 1 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+1234/example-validation-project", + "status": "active", + "depth": 2, + "title": "example-validation-project", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", + "firstFoundAt": "2025-10-08T10:41:05.933+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/10198614?revisionScanId=106820047", + "vulnId": "CVE-2025-50181_pip+urllib3", + "title": "URL Redirection to Untrusted Site ('Open Redirect')", + "cve": "CVE-2025-50181", + "cvss": 5.3, + "severity": "medium", + "details": "urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0.", + "remediation": { + "partialFix": "2.5.0", + "partialFixDistance": "MAJOR", + "completeFix": "2.7.0", + "completeFixDistance": "MAJOR" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Network" + }, + { + "name": "Attack Complexity", + "value": "High" + }, + { + "name": "Privileges Required", + "value": "Low" + }, + { + "name": "User Interaction", + "value": "None" + }, + { + "name": "Scope", + "value": "Unchanged" + }, + { + "name": "Confidentiality Impact", + "value": "High" + }, + { + "name": "Integrity Impact", + "value": "None" + }, + { + "name": "Availability Impact", + "value": "None" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-601" + ], + "published": "2025-06-18T17:50:00Z", + "affectedVersionRanges": [ + "<2.5.0" + ], + "patchedVersionRanges": [ + "2.5.0" + ], + "references": [ + "https://github.com/advisories/GHSA-pq67-6m6q-mj2v", + "https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857", + "https://github.com/urllib3/urllib3/releases/tag/2.5.0", + "https://github.com/urllib3/urllib3/security/advisories/GHSA-pq67-6m6q-mj2v", + "https://pypi.org/project/urllib3/" + ], + "cvssVector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", + "exploitability": "UNKNOWN", + "epss": { + "score": 0.00079, + "percentile": 0.23201 + }, + "cpes": [], + "customRiskScore": null + } + ], + "licensing": [], + "quality": [] +} diff --git a/tests/fixtures/fossa/fossa-sbom-empty-deep.json b/tests/fixtures/fossa/fossa-sbom-empty-deep.json new file mode 100644 index 0000000..f3cf63e --- /dev/null +++ b/tests/fixtures/fossa/fossa-sbom-empty-deep.json @@ -0,0 +1 @@ +{"copyrightsByLicense":{"MIT":["2013 Fatih Arslan","2016 Yasuhiro Matsumoto","Yasuhiro MATSUMOTO "]},"deepDependencies":[{"authors":["mattn","hymkor","koron","alecrabbit","dolmen","tklauser","ikedam","toshimaru","mislav","ncw","aviau","cenkalti","whereswaldon","secDre4mer","alexandear","radeksimko","segrey","magicshui","filimonov","naoyukis","rbtnn","tyru","uji"],"dependencyPaths":["github.com/fatih/color > github.com/mattn/go-colorable"],"description":"Cached by the Go Module Proxy at Wed, 29 Sep 2021 16:02:39 GMT","downloadUrl":"https://proxy.golang.org/github.com/mattn/go-colorable/@v/v0.1.9.zip","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) 2016 Yasuhiro Matsumoto\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","name":"MIT"}],"notes":[],"otherLicenses":[],"package":"github.com/mattn/go-colorable","projectUrl":"http://godoc.org/github.com/mattn/go-colorable","source":"go","title":"github.com/mattn/go-colorable","version":"v0.1.9"},{"authors":["mattn","tklauser","thesyncim","dolmen","renovate[bot]","shogo82148","aeppert","grafov","carlosedp","mysqto","dkegel-fastly","dmgk","ddevault","Mischi","fatih","cookieY","lgonzalez-silen","mahdi-hm","marcauberer","martinlindhe","ncw","radeksimko","sthibaul","CaptainCodeman","tjni","stuartnelson3"],"dependencyPaths":["github.com/fatih/color > github.com/mattn/go-colorable > github.com/mattn/go-isatty","github.com/fatih/color > github.com/mattn/go-isatty"],"description":"Cached by the Go Module Proxy at Sun, 29 Aug 2021 14:41:14 GMT","downloadUrl":"https://proxy.golang.org/github.com/mattn/go-isatty/@v/v0.0.14.zip","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) Yasuhiro MATSUMOTO \nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","name":"MIT"}],"notes":[],"otherLicenses":[],"package":"github.com/mattn/go-isatty","projectUrl":"http://godoc.org/github.com/mattn/go-isatty","source":"go","title":"github.com/mattn/go-isatty","version":"v0.0.14"}],"directDependencies":[{"authors":["fatih","dependabot[bot]","gregpoirson","pellared","n10v","sashamelentyev","bl-ue","zddhub","ataypamart","pattmax00","qualidafial","martinlindhe","msabramo","rhysd","Tonkpils","klauspost","jeffwillette","hackebrot","sinan","tliron","morfu","mattn","majiayu000","UnSubble","ilyabrin","hyunsooda","hermanschaaf","DrKhyz","EdwardBetts","dmitris","cenkalti","moorereason","andrewaustin","deining","AlekSi","klaidliadon","ahmetb","achilleas-k"],"dependencyPaths":["github.com/fatih/color"],"description":"Color package for Go (golang)","downloadUrl":"https://proxy.golang.org/github.com/fatih/color/@v/v1.13.0.zip","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) 2013 Fatih Arslan\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","name":"MIT"}],"notes":[],"otherLicenses":[],"package":"github.com/fatih/color","projectUrl":"https://pkg.go.dev/github.com/fatih/color","source":"go","title":"github.com/fatih/color","version":"v1.13.0"}],"licenses":{"MIT":"MIT License\nCopyright (c) \n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE."},"project":{"name":"example-validation-project","revision":"12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-go-windows"}} \ No newline at end of file diff --git a/tests/fixtures/fossa/fossa-sbom-populated.json b/tests/fixtures/fossa/fossa-sbom-populated.json new file mode 100644 index 0000000..303f92c --- /dev/null +++ b/tests/fixtures/fossa/fossa-sbom-populated.json @@ -0,0 +1 @@ +{"copyrightsByLicense":{"Apache-2.0":["Amazon.com, Inc. or its affiliates. All Rights Reserved."," Amazon.com, Inc. or its affiliates. All Rights Reserved.","2015 Google Inc. All rights reserved."],"BSD-3-Clause":["2013-2023 Kim Davies and contributors.","2022 Intel Corporation","2023 Intel Corporation","2019 Google LLC","2024 Arm Limited and/or its affiliates ","2022-2023 Intel Corporation","2021 Serge Sans Paille","2010 Jonathan Hartley","2014 Bibek Kafle and Roland Shoemaker","2014 John MacFarlane","Individual contributors.","2015 The Go Authors. All rights reserved."," Individual contributors.","2005-2020 NumPy Developers."],"CC-BY-SA-4.0":[],"IETF":[],"MIT":["2020 Will McGugan"," Sindre Sorhus (sindresorhus.com)","2012-2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.","2012-2013 Mitch Garnaat http://garnaat.org/","2012-2013 Amazon.com, Inc. or its affiliates. All Rights Reserved.","2016 Amazon.com, Inc. or its affiliates. All Rights Reserved.","2013 Amazon.com, Inc. or its affiliates. All Rights Reserved.","2013 Kenneth Reitz","2008-2011 Andrey Petrov and contributors (see CONTRIBUTORS.txt),","2012 Kenneth Reitz.","2010-2020 Benjamin Peterson","2008-2020 Andrey Petrov and contributors (see CONTRIBUTORS.txt)","2015-2016 Will Bond ","2012 Senko Rasic ","2008-2020 Andrey Petrov and contributors.","2019 TAHRI Ahmed R."],"MPL-2.0":["2012-2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.","2019-2022 Pyodide contributors and Mozilla","2013 Kenneth Reitz","2008-2011 Andrey Petrov and contributors (see CONTRIBUTORS.txt),","2012 Kenneth Reitz."]},"deepDependencies":[{"authors":["me@kennethreitz.com"],"dependencyPaths":["requests > certifi"],"description":"Python package for providing Mozilla's CA Bundle.","downloadUrl":"https://files.pythonhosted.org/packages/d4/91/c89518dd4fe1f3a4e3f6ab7ff23cb00ef2e8c9adf99dacc618ad5e068e28/certifi-2023.11.17.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"This package contains a modified version of ca-bundle.crt:\n\nca-bundle.crt -- Bundle of CA Root Certificates\n\nThis is a bundle of X.509 certificates of public Certificate Authorities\n(CA). These were automatically extracted from Mozilla's root certificates\nfile (certdata.txt). This file can be found in the mozilla source tree:\nhttps://hg.mozilla.org/mozilla-central/file/tip/security/nss/lib/ckfw/builtins/certdata.txt\nIt contains the certificates in PEM format and therefore\ncan be directly used with curl / libcurl / php_curl, or with\nan Apache+mod_ssl webserver for SSL client authentication.\nJust configure this file as the SSLCACertificateFile.#\n\n***** BEGIN LICENSE BLOCK *****\nThis Source Code Form is subject to the terms of the Mozilla Public License,\nv. 2.0. If a copy of the MPL was not distributed with this file, You can obtain\none at http://mozilla.org/MPL/2.0/.\n\n***** END LICENSE BLOCK *****\n@(#) $RCSfile: certdata.txt,v $ $Revision: 1.80 $ $Date: 2011/11/03 15:11:58 $\n","name":"MPL-2.0"}],"notes":[],"otherLicenses":[],"package":"certifi","projectUrl":"https://github.com/certifi/python-certifi","source":"pip","title":"certifi","version":"2023.11.17"},{"authors":["\"Ahmed R. TAHRI\" "],"dependencyPaths":["requests > charset-normalizer"],"description":"The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet.","downloadUrl":"https://files.pythonhosted.org/packages/56/31/7bcaf657fafb3c6db8c787a865434290b726653c912085fbd371e9b92e1c/charset-normalizer-2.0.12.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"MIT License\n\nCopyright (c) 2019 TAHRI Ahmed R.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","name":"MIT"}],"notes":[],"otherLicenses":[],"package":"charset-normalizer","projectUrl":"https://pypi.org/project/charset-normalizer/","source":"pip","title":"charset-normalizer","version":"2.0.12"},{"authors":["Jonathan Hartley "],"dependencyPaths":["rich > colorama"],"description":"Cross-platform colored terminal text.","downloadUrl":"https://files.pythonhosted.org/packages/d8/53/6f443c9a4a8358a93a6792e2acffb9d9d5cb0a5cfd8802644b7b1c9a02e4/colorama-0.4.6.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) 2010 Jonathan Hartley\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\n* Redistributions of source code must retain the above copyright notice, this\n list of conditions and the following disclaimer.\n\n* Redistributions in binary form must reproduce the above copyright notice,\n this list of conditions and the following disclaimer in the documentation\n and/or other materials provided with the distribution.\n\n* Neither the name of the copyright holders, nor those of its contributors\n may be used to endorse or promote products derived from this software without\n specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND\nANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\nWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE\nFOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\nDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\nSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER\nCAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,\nOR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n","name":"BSD-3-Clause"}],"notes":[],"otherLicenses":[],"package":"colorama","projectUrl":"https://pypi.org/project/colorama/","source":"pip","title":"colorama","version":"0.4.6"},{"authors":["rolandshoemaker@gmail.com"],"dependencyPaths":["rich > commonmark"],"description":"commonmark.py\n=============\n\ncommonmark.py is a pure Python port of `jgm `__'s\n`commonmark.js `__, a\nMarkdown parser and renderer for the\n`CommonMark `__ specification, using only native\nmodules. Once both this project and the CommonMark specification are\nstable we will release the first ``1.0`` version and attempt to keep up\nto date with changes in ``commonmark.js``.\n\ncommonmark.py is tested against the CommonMark spec with Python versions\n2.7, 3.4, 3.5, 3.6, and 3.7.\n\n**Current version:** 0.9.1\n\n|Pypi Link| |Build Status| |Doc Link|\n\nInstallation\n------------\n\n::\n\n $ pip install commonmark\n\nUsage\n-----\n\n::\n\n >>> import commonmark\n >>> commonmark.commonmark('*hello!*')\n '

hello!

\\n'\n\nOr, without the syntactic sugar:\n\n.. code:: python\n\n import commonmark\n parser = commonmark.Parser()\n ast = parser.parse(\"Hello *World*\")\n\n renderer = commonmark.HtmlRenderer()\n html = renderer.render(ast)\n print(html) #

Hello World

\n\n # inspecting the abstract syntax tree\n json = commonmark.dumpJSON(ast)\n commonmark.dumpAST(ast) # pretty print generated AST structure\n\nThere is also a CLI:\n\n::\n\n $ cmark README.md -o README.html\n $ cmark README.md -o README.json -aj # output AST as JSON\n $ cmark README.md -a # pretty print generated AST structure\n $ cmark -h\n usage: cmark [-h] [-o [O]] [-a] [-aj] [infile]\n\n Process Markdown according to the CommonMark specification.\n\n positional arguments:\n infile Input Markdown file to parse, defaults to stdin\n\n optional arguments:\n -h, --help show this help message and exit\n -o [O] Output HTML/JSON file, defaults to stdout\n -a Print formatted AST\n -aj Output JSON AST\n\n\nContributing\n------------\n\nIf you would like to offer suggestions/optimizations/bugfixes through\npull requests please do! Also if you find an error in the\nparser/renderer that isn't caught by the current test suite please open\na new issue and I would also suggest you send the\n`commonmark.js `__ project\na pull request adding your test to the existing test suite.\n\nTests\n-----\n\nTo work on commonmark.py, you will need to be able to run the test suite to\nmake sure your changes don't break anything. To run the tests, you can do\nsomething like this:\n\n::\n\n $ pyvenv venv\n $ ./venv/bin/python setup.py develop test\n\nThe tests script, ``commonmark/tests/run_spec_tests.py``, is pretty much a devtool. As\nwell as running all the tests embedded in ``spec.txt`` it also allows you\nto run specific tests using the ``-t`` argument, provide information\nabout passed tests with ``-p``, percentage passed by category of test\nwith ``-s``, and enter markdown interactively with ``-i`` (In\ninteractive mode end a block by inputting a line with just ``end``, to\nquit do the same but with ``quit``). ``-d`` can be used to print call\ntracing.\n\n::\n\n $ ./venv/bin/python commonmark/tests/run_spec_tests.py -h\n usage: run_spec_tests.py [-h] [-t T] [-p] [-f] [-i] [-d] [-np] [-s]\n\n script to run the CommonMark specification tests against the commonmark.py\n parser.\n\n optional arguments:\n -h, --help show this help message and exit\n -t T Single test to run or comma separated list of tests (-t 10 or -t 10,11,12,13)\n -p Print passed test information\n -f Print failed tests (during -np...)\n -i Interactive Markdown input mode\n -d Debug, trace calls\n -np Only print section header, tick, or cross\n -s Print percent of tests passed by category\n\nAuthors\n-------\n\n- `Bibek Kafle `__\n- `Roland Shoemaker `__\n- `Nikolas Nyby `__\n\n.. |Pypi Link| image:: https://img.shields.io/pypi/v/commonmark.svg\n :target: https://pypi.org/project/commonmark/\n\n.. |Build Status| image:: https://travis-ci.org/rtfd/commonmark.py.svg?branch=master\n :target: https://travis-ci.org/rtfd/commonmark.py\n\n.. |Doc Link| image:: https://readthedocs.org/projects/commonmarkpy/badge/?version=latest\n :target: https://commonmarkpy.readthedocs.io/en/latest/?badge=latest\n :alt: Documentation Status\n\n\n","downloadUrl":"https://files.pythonhosted.org/packages/60/48/a60f593447e8f0894ebb7f6e6c1f25dafc5e89c5879fdc9360ae93ff83f0/commonmark-0.9.1.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) 2014, Bibek Kafle and Roland Shoemaker\r\n\r\nBased on stmd.js: Copyright (c) 2014, John MacFarlane\r\n\r\nAll rights reserved.\r\n\r\nRedistribution and use in source and binary forms, with or without\r\nmodification, are permitted provided that the following conditions are met:\r\n\r\n * Redistributions of source code must retain the above copyright\r\n notice, this list of conditions and the following disclaimer.\r\n\r\n * Redistributions in binary form must reproduce the above\r\n copyright notice, this list of conditions and the following\r\n disclaimer in the documentation and/or other materials provided\r\n with the distribution.\r\n\r\n * Neither the names of Bibek Kafle, Roland Shoemaker nor the names of other\r\n contributors may be used to endorse or promote products derived\r\n from this software without specific prior written permission.\r\n\r\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\r\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\r\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\r\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\r\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\r\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\r\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\r\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\r\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\r\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\r\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.","name":"BSD-3-Clause"}],"notes":[],"otherLicenses":[{"attribution":"Attribution-ShareAlike 4.0 International<>\nUsing Creative Commons Public Licenses\nCreative Commons public licenses provide a standard set of terms and conditions that creators and other rights holders may use to share original works of authorship and other material subject to copyright and certain other rights specified in the public license below. The following considerations are for informational purposes only, are not exhaustive, and do not form part of our licenses.\nConsiderations for licensors: Our public licenses are intended for use by those authorized to give the public permission to use material in ways otherwise restricted by copyright and certain other rights. Our licenses are irrevocable. Licensors should read and understand the terms and conditions of the license they choose before applying it. Licensors should also secure all rights necessary before applying our licenses so that the public can reuse the material as expected. Licensors should clearly mark any material not subject to the license. This includes other CC-licensed material, or material used under an exception or limitation to copyright. More considerations for licensors : wiki.creativecommons.org/Considerations_for_licensors\nConsiderations for the public: By using one of our public licenses, a licensor grants the public permission to use the licensed material under specified terms and conditions. If the licensor's permission is not necessary for any reason–for example, because of any applicable exception or limitation to copyright–then that use is not regulated by the license. Our licenses grant only permissions under copyright and certain other rights that a licensor has authority to grant. Use of the licensed material may still be restricted for other reasons, including because others have copyright or other rights in the material. A licensor may make special requests, such as asking that all changes be marked or described.\nAlthough not required by our licenses, you are encouraged to respect those requests where reasonable. More considerations for the public : wiki.creativecommons.org/Considerations_for_licensees\nCreative Commons Attribution-ShareAlike 4.0 International Public License\nBy exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-ShareAlike 4.0 International Public License (\"Public License\"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions.\nSection 1 – Definitions.\n a. Adapted Material means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image.\n b. Adapter's License means the license You apply to Your Copyright and Similar Rights in Your contributions to Adapted Material in accordance with the terms and conditions of this Public License.\n c. BY-SA Compatible License means a license listed at creativecommons.org/compatiblelicenses, approved by Creative Commons as essentially the equivalent of this Public License.\n d. Copyright and Similar Rights means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights.\n e. Effective Technological Measures means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements.\n f. Exceptions and Limitations means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material.\n g. License Elements means the license attributes listed in the name of a Creative Commons Public License. The License Elements of this Public License are Attribution and ShareAlike.\n h. Licensed Material means the artistic or literary work, database, or other material to which the Licensor applied this Public License.\n i. Licensed Rights means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license.\n j. Licensor means the individual(s) or entity(ies) granting rights under this Public License.\n k. Share means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them.\n l. Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world.\n m. You means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning.\nSection 2 – Scope.\n a. License grant.\n 1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to:\n A. reproduce and Share the Licensed Material, in whole or in part; and\n B. produce, reproduce, and Share Adapted Material.\n 2. Exceptions and Limitations. For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions.\n 3. Term. The term of this Public License is specified in Section 6(a).\n 4. Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material.\n 5. Downstream recipients.\n A. Offer from the Licensor – Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License.\n B. Additional offer from the Licensor – Adapted Material. Every recipient of Adapted Material from You automatically receives an offer from the Licensor to exercise the Licensed Rights in the Adapted Material under the conditions of the Adapter's License You apply.\n C. No downstream restrictions. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material.\n 6. No endorsement. Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).\n b. Other rights.\n 1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise.\n 2. Patent and trademark rights are not licensed under this Public License.\n 3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties.\nSection 3 – License Conditions.\nYour exercise of the Licensed Rights is expressly made subject to the following conditions.\n a. Attribution.\n 1. If You Share the Licensed Material (including in modified form), You must:\n A. retain the following if it is supplied by the Licensor with the Licensed Material:\n i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);\n ii. a copyright notice;\n iii. a notice that refers to this Public License;\n iv. a notice that refers to the disclaimer of warranties;\n v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable;\n B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and\n C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.\n 2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.\n 3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.\n b. ShareAlike.In addition to the conditions in Section 3(a), if You Share Adapted Material You produce, the following conditions also apply.\n 1. The Adapter's License You apply must be a Creative Commons license with the same License Elements, this version or later, or a BY-SA Compatible License.\n 2. You must include the text of, or the URI or hyperlink to, the Adapter's License You apply. You may satisfy this condition in any reasonable manner based on the medium, means, and context in which You Share Adapted Material.\n 3. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, Adapted Material that restrict exercise of the rights granted under the Adapter's License You apply.\nSection 4 – Sui Generis Database Rights.\nWhere the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material:\n a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database;\n b. if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material, including for purposes of Section 3(b); and\n c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database.\n For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights.\nSection 5 – Disclaimer of Warranties and Limitation of Liability.\n a. Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You.\n b. To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You.\n c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability.\nSection 6 – Term and Termination.\n a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.\n b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:\n 1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or\n 2. upon express reinstatement by the Licensor.\n c. For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License.\n d. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License.\n e. Sections 1, 5, 6, 7, and 8 survive termination of this Public License.\nSection 7 – Other Terms and Conditions.\n a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed.\n b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License.\nSection 8 – Interpretation.\n a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License.\n b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions.\n c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor.\n d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority.\nCreative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the \"Licensor.\" Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at creativecommons.org/policies, Creative Commons does not authorize the use of the trademark \"Creative Commons\" or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses.\nCreative Commons may be contacted at creativecommons.org.","name":"CC-BY-SA-4.0"}],"package":"commonmark","projectUrl":"https://github.com/rtfd/commonmark.py","source":"pip","title":"commonmark","version":"0.9.1"},{"authors":["Kim Davies "],"dependencyPaths":["requests > idna"],"description":"Internationalized Domain Names in Applications (IDNA)","downloadUrl":"https://files.pythonhosted.org/packages/bf/3f/ea4b9117521a1e9c50344b909be7886dd00a519552724809bb1f486986c2/idna-3.6.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"BSD 3-Clause License\n\nCopyright (c) 2013-2023, Kim Davies and contributors.\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer.\n\n2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in the\n documentation and/or other materials provided with the distribution.\n\n3. Neither the name of the copyright holder nor the names of its\n contributors may be used to endorse or promote products derived from\n this software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nHOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED\nTO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR\nPROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF\nLIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING\nNEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS\nSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n","name":"BSD-3-Clause"}],"notes":[],"otherLicenses":[],"package":"idna","projectUrl":"https://pypi.org/project/idna/","source":"pip","title":"idna","version":"3.6"},{"authors":["Andrey Petrov "],"dependencyPaths":["requests > urllib3"],"description":"HTTP library with thread-safe connection pooling, file post, and more.","downloadUrl":"https://files.pythonhosted.org/packages/e4/e8/6ff5e6bc22095cfc59b6ea711b687e2b7ed4bdb373f7eeec370a97d7392f/urllib3-1.26.20.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"MIT License\n\nCopyright (c) 2008-2020 Andrey Petrov and contributors (see CONTRIBUTORS.txt)\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n","name":"MIT"}],"notes":[],"otherLicenses":[{"attribution":"Copyright 2015 Google Inc. All rights reserved.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\nhttp://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\nSee the License for the specific language governing permissions and limitations under the License.","name":"Apache-2.0"}],"package":"urllib3","projectUrl":"https://pypi.org/project/urllib3/","source":"pip","title":"urllib3","version":"1.26.20"}],"directDependencies":[{"authors":["Amazon Web Services"],"dependencyPaths":["botocore"],"description":"Low-level, data-driven core of boto 3.","downloadUrl":"https://files.pythonhosted.org/packages/6d/a1/95ec376c2300e605225998619c46f7093c515710b9d6d65f891f126f32b6/botocore-1.43.12.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"\n Apache License\n Version 2.0, January 2004\n http://www.apache.org/licenses/\n\n TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n 1. Definitions.\n\n \"License\" shall mean the terms and conditions for use, reproduction,\n and distribution as defined by Sections 1 through 9 of this document.\n\n \"Licensor\" shall mean the copyright owner or entity authorized by\n the copyright owner that is granting the License.\n\n \"Legal Entity\" shall mean the union of the acting entity and all\n other entities that control, are controlled by, or are under common\n control with that entity. For the purposes of this definition,\n \"control\" means (i) the power, direct or indirect, to cause the\n direction or management of such entity, whether by contract or\n otherwise, or (ii) ownership of fifty percent (50%) or more of the\n outstanding shares, or (iii) beneficial ownership of such entity.\n\n \"You\" (or \"Your\") shall mean an individual or Legal Entity\n exercising permissions granted by this License.\n\n \"Source\" form shall mean the preferred form for making modifications,\n including but not limited to software source code, documentation\n source, and configuration files.\n\n \"Object\" form shall mean any form resulting from mechanical\n transformation or translation of a Source form, including but\n not limited to compiled object code, generated documentation,\n and conversions to other media types.\n\n \"Work\" shall mean the work of authorship, whether in Source or\n Object form, made available under the License, as indicated by a\n copyright notice that is included in or attached to the work\n (an example is provided in the Appendix below).\n\n \"Derivative Works\" shall mean any work, whether in Source or Object\n form, that is based on (or derived from) the Work and for which the\n editorial revisions, annotations, elaborations, or other modifications\n represent, as a whole, an original work of authorship. For the purposes\n of this License, Derivative Works shall not include works that remain\n separable from, or merely link (or bind by name) to the interfaces of,\n the Work and Derivative Works thereof.\n\n \"Contribution\" shall mean any work of authorship, including\n the original version of the Work and any modifications or additions\n to that Work or Derivative Works thereof, that is intentionally\n submitted to Licensor for inclusion in the Work by the copyright owner\n or by an individual or Legal Entity authorized to submit on behalf of\n the copyright owner. For the purposes of this definition, \"submitted\"\n means any form of electronic, verbal, or written communication sent\n to the Licensor or its representatives, including but not limited to\n communication on electronic mailing lists, source code control systems,\n and issue tracking systems that are managed by, or on behalf of, the\n Licensor for the purpose of discussing and improving the Work, but\n excluding communication that is conspicuously marked or otherwise\n designated in writing by the copyright owner as \"Not a Contribution.\"\n\n \"Contributor\" shall mean Licensor and any individual or Legal Entity\n on behalf of whom a Contribution has been received by Licensor and\n subsequently incorporated within the Work.\n\n 2. Grant of Copyright License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n copyright license to reproduce, prepare Derivative Works of,\n publicly display, publicly perform, sublicense, and distribute the\n Work and such Derivative Works in Source or Object form.\n\n 3. Grant of Patent License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n (except as stated in this section) patent license to make, have made,\n use, offer to sell, sell, import, and otherwise transfer the Work,\n where such license applies only to those patent claims licensable\n by such Contributor that are necessarily infringed by their\n Contribution(s) alone or by combination of their Contribution(s)\n with the Work to which such Contribution(s) was submitted. If You\n institute patent litigation against any entity (including a\n cross-claim or counterclaim in a lawsuit) alleging that the Work\n or a Contribution incorporated within the Work constitutes direct\n or contributory patent infringement, then any patent licenses\n granted to You under this License for that Work shall terminate\n as of the date such litigation is filed.\n\n 4. Redistribution. You may reproduce and distribute copies of the\n Work or Derivative Works thereof in any medium, with or without\n modifications, and in Source or Object form, provided that You\n meet the following conditions:\n\n (a) You must give any other recipients of the Work or\n Derivative Works a copy of this License; and\n\n (b) You must cause any modified files to carry prominent notices\n stating that You changed the files; and\n\n (c) You must retain, in the Source form of any Derivative Works\n that You distribute, all copyright, patent, trademark, and\n attribution notices from the Source form of the Work,\n excluding those notices that do not pertain to any part of\n the Derivative Works; and\n\n (d) If the Work includes a \"NOTICE\" text file as part of its\n distribution, then any Derivative Works that You distribute must\n include a readable copy of the attribution notices contained\n within such NOTICE file, excluding those notices that do not\n pertain to any part of the Derivative Works, in at least one\n of the following places: within a NOTICE text file distributed\n as part of the Derivative Works; within the Source form or\n documentation, if provided along with the Derivative Works; or,\n within a display generated by the Derivative Works, if and\n wherever such third-party notices normally appear. The contents\n of the NOTICE file are for informational purposes only and\n do not modify the License. You may add Your own attribution\n notices within Derivative Works that You distribute, alongside\n or as an addendum to the NOTICE text from the Work, provided\n that such additional attribution notices cannot be construed\n as modifying the License.\n\n You may add Your own copyright statement to Your modifications and\n may provide additional or different license terms and conditions\n for use, reproduction, or distribution of Your modifications, or\n for any such Derivative Works as a whole, provided Your use,\n reproduction, and distribution of the Work otherwise complies with\n the conditions stated in this License.\n\n 5. Submission of Contributions. Unless You explicitly state otherwise,\n any Contribution intentionally submitted for inclusion in the Work\n by You to the Licensor shall be under the terms and conditions of\n this License, without any additional terms or conditions.\n Notwithstanding the above, nothing herein shall supersede or modify\n the terms of any separate license agreement you may have executed\n with Licensor regarding such Contributions.\n\n 6. Trademarks. This License does not grant permission to use the trade\n names, trademarks, service marks, or product names of the Licensor,\n except as required for reasonable and customary use in describing the\n origin of the Work and reproducing the content of the NOTICE file.\n\n 7. Disclaimer of Warranty. Unless required by applicable law or\n agreed to in writing, Licensor provides the Work (and each\n Contributor provides its Contributions) on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n implied, including, without limitation, any warranties or conditions\n of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n PARTICULAR PURPOSE. You are solely responsible for determining the\n appropriateness of using or redistributing the Work and assume any\n risks associated with Your exercise of permissions under this License.\n\n 8. Limitation of Liability. In no event and under no legal theory,\n whether in tort (including negligence), contract, or otherwise,\n unless required by applicable law (such as deliberate and grossly\n negligent acts) or agreed to in writing, shall any Contributor be\n liable to You for damages, including any direct, indirect, special,\n incidental, or consequential damages of any character arising as a\n result of this License or out of the use or inability to use the\n Work (including but not limited to damages for loss of goodwill,\n work stoppage, computer failure or malfunction, or any and all\n other commercial damages or losses), even if such Contributor\n has been advised of the possibility of such damages.\n\n 9. Accepting Warranty or Additional Liability. While redistributing\n the Work or Derivative Works thereof, You may choose to offer,\n and charge a fee for, acceptance of support, warranty, indemnity,\n or other liability obligations and/or rights consistent with this\n License. However, in accepting such obligations, You may act only\n on Your own behalf and on Your sole responsibility, not on behalf\n of any other Contributor, and only if You agree to indemnify,\n defend, and hold each Contributor harmless for any liability\n incurred by, or claims asserted against, such Contributor by reason\n of your accepting any such warranty or additional liability.\n\n END OF TERMS AND CONDITIONS\n","name":"Apache-2.0"}],"notes":[],"otherLicenses":[{"attribution":"Copyright (c) 2012-2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","name":"MIT"},{"attribution":"1. Definitions\n 1.1. \"Contributor\" means each individual or legal entity that creates, contributes to the creation of, or owns Covered Software.\n 1.2. \"Contributor Version\" means the combination of the Contributions of others (if any) used by a Contributor and that particular Contributor's Contribution.\n 1.3. \"Contribution\" means Covered Software of a particular Contributor.\n 1.4. \"Covered Software\" means Source Code Form to which the initial Contributor has attached the notice in Exhibit A, the Executable Form of such Source Code Form, and Modifications of such Source Code Form, in each case including portions thereof.\n 1.5. \"Incompatible With Secondary Licenses\" means\n (a) that the initial Contributor has attached the notice described in Exhibit B to the Covered Software; or\n (b) that the Covered Software was made available under the terms of version 1.1 or earlier of the License, but not also under the terms of a Secondary License.\n 1.6. \"Executable Form\" means any form of the work other than Source Code Form.\n 1.7. \"Larger Work\" means a work that combines Covered Software with other material, in a separate file or files, that is not Covered Software.\n 1.8. \"License\" means this document.\n 1.9. \"Licensable\" means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently, any and all of the rights conveyed by this License.\n 1.10. \"Modifications\" means any of the following:\n (a) any file in Source Code Form that results from an addition to, deletion from, or modification of the contents of Covered Software; or\n (b) any new file in Source Code Form that contains any Covered Software.\n 1.11. \"Patent Claims\" of a Contributor means any patent claim(s), including without limitation, method, process, and apparatus claims, in any patent Licensable by such Contributor that would be infringed, but for the grant of the License, by the making, using, selling, offering for sale, having made, import, or transfer of either its Contributions or its Contributor Version.\n 1.12. \"Secondary License\" means either the GNU General Public License, Version 2.0, the GNU Lesser General Public License, Version 2.1, the GNU Affero General Public License, Version 3.0, or any later versions of those licenses.\n 1.13. \"Source Code Form\" means the form of the work preferred for making modifications.\n 1.14. \"You\" (or \"Your\") means an individual or a legal entity exercising rights under this License. For legal entities, \"You\" includes any entity that controls, is controlled by, or is under common control with You. For purposes of this definition, \"control\" means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity.\n 2. License Grants and Conditions\n 2.1. Grants\n Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license:\n (a) under intellectual property rights (other than patent or trademark) Licensable by such Contributor to use, reproduce, make available, modify, display, perform, distribute, and otherwise exploit its Contributions, either on an unmodified basis, with Modifications, or as part of a Larger Work; and\n (b) under Patent Claims of such Contributor to make, use, sell, offer for sale, have made, import, and otherwise transfer either its Contributions or its Contributor Version.\n 2.2. Effective Date\n The licenses granted in Section 2.1 with respect to any Contribution become effective for each Contribution on the date the Contributor first distributes such Contribution.\n 2.3. Limitations on Grant Scope\n The licenses granted in this Section 2 are the only rights granted under this License. No additional rights or licenses will be implied from the distribution or licensing of Covered Software under this License. Notwithstanding Section 2.1(b) above, no patent license is granted by a Contributor:\n (a) for any code that a Contributor has removed from Covered Software; or\n (b) for infringements caused by: (i) Your and any other third party's modifications of Covered Software, or (ii) the combination of its Contributions with other software (except as part of its Contributor Version); or\n (c) under Patent Claims infringed by Covered Software in the absence of its Contributions.\n This License does not grant any rights in the trademarks, service marks, or logos of any Contributor (except as may be necessary to comply with the notice requirements in Section 3.4).\n 2.4. Subsequent Licenses\n No Contributor makes additional grants as a result of Your choice to distribute the Covered Software under a subsequent version of this License (see Section 10.2) or under the terms of a Secondary License (if permitted under the terms of Section 3.3).\n 2.5. Representation\n Each Contributor represents that the Contributor believes its Contributions are its original creation(s) or it has sufficient rights to grant the rights to its Contributions conveyed by this License.\n 2.6. Fair Use\n This License is not intended to limit any rights You have under applicable copyright doctrines of fair use, fair dealing, or other equivalents.\n 2.7. Conditions\n Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in Section 2.1.\n 3. Responsibilities\n 3.1. Distribution of Source Form\n All distribution of Covered Software in Source Code Form, including any Modifications that You create or to which You contribute, must be under the terms of this License. You must inform recipients that the Source Code Form of the Covered Software is governed by the terms of this License, and how they can obtain a copy of this License. You may not attempt to alter or restrict the recipients' rights in the Source Code Form.\n 3.2. Distribution of Executable Form\n If You distribute Covered Software in Executable Form then:\n (a) such Covered Software must also be made available in Source Code Form, as described in Section 3.1, and You must inform recipients of the Executable Form how they can obtain a copy of such Source Code Form by reasonable means in a timely manner, at a charge no more than the cost of distribution to the recipient; and\n (b) You may distribute such Executable Form under the terms of this License, or sublicense it under different terms, provided that the license for the Executable Form does not attempt to limit or alter the recipients' rights in the Source Code Form under this License.\n 3.3. Distribution of a Larger Work\n You may create and distribute a Larger Work under terms of Your choice, provided that You also comply with the requirements of this License for the Covered Software. If the Larger Work is a combination of Covered Software with a work governed by one or more Secondary Licenses, and the Covered Software is not Incompatible With Secondary Licenses, this License permits You to additionally distribute such Covered Software under the terms of such Secondary License(s), so that the recipient of the Larger Work may, at their option, further distribute the Covered Software under the terms of either this License or such Secondary License(s).\n 3.4. Notices\n You may not remove or alter the substance of any license notices (including copyright notices, patent notices, disclaimers of warranty, or limitations of liability) contained within the Source Code Form of the Covered Software, except that You may alter any license notices to the extent required to remedy known factual inaccuracies.\n 3.5. Application of Additional Terms\n You may choose to offer, and to charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Software. However, You may do so only on Your own behalf, and not on behalf of any Contributor. You must make it absolutely clear that any such warranty, support, indemnity, or liability obligation is offered by You alone, and You hereby agree to indemnify every Contributor for any liability incurred by such Contributor as a result of warranty, support, indemnity or liability terms You offer. You may include additional disclaimers of warranty and limitations of liability specific to any jurisdiction.\n 4. Inability to Comply Due to Statute or Regulation\n If it is impossible for You to comply with any of the terms of this License with respect to some or all of the Covered Software due to statute, judicial order, or regulation then You must: (a) comply with the terms of this License to the maximum extent possible; and (b) describe the limitations and the code they affect. Such description must be placed in a text file included with all distributions of the Covered Software under this License. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it.\n 5. Termination\n 5.1. The rights granted under this License will terminate automatically if You fail to comply with any of its terms. However, if You become compliant, then the rights granted under this License from a particular Contributor are reinstated (a) provisionally, unless and until such Contributor explicitly and finally terminates Your grants, and (b) on an ongoing basis, if such Contributor fails to notify You of the non-compliance by some reasonable means prior to 60 days after You have come back into compliance. Moreover, Your grants from a particular Contributor are reinstated on an ongoing basis if such Contributor notifies You of the non-compliance by some reasonable means, this is the first time You have received notice of non-compliance with this License from such Contributor, and You become compliant prior to 30 days after Your receipt of the notice.\n 5.2. If You initiate litigation against any entity by asserting a patent infringement claim (excluding declaratory judgment actions, counter-claims, and cross-claims) alleging that a Contributor Version directly or indirectly infringes any patent, then the rights granted to You by any and all Contributors for the Covered Software under Section 2.1 of this License shall terminate.\n 5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user license agreements (excluding distributors and resellers) which have been validly granted by You or Your distributors under this License prior to termination shall survive termination.\n 6. Disclaimer of Warranty\n Covered Software is provided under this License on an \"as is\" basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the Covered Software is free of defects, merchantable, fit for a particular purpose or non-infringing. The entire risk as to the quality and performance of the Covered Software is with You. Should any Covered Software prove defective in any respect, You (not any Contributor) assume the cost of any necessary servicing, repair, or correction. This disclaimer of warranty constitutes an essential part of this License. No use of any Covered Software is authorized under this License except under this disclaimer.\n 7. Limitation of Liability\n Under no circumstances and under no legal theory, whether tort (including negligence), contract, or otherwise, shall any Contributor, or anyone who distributes Covered Software as permitted above, be liable to You for any direct, indirect, special, incidental, or consequential damages of any character including, without limitation, damages for lost profits, loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses, even if such party shall have been informed of the possibility of such damages. This limitation of liability shall not apply to liability for death or personal injury resulting from such party's negligence to the extent applicable law prohibits such limitation. Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so this exclusion and limitation may not apply to You.\n 8. Litigation\n Any litigation relating to this License may be brought only in the courts of a jurisdiction where the defendant maintains its principal place of business and such litigation shall be governed by laws of that jurisdiction, without reference to its conflict-of-law provisions. Nothing in this Section shall prevent a party's ability to bring cross-claims or counter-claims.\n 9. Miscellaneous\n This License represents the complete agreement concerning the subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. Any law or regulation which provides that the language of a contract shall be construed against the drafter shall not be used to construe this License against a Contributor.\n 10. Versions of the License\n 10.1. New Versions\n Mozilla Foundation is the license steward. Except as provided in Section 10.3, no one other than the license steward has the right to modify or publish new versions of this License. Each version will be given a distinguishing version number.\n 10.2. Effect of New Versions\n You may distribute the Covered Software under the terms of the version of the License under which You originally received the Covered Software, or under the terms of any subsequent version published by the license steward.\n 10.3. Modified Versions\n If you create software not governed by this License, and you want to create a new license for such software, you may create and use a modified version of this License if you rename the license and remove any references to the name of the license steward (except to note that such modified license differs from this License).\n 10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses\n If You choose to distribute Source Code Form that is Incompatible With Secondary Licenses under the terms of this version of the License, the notice described in Exhibit B of this License must be attached.","name":"MPL-2.0"}],"package":"botocore","projectUrl":"https://github.com/boto/botocore","source":"pip","title":"botocore","version":"1.43.12"},{"authors":["The Python Cryptographic Authority and individual contributors "],"dependencyPaths":["cryptography"],"description":"cryptography is a package which provides cryptographic recipes and primitives to Python developers.","downloadUrl":"https://files.pythonhosted.org/packages/9f/a9/db8f313fdcd85d767d4973515e1db101f9c71f95fced83233de224673757/cryptography-48.0.0.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) Individual contributors.\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\n 1. Redistributions of source code must retain the above copyright notice,\n this list of conditions and the following disclaimer.\n\n 2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in the\n documentation and/or other materials provided with the distribution.\n\n 3. Neither the name of PyCA Cryptography nor the names of its contributors\n may be used to endorse or promote products derived from this software\n without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND\nANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\nWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR\nANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES\n(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;\nLOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON\nANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS\nSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n","name":"BSD-3-Clause"},{"attribution":"This software is made available under the terms of *either* of the licenses\nfound in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made\nunder the terms of *both* these licenses.\n","name":"Apache-2.0"}],"notes":[],"otherLicenses":[{"attribution":"This repository relates to activities in the Internet Engineering Task Force (IETF). All material in this repository is considered Contributions to the IETF Standards Process, as defined in the intellectual property policies of IETF currently designated as BCP 78, BCP 79 and the IETF Trust Legal Provisions (TLP) Relating to IETF Documents.\n\nAny edit, commit, pull request, issue, comment or other change made to this repository constitutes Contributions to the IETF Standards Process (https://www.ietf.org/).\n\nYou agree to comply with all applicable IETF policies and procedures, including, BCP 78, 79, the TLP, and the TLP rules regarding code components (e.g. being subject to a Simplified BSD License) in Contributions.","name":"IETF"}],"package":"cryptography","projectUrl":"https://pypi.org/project/cryptography/","source":"pip","title":"cryptography","version":"48.0.0"},{"authors":[],"dependencyPaths":["numpy"],"description":null,"downloadUrl":"https://files.pythonhosted.org/packages/d0/ad/fed0499ce6a338d2a03ebae59cd15093910c8875328855781952abf6c2fe/numpy-2.4.6.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) 2005-2020, NumPy Developers.\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n * Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer.\n\n * Redistributions in binary form must reproduce the above\n copyright notice, this list of conditions and the following\n disclaimer in the documentation and/or other materials provided\n with the distribution.\n\n * Neither the name of the NumPy Developers nor the names of any\n contributors may be used to endorse or promote products derived\n from this software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.","name":"BSD-3-Clause"}],"notes":[],"otherLicenses":[],"package":"numpy","projectUrl":null,"source":"pip","title":"numpy","version":"2.4.6"},{"authors":["Kenneth Reitz "],"dependencyPaths":["requests"],"description":"Python HTTP for Humans.","downloadUrl":"https://files.pythonhosted.org/packages/60/f3/26ff3767f099b73e0efa138a9998da67890793bfa475d8278f84a30fec77/requests-2.27.1.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"\n Apache License\n Version 2.0, January 2004\n http://www.apache.org/licenses/\n\n TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n 1. Definitions.\n\n \"License\" shall mean the terms and conditions for use, reproduction,\n and distribution as defined by Sections 1 through 9 of this document.\n\n \"Licensor\" shall mean the copyright owner or entity authorized by\n the copyright owner that is granting the License.\n\n \"Legal Entity\" shall mean the union of the acting entity and all\n other entities that control, are controlled by, or are under common\n control with that entity. For the purposes of this definition,\n \"control\" means (i) the power, direct or indirect, to cause the\n direction or management of such entity, whether by contract or\n otherwise, or (ii) ownership of fifty percent (50%) or more of the\n outstanding shares, or (iii) beneficial ownership of such entity.\n\n \"You\" (or \"Your\") shall mean an individual or Legal Entity\n exercising permissions granted by this License.\n\n \"Source\" form shall mean the preferred form for making modifications,\n including but not limited to software source code, documentation\n source, and configuration files.\n\n \"Object\" form shall mean any form resulting from mechanical\n transformation or translation of a Source form, including but\n not limited to compiled object code, generated documentation,\n and conversions to other media types.\n\n \"Work\" shall mean the work of authorship, whether in Source or\n Object form, made available under the License, as indicated by a\n copyright notice that is included in or attached to the work\n (an example is provided in the Appendix below).\n\n \"Derivative Works\" shall mean any work, whether in Source or Object\n form, that is based on (or derived from) the Work and for which the\n editorial revisions, annotations, elaborations, or other modifications\n represent, as a whole, an original work of authorship. For the purposes\n of this License, Derivative Works shall not include works that remain\n separable from, or merely link (or bind by name) to the interfaces of,\n the Work and Derivative Works thereof.\n\n \"Contribution\" shall mean any work of authorship, including\n the original version of the Work and any modifications or additions\n to that Work or Derivative Works thereof, that is intentionally\n submitted to Licensor for inclusion in the Work by the copyright owner\n or by an individual or Legal Entity authorized to submit on behalf of\n the copyright owner. For the purposes of this definition, \"submitted\"\n means any form of electronic, verbal, or written communication sent\n to the Licensor or its representatives, including but not limited to\n communication on electronic mailing lists, source code control systems,\n and issue tracking systems that are managed by, or on behalf of, the\n Licensor for the purpose of discussing and improving the Work, but\n excluding communication that is conspicuously marked or otherwise\n designated in writing by the copyright owner as \"Not a Contribution.\"\n\n \"Contributor\" shall mean Licensor and any individual or Legal Entity\n on behalf of whom a Contribution has been received by Licensor and\n subsequently incorporated within the Work.\n\n 2. Grant of Copyright License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n copyright license to reproduce, prepare Derivative Works of,\n publicly display, publicly perform, sublicense, and distribute the\n Work and such Derivative Works in Source or Object form.\n\n 3. Grant of Patent License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n (except as stated in this section) patent license to make, have made,\n use, offer to sell, sell, import, and otherwise transfer the Work,\n where such license applies only to those patent claims licensable\n by such Contributor that are necessarily infringed by their\n Contribution(s) alone or by combination of their Contribution(s)\n with the Work to which such Contribution(s) was submitted. If You\n institute patent litigation against any entity (including a\n cross-claim or counterclaim in a lawsuit) alleging that the Work\n or a Contribution incorporated within the Work constitutes direct\n or contributory patent infringement, then any patent licenses\n granted to You under this License for that Work shall terminate\n as of the date such litigation is filed.\n\n 4. Redistribution. You may reproduce and distribute copies of the\n Work or Derivative Works thereof in any medium, with or without\n modifications, and in Source or Object form, provided that You\n meet the following conditions:\n\n (a) You must give any other recipients of the Work or\n Derivative Works a copy of this License; and\n\n (b) You must cause any modified files to carry prominent notices\n stating that You changed the files; and\n\n (c) You must retain, in the Source form of any Derivative Works\n that You distribute, all copyright, patent, trademark, and\n attribution notices from the Source form of the Work,\n excluding those notices that do not pertain to any part of\n the Derivative Works; and\n\n (d) If the Work includes a \"NOTICE\" text file as part of its\n distribution, then any Derivative Works that You distribute must\n include a readable copy of the attribution notices contained\n within such NOTICE file, excluding those notices that do not\n pertain to any part of the Derivative Works, in at least one\n of the following places: within a NOTICE text file distributed\n as part of the Derivative Works; within the Source form or\n documentation, if provided along with the Derivative Works; or,\n within a display generated by the Derivative Works, if and\n wherever such third-party notices normally appear. The contents\n of the NOTICE file are for informational purposes only and\n do not modify the License. You may add Your own attribution\n notices within Derivative Works that You distribute, alongside\n or as an addendum to the NOTICE text from the Work, provided\n that such additional attribution notices cannot be construed\n as modifying the License.\n\n You may add Your own copyright statement to Your modifications and\n may provide additional or different license terms and conditions\n for use, reproduction, or distribution of Your modifications, or\n for any such Derivative Works as a whole, provided Your use,\n reproduction, and distribution of the Work otherwise complies with\n the conditions stated in this License.\n\n 5. Submission of Contributions. Unless You explicitly state otherwise,\n any Contribution intentionally submitted for inclusion in the Work\n by You to the Licensor shall be under the terms and conditions of\n this License, without any additional terms or conditions.\n Notwithstanding the above, nothing herein shall supersede or modify\n the terms of any separate license agreement you may have executed\n with Licensor regarding such Contributions.\n\n 6. Trademarks. This License does not grant permission to use the trade\n names, trademarks, service marks, or product names of the Licensor,\n except as required for reasonable and customary use in describing the\n origin of the Work and reproducing the content of the NOTICE file.\n\n 7. Disclaimer of Warranty. Unless required by applicable law or\n agreed to in writing, Licensor provides the Work (and each\n Contributor provides its Contributions) on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n implied, including, without limitation, any warranties or conditions\n of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n PARTICULAR PURPOSE. You are solely responsible for determining the\n appropriateness of using or redistributing the Work and assume any\n risks associated with Your exercise of permissions under this License.\n\n 8. Limitation of Liability. In no event and under no legal theory,\n whether in tort (including negligence), contract, or otherwise,\n unless required by applicable law (such as deliberate and grossly\n negligent acts) or agreed to in writing, shall any Contributor be\n liable to You for damages, including any direct, indirect, special,\n incidental, or consequential damages of any character arising as a\n result of this License or out of the use or inability to use the\n Work (including but not limited to damages for loss of goodwill,\n work stoppage, computer failure or malfunction, or any and all\n other commercial damages or losses), even if such Contributor\n has been advised of the possibility of such damages.\n\n 9. Accepting Warranty or Additional Liability. While redistributing\n the Work or Derivative Works thereof, You may choose to offer,\n and charge a fee for, acceptance of support, warranty, indemnity,\n or other liability obligations and/or rights consistent with this\n License. However, in accepting such obligations, You may act only\n on Your own behalf and on Your sole responsibility, not on behalf\n of any other Contributor, and only if You agree to indemnify,\n defend, and hold each Contributor harmless for any liability\n incurred by, or claims asserted against, such Contributor by reason\n of your accepting any such warranty or additional liability.\n","name":"Apache-2.0"}],"notes":[],"otherLicenses":[],"package":"requests","projectUrl":"https://pypi.org/project/requests/","source":"pip","title":"requests","version":"2.27.1"},{"authors":["willmcgugan@gmail.com"],"dependencyPaths":["rich"],"description":"Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal","downloadUrl":"https://files.pythonhosted.org/packages/eb/be/bd5d6c37f5de55f31cb9432e0d926ceeab1b2ee774bd696557b53bc15012/rich-11.0.0.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) 2020 Will McGugan\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n","name":"MIT"}],"notes":[],"otherLicenses":[],"package":"rich","projectUrl":"https://pypi.org/project/rich/","source":"pip","title":"rich","version":"11.0.0"},{"authors":["Andrey Petrov "],"dependencyPaths":["urllib3"],"description":"HTTP library with thread-safe connection pooling, file post, and more.","downloadUrl":"https://files.pythonhosted.org/packages/53/0c/06f8b233b8fd13b9e5ee11424ef85419ba0d8ba0b3138bf360be2ff56953/urllib3-2.7.0.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"MIT License\n\nCopyright (c) 2008-2020 Andrey Petrov and contributors.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n","name":"MIT"}],"notes":[],"otherLicenses":[{"attribution":"1. Definitions\n 1.1. \"Contributor\" means each individual or legal entity that creates, contributes to the creation of, or owns Covered Software.\n 1.2. \"Contributor Version\" means the combination of the Contributions of others (if any) used by a Contributor and that particular Contributor's Contribution.\n 1.3. \"Contribution\" means Covered Software of a particular Contributor.\n 1.4. \"Covered Software\" means Source Code Form to which the initial Contributor has attached the notice in Exhibit A, the Executable Form of such Source Code Form, and Modifications of such Source Code Form, in each case including portions thereof.\n 1.5. \"Incompatible With Secondary Licenses\" means\n (a) that the initial Contributor has attached the notice described in Exhibit B to the Covered Software; or\n (b) that the Covered Software was made available under the terms of version 1.1 or earlier of the License, but not also under the terms of a Secondary License.\n 1.6. \"Executable Form\" means any form of the work other than Source Code Form.\n 1.7. \"Larger Work\" means a work that combines Covered Software with other material, in a separate file or files, that is not Covered Software.\n 1.8. \"License\" means this document.\n 1.9. \"Licensable\" means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently, any and all of the rights conveyed by this License.\n 1.10. \"Modifications\" means any of the following:\n (a) any file in Source Code Form that results from an addition to, deletion from, or modification of the contents of Covered Software; or\n (b) any new file in Source Code Form that contains any Covered Software.\n 1.11. \"Patent Claims\" of a Contributor means any patent claim(s), including without limitation, method, process, and apparatus claims, in any patent Licensable by such Contributor that would be infringed, but for the grant of the License, by the making, using, selling, offering for sale, having made, import, or transfer of either its Contributions or its Contributor Version.\n 1.12. \"Secondary License\" means either the GNU General Public License, Version 2.0, the GNU Lesser General Public License, Version 2.1, the GNU Affero General Public License, Version 3.0, or any later versions of those licenses.\n 1.13. \"Source Code Form\" means the form of the work preferred for making modifications.\n 1.14. \"You\" (or \"Your\") means an individual or a legal entity exercising rights under this License. For legal entities, \"You\" includes any entity that controls, is controlled by, or is under common control with You. For purposes of this definition, \"control\" means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity.\n 2. License Grants and Conditions\n 2.1. Grants\n Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license:\n (a) under intellectual property rights (other than patent or trademark) Licensable by such Contributor to use, reproduce, make available, modify, display, perform, distribute, and otherwise exploit its Contributions, either on an unmodified basis, with Modifications, or as part of a Larger Work; and\n (b) under Patent Claims of such Contributor to make, use, sell, offer for sale, have made, import, and otherwise transfer either its Contributions or its Contributor Version.\n 2.2. Effective Date\n The licenses granted in Section 2.1 with respect to any Contribution become effective for each Contribution on the date the Contributor first distributes such Contribution.\n 2.3. Limitations on Grant Scope\n The licenses granted in this Section 2 are the only rights granted under this License. No additional rights or licenses will be implied from the distribution or licensing of Covered Software under this License. Notwithstanding Section 2.1(b) above, no patent license is granted by a Contributor:\n (a) for any code that a Contributor has removed from Covered Software; or\n (b) for infringements caused by: (i) Your and any other third party's modifications of Covered Software, or (ii) the combination of its Contributions with other software (except as part of its Contributor Version); or\n (c) under Patent Claims infringed by Covered Software in the absence of its Contributions.\n This License does not grant any rights in the trademarks, service marks, or logos of any Contributor (except as may be necessary to comply with the notice requirements in Section 3.4).\n 2.4. Subsequent Licenses\n No Contributor makes additional grants as a result of Your choice to distribute the Covered Software under a subsequent version of this License (see Section 10.2) or under the terms of a Secondary License (if permitted under the terms of Section 3.3).\n 2.5. Representation\n Each Contributor represents that the Contributor believes its Contributions are its original creation(s) or it has sufficient rights to grant the rights to its Contributions conveyed by this License.\n 2.6. Fair Use\n This License is not intended to limit any rights You have under applicable copyright doctrines of fair use, fair dealing, or other equivalents.\n 2.7. Conditions\n Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in Section 2.1.\n 3. Responsibilities\n 3.1. Distribution of Source Form\n All distribution of Covered Software in Source Code Form, including any Modifications that You create or to which You contribute, must be under the terms of this License. You must inform recipients that the Source Code Form of the Covered Software is governed by the terms of this License, and how they can obtain a copy of this License. You may not attempt to alter or restrict the recipients' rights in the Source Code Form.\n 3.2. Distribution of Executable Form\n If You distribute Covered Software in Executable Form then:\n (a) such Covered Software must also be made available in Source Code Form, as described in Section 3.1, and You must inform recipients of the Executable Form how they can obtain a copy of such Source Code Form by reasonable means in a timely manner, at a charge no more than the cost of distribution to the recipient; and\n (b) You may distribute such Executable Form under the terms of this License, or sublicense it under different terms, provided that the license for the Executable Form does not attempt to limit or alter the recipients' rights in the Source Code Form under this License.\n 3.3. Distribution of a Larger Work\n You may create and distribute a Larger Work under terms of Your choice, provided that You also comply with the requirements of this License for the Covered Software. If the Larger Work is a combination of Covered Software with a work governed by one or more Secondary Licenses, and the Covered Software is not Incompatible With Secondary Licenses, this License permits You to additionally distribute such Covered Software under the terms of such Secondary License(s), so that the recipient of the Larger Work may, at their option, further distribute the Covered Software under the terms of either this License or such Secondary License(s).\n 3.4. Notices\n You may not remove or alter the substance of any license notices (including copyright notices, patent notices, disclaimers of warranty, or limitations of liability) contained within the Source Code Form of the Covered Software, except that You may alter any license notices to the extent required to remedy known factual inaccuracies.\n 3.5. Application of Additional Terms\n You may choose to offer, and to charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Software. However, You may do so only on Your own behalf, and not on behalf of any Contributor. You must make it absolutely clear that any such warranty, support, indemnity, or liability obligation is offered by You alone, and You hereby agree to indemnify every Contributor for any liability incurred by such Contributor as a result of warranty, support, indemnity or liability terms You offer. You may include additional disclaimers of warranty and limitations of liability specific to any jurisdiction.\n 4. Inability to Comply Due to Statute or Regulation\n If it is impossible for You to comply with any of the terms of this License with respect to some or all of the Covered Software due to statute, judicial order, or regulation then You must: (a) comply with the terms of this License to the maximum extent possible; and (b) describe the limitations and the code they affect. Such description must be placed in a text file included with all distributions of the Covered Software under this License. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it.\n 5. Termination\n 5.1. The rights granted under this License will terminate automatically if You fail to comply with any of its terms. However, if You become compliant, then the rights granted under this License from a particular Contributor are reinstated (a) provisionally, unless and until such Contributor explicitly and finally terminates Your grants, and (b) on an ongoing basis, if such Contributor fails to notify You of the non-compliance by some reasonable means prior to 60 days after You have come back into compliance. Moreover, Your grants from a particular Contributor are reinstated on an ongoing basis if such Contributor notifies You of the non-compliance by some reasonable means, this is the first time You have received notice of non-compliance with this License from such Contributor, and You become compliant prior to 30 days after Your receipt of the notice.\n 5.2. If You initiate litigation against any entity by asserting a patent infringement claim (excluding declaratory judgment actions, counter-claims, and cross-claims) alleging that a Contributor Version directly or indirectly infringes any patent, then the rights granted to You by any and all Contributors for the Covered Software under Section 2.1 of this License shall terminate.\n 5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user license agreements (excluding distributors and resellers) which have been validly granted by You or Your distributors under this License prior to termination shall survive termination.\n 6. Disclaimer of Warranty\n Covered Software is provided under this License on an \"as is\" basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the Covered Software is free of defects, merchantable, fit for a particular purpose or non-infringing. The entire risk as to the quality and performance of the Covered Software is with You. Should any Covered Software prove defective in any respect, You (not any Contributor) assume the cost of any necessary servicing, repair, or correction. This disclaimer of warranty constitutes an essential part of this License. No use of any Covered Software is authorized under this License except under this disclaimer.\n 7. Limitation of Liability\n Under no circumstances and under no legal theory, whether tort (including negligence), contract, or otherwise, shall any Contributor, or anyone who distributes Covered Software as permitted above, be liable to You for any direct, indirect, special, incidental, or consequential damages of any character including, without limitation, damages for lost profits, loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses, even if such party shall have been informed of the possibility of such damages. This limitation of liability shall not apply to liability for death or personal injury resulting from such party's negligence to the extent applicable law prohibits such limitation. Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so this exclusion and limitation may not apply to You.\n 8. Litigation\n Any litigation relating to this License may be brought only in the courts of a jurisdiction where the defendant maintains its principal place of business and such litigation shall be governed by laws of that jurisdiction, without reference to its conflict-of-law provisions. Nothing in this Section shall prevent a party's ability to bring cross-claims or counter-claims.\n 9. Miscellaneous\n This License represents the complete agreement concerning the subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. Any law or regulation which provides that the language of a contract shall be construed against the drafter shall not be used to construe this License against a Contributor.\n 10. Versions of the License\n 10.1. New Versions\n Mozilla Foundation is the license steward. Except as provided in Section 10.3, no one other than the license steward has the right to modify or publish new versions of this License. Each version will be given a distinguishing version number.\n 10.2. Effect of New Versions\n You may distribute the Covered Software under the terms of the version of the License under which You originally received the Covered Software, or under the terms of any subsequent version published by the license steward.\n 10.3. Modified Versions\n If you create software not governed by this License, and you want to create a new license for such software, you may create and use a modified version of this License if you rename the license and remove any references to the name of the license steward (except to note that such modified license differs from this License).\n 10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses\n If You choose to distribute Source Code Form that is Incompatible With Secondary Licenses under the terms of this version of the License, the notice described in Exhibit B of this License must be attached.","name":"MPL-2.0"}],"package":"urllib3","projectUrl":"https://pypi.org/project/urllib3/","source":"pip","title":"urllib3","version":"2.7.0"}],"licenses":{"Apache-2.0":"This software is made available under the terms of *either* of the licenses\nfound in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made\nunder the terms of *both* these licenses.\n","BSD-3-Clause":"Copyright (c) Individual contributors.\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\n 1. Redistributions of source code must retain the above copyright notice,\n this list of conditions and the following disclaimer.\n\n 2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in the\n documentation and/or other materials provided with the distribution.\n\n 3. Neither the name of PyCA Cryptography nor the names of its contributors\n may be used to endorse or promote products derived from this software\n without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND\nANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\nWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR\nANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES\n(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;\nLOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON\nANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS\nSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n","CC-BY-SA-4.0":"Creative Commons Attribution-ShareAlike 4.0 International Creative Commons Corporation (\"Creative Commons\") is not a law firm and does not provide legal services or legal advice. Distribution of Creative Commons public licenses does not create a lawyer-client or other relationship. Creative Commons makes its licenses and related information available on an \"as-is\" basis. Creative Commons gives no warranties regarding its licenses, any material licensed under their terms and conditions, or any related information. Creative Commons disclaims all liability for damages resulting from their use to the fullest extent possible.\nUsing Creative Commons Public Licenses\nCreative Commons public licenses provide a standard set of terms and conditions that creators and other rights holders may use to share original works of authorship and other material subject to copyright and certain other rights specified in the public license below. The following considerations are for informational purposes only, are not exhaustive, and do not form part of our licenses.\nConsiderations for licensors: Our public licenses are intended for use by those authorized to give the public permission to use material in ways otherwise restricted by copyright and certain other rights. Our licenses are irrevocable. Licensors should read and understand the terms and conditions of the license they choose before applying it. Licensors should also secure all rights necessary before applying our licenses so that the public can reuse the material as expected. Licensors should clearly mark any material not subject to the license. This includes other CC-licensed material, or material used under an exception or limitation to copyright. More considerations for licensors : wiki.creativecommons.org/Considerations_for_licensors\nConsiderations for the public: By using one of our public licenses, a licensor grants the public permission to use the licensed material under specified terms and conditions. If the licensor's permission is not necessary for any reason–for example, because of any applicable exception or limitation to copyright–then that use is not regulated by the license. Our licenses grant only permissions under copyright and certain other rights that a licensor has authority to grant. Use of the licensed material may still be restricted for other reasons, including because others have copyright or other rights in the material. A licensor may make special requests, such as asking that all changes be marked or described.\nAlthough not required by our licenses, you are encouraged to respect those requests where reasonable. More considerations for the public : wiki.creativecommons.org/Considerations_for_licensees\nCreative Commons Attribution-ShareAlike 4.0 International Public License\nBy exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-ShareAlike 4.0 International Public License (\"Public License\"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions.\nSection 1 – Definitions.\n a. Adapted Material means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image.\n b. Adapter's License means the license You apply to Your Copyright and Similar Rights in Your contributions to Adapted Material in accordance with the terms and conditions of this Public License.\n c. BY-SA Compatible License means a license listed at creativecommons.org/compatiblelicenses, approved by Creative Commons as essentially the equivalent of this Public License.\n d. Copyright and Similar Rights means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights.\n e. Effective Technological Measures means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements.\n f. Exceptions and Limitations means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material.\n g. License Elements means the license attributes listed in the name of a Creative Commons Public License. The License Elements of this Public License are Attribution and ShareAlike.\n h. Licensed Material means the artistic or literary work, database, or other material to which the Licensor applied this Public License.\n i. Licensed Rights means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license.\n j. Licensor means the individual(s) or entity(ies) granting rights under this Public License.\n k. Share means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them.\n l. Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world.\n m. You means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning.\nSection 2 – Scope.\n a. License grant.\n 1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to:\n A. reproduce and Share the Licensed Material, in whole or in part; and\n B. produce, reproduce, and Share Adapted Material.\n 2. Exceptions and Limitations. For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions.\n 3. Term. The term of this Public License is specified in Section 6(a).\n 4. Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material.\n 5. Downstream recipients.\n A. Offer from the Licensor – Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License.\n B. Additional offer from the Licensor – Adapted Material. Every recipient of Adapted Material from You automatically receives an offer from the Licensor to exercise the Licensed Rights in the Adapted Material under the conditions of the Adapter's License You apply.\n C. No downstream restrictions. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material.\n 6. No endorsement. Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).\n b. Other rights.\n 1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise.\n 2. Patent and trademark rights are not licensed under this Public License.\n 3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties.\nSection 3 – License Conditions.\nYour exercise of the Licensed Rights is expressly made subject to the following conditions.\n a. Attribution.\n 1. If You Share the Licensed Material (including in modified form), You must:\n A. retain the following if it is supplied by the Licensor with the Licensed Material:\n i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);\n ii. a copyright notice;\n iii. a notice that refers to this Public License;\n iv. a notice that refers to the disclaimer of warranties;\n v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable;\n B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and\n C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.\n 2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.\n 3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.\n b. ShareAlike.In addition to the conditions in Section 3(a), if You Share Adapted Material You produce, the following conditions also apply.\n 1. The Adapter's License You apply must be a Creative Commons license with the same License Elements, this version or later, or a BY-SA Compatible License.\n 2. You must include the text of, or the URI or hyperlink to, the Adapter's License You apply. You may satisfy this condition in any reasonable manner based on the medium, means, and context in which You Share Adapted Material.\n 3. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, Adapted Material that restrict exercise of the rights granted under the Adapter's License You apply.\nSection 4 – Sui Generis Database Rights.\nWhere the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material:\n a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database;\n b. if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material, including for purposes of Section 3(b); and\n c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database.\n For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights.\nSection 5 – Disclaimer of Warranties and Limitation of Liability.\n a. Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You.\n b. To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You.\n c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability.\nSection 6 – Term and Termination.\n a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.\n b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:\n 1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or\n 2. upon express reinstatement by the Licensor.\n c. For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License.\n d. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License.\n e. Sections 1, 5, 6, 7, and 8 survive termination of this Public License.\nSection 7 – Other Terms and Conditions.\n a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed.\n b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License.\nSection 8 – Interpretation.\n a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License.\n b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions.\n c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor.\n d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority.\nCreative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the \"Licensor.\" The text of the Creative Commons public licenses is dedicated to the public domain under the CC0 Public Domain Dedication. Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at creativecommons.org/policies, Creative Commons does not authorize the use of the trademark \"Creative Commons\" or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses.\nCreative Commons may be contacted at creativecommons.org.","IETF":"This repository relates to activities in the Internet Engineering Task Force (IETF). All material in this repository is considered Contributions to the IETF Standards Process, as defined in the intellectual property policies of IETF currently designated as BCP 78, BCP 79 and the IETF Trust Legal Provisions (TLP) Relating to IETF Documents.\n\nAny edit, commit, pull request, issue, comment or other change made to this repository constitutes Contributions to the IETF Standards Process (https://www.ietf.org/).\n\nYou agree to comply with all applicable IETF policies and procedures, including, BCP 78, 79, the TLP, and the TLP rules regarding code components (e.g. being subject to a Simplified BSD License) in Contributions.","MIT":"MIT License\n\nCopyright (c) 2019 TAHRI Ahmed R.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","MPL-2.0":"This package contains a modified version of ca-bundle.crt:\n\nca-bundle.crt -- Bundle of CA Root Certificates\n\nThis is a bundle of X.509 certificates of public Certificate Authorities\n(CA). These were automatically extracted from Mozilla's root certificates\nfile (certdata.txt). This file can be found in the mozilla source tree:\nhttps://hg.mozilla.org/mozilla-central/file/tip/security/nss/lib/ckfw/builtins/certdata.txt\nIt contains the certificates in PEM format and therefore\ncan be directly used with curl / libcurl / php_curl, or with\nan Apache+mod_ssl webserver for SSL client authentication.\nJust configure this file as the SSLCACertificateFile.#\n\n***** BEGIN LICENSE BLOCK *****\nThis Source Code Form is subject to the terms of the Mozilla Public License,\nv. 2.0. If a copy of the MPL was not distributed with this file, You can obtain\none at http://mozilla.org/MPL/2.0/.\n\n***** END LICENSE BLOCK *****\n@(#) $RCSfile: certdata.txt,v $ $Revision: 1.80 $ $Date: 2011/11/03 15:11:58 $\n"},"project":{"name":"example-validation-project","revision":"12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux"}} diff --git a/tests/unit/test_cli_config.py b/tests/unit/test_cli_config.py index 045f0e4..27801ec 100644 --- a/tests/unit/test_cli_config.py +++ b/tests/unit/test_cli_config.py @@ -7,8 +7,15 @@ def test_api_token_from_env(self, monkeypatch): config = CliConfig.from_args([]) # Empty args list assert config.api_token == "test-token" - def test_required_args(self): + def test_required_args(self, monkeypatch): """Test that api token is required if not in environment""" + for env_var in ( + "SOCKET_SECURITY_API_KEY", + "SOCKET_SECURITY_API_TOKEN", + "SOCKET_API_KEY", + "SOCKET_API_TOKEN", + ): + monkeypatch.delenv(env_var, raising=False) with pytest.raises(ValueError, match="API token is required"): config = CliConfig.from_args([]) if not config.api_token: @@ -81,4 +88,42 @@ def test_workspace_is_independent_of_workspace_name(self): "--workspace-name", "monorepo-suffix", ]) assert config.workspace == "my-workspace" - assert config.workspace_name == "monorepo-suffix" \ No newline at end of file + assert config.workspace_name == "monorepo-suffix" + + def test_legal_flag_sets_default_artifact_files(self): + config = CliConfig.from_args(["--api-token", "test", "--legal"]) + assert config.legal is True + assert config.legal_format == "socket" + assert config.generate_license is True + assert config.json_file == "socket-report.json" + assert config.summary_file == "socket-summary.txt" + assert config.report_link_file == "socket-report-link.txt" + assert config.sbom_file == "socket-sbom.json" + assert config.license_file_name == "socket-license.json" + + def test_legal_flag_preserves_explicit_file_paths(self): + config = CliConfig.from_args([ + "--api-token", "test", + "--legal", + "--json-file", "custom-report.json", + "--summary-file", "custom-summary.txt", + "--report-link-file", "custom-link.txt", + "--sbom-file", "custom-sbom.json", + "--license-file-name", "custom-license.json", + ]) + assert config.json_file == "custom-report.json" + assert config.summary_file == "custom-summary.txt" + assert config.report_link_file == "custom-link.txt" + assert config.sbom_file == "custom-sbom.json" + assert config.license_file_name == "custom-license.json" + + def test_fossa_legal_format_enables_legal_defaults(self): + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + assert config.legal is True + assert config.legal_format == "fossa" + assert config.generate_license is True + assert config.json_file == "fossa-analyze.json" + assert config.summary_file == "fossa-test.txt" + assert config.report_link_file == "fossa-link.txt" + assert config.sbom_file is None + assert config.license_file_name == "fossa-sbom.json" diff --git a/tests/unit/test_fossa_compat.py b/tests/unit/test_fossa_compat.py new file mode 100644 index 0000000..fadaf03 --- /dev/null +++ b/tests/unit/test_fossa_compat.py @@ -0,0 +1,470 @@ +from socketsecurity.config import CliConfig +from socketsecurity.core.classes import Diff, Issue, Package +from socketsecurity.fossa_compat import ( + build_fossa_attribution_payload, + build_fossa_report_payload, +) + +EXPECTED_TOP_LEVEL_KEYS = ["project", "vulnerability", "licensing", "quality"] +EXPECTED_PROJECT_KEYS = ["branch", "id", "project", "projectId", "revision", "url"] +EXPECTED_VULNERABILITY_KEYS = [ + "affectedVersionRanges", + "containerLayers", + "cpes", + "createdAt", + "customRiskScore", + "cve", + "cveStatus", + "cwes", + "cvss", + "cvssVector", + "depths", + "details", + "epss", + "exploitability", + "id", + "metrics", + "patchedVersionRanges", + "projects", + "published", + "references", + "remediation", + "severity", + "source", + "statuses", + "title", + "type", + "url", + "vulnId", +] +EXPECTED_SOURCE_KEYS = ["id", "name", "packageManager", "url", "version"] +EXPECTED_DEPTH_KEYS = ["deep", "direct"] +EXPECTED_STATUS_KEYS = ["active", "ignored"] +EXPECTED_REMEDIATION_KEYS = [ + "completeFix", + "completeFixDistance", + "partialFix", + "partialFixDistance", +] +EXPECTED_EPSS_KEYS = ["percentile", "score"] + + +def test_fossa_report_payload_uses_expected_top_level_shape(): + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + diff = Diff(id="scan-123", report_url="https://socket.dev/report/123") + + payload = build_fossa_report_payload(diff, config) + + assert list(payload.keys()) == EXPECTED_TOP_LEVEL_KEYS + assert sorted(payload["project"].keys()) == sorted(EXPECTED_PROJECT_KEYS) + assert payload["vulnerability"] == [] + assert payload["licensing"] == [] + assert payload["quality"] == [] + + +def test_fossa_report_payload_vulnerability_shape_is_stable(): + config = CliConfig.from_args([ + "--api-token", "test", + "--legal-format", "fossa", + "--repo", "owner/repo", + "--branch", "refs/heads/main", + ]) + diff = Diff(id="scan-123", report_url="https://socket.dev/report/123") + diff.packages = { + "pkg-1": Package( + id="pkg-1", + name="requests", + version="2.31.0", + type="pypi", + score={}, + alerts=[], + direct=True, + url="https://requests.readthedocs.io/", + license="Apache-2.0", + purl="pkg:pypi/requests@2.31.0", + ) + } + diff.new_alerts = [ + Issue( + title="Insufficiently Protected Credentials", + severity="medium", + description="Requests may leak credentials for crafted URLs.", + error=True, + key="GHSA-9hjg-9r4m-mvj7", + type="vulnerability", + pkg_type="pypi", + pkg_name="requests", + pkg_version="2.31.0", + pkg_id="pkg-1", + purl="pkg:pypi/requests@2.31.0", + url="https://socket.dev/pypi/package/requests/alerts/2.31.0", + props={ + "id": 11088938, + "createdAt": "2025-10-08T10:41:05.933Z", + "ghsaId": "GHSA-9hjg-9r4m-mvj7", + "cveId": "CVE-2024-47081", + "cvssScore": 5.3, + "fixedVersion": "2.32.4", + "partialFixDistance": "MINOR", + "completeFixDistance": "MINOR", + "attackVector": "Network", + "attackComplexity": "High", + "privilegesRequired": "None", + "userInteraction": "Required", + "scope": "Unchanged", + "confidentialityImpact": "High", + "integrityImpact": "None", + "availabilityImpact": "None", + "cveStatus": "COMPLETED", + "cwes": ["CWE-522"], + "published": "2025-06-09T19:06:08Z", + "affectedVersionRanges": ["<2.32.4"], + "patchedVersionRanges": ["2.32.4"], + "references": ["https://github.com/advisories/GHSA-9hjg-9r4m-mvj7"], + "cvssVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", + "exploitability": "UNKNOWN", + "epssScore": 0.00154, + "epssPercentile": 0.35957, + "cpes": [], + }, + ) + ] + + payload = build_fossa_report_payload(diff, config) + generated_vulnerability = payload["vulnerability"][0] + + assert sorted(generated_vulnerability.keys()) == sorted(EXPECTED_VULNERABILITY_KEYS) + assert sorted(generated_vulnerability["source"].keys()) == sorted(EXPECTED_SOURCE_KEYS) + assert sorted(generated_vulnerability["depths"].keys()) == sorted(EXPECTED_DEPTH_KEYS) + assert sorted(generated_vulnerability["statuses"].keys()) == sorted(EXPECTED_STATUS_KEYS) + assert sorted(generated_vulnerability["remediation"].keys()) == sorted(EXPECTED_REMEDIATION_KEYS) + assert sorted(generated_vulnerability["epss"].keys()) == sorted(EXPECTED_EPSS_KEYS) + assert generated_vulnerability["source"]["packageManager"] == "pip" + assert generated_vulnerability["vulnId"] == "GHSA-9hjg-9r4m-mvj7" + assert generated_vulnerability["cve"] == "CVE-2024-47081" + + +def test_project_metadata_uses_dollar_revision_separator(): + """The composed FOSSA `project.id` is `$`.""" + from socketsecurity.fossa_compat import _build_project_metadata + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa", "--repo", "acme/widgets", "--branch", "refs/heads/main"]) + diff = Diff(id="scan-abc123", report_url="https://socket.dev/x") + project = _build_project_metadata(diff, config) + assert project == { + "branch": "refs/heads/main", + "id": "acme/widgets$scan-abc123", + "project": "acme/widgets", + "projectId": "acme/widgets", + "revision": "scan-abc123", + "url": "https://socket.dev/x", + } + + +def test_project_metadata_fallbacks_when_missing_fields(): + """Falls back to literal placeholders when config/diff are sparse.""" + from socketsecurity.fossa_compat import _build_project_metadata + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + # Force absent repo/branch: + config.repo = None + config.branch = None + diff = Diff() + project = _build_project_metadata(diff, config) + assert project["branch"] == "socket-default-branch" + assert project["project"] == "socket-default-repo" + assert project["revision"] == "unknown-revision" + assert project["id"] == "socket-default-repo$unknown-revision" + assert project["url"] is None + + +def test_dependency_entry_full_shape(): + """Per-dependency dict has the exact 14-key FOSSA attribution shape.""" + from socketsecurity.fossa_compat import _build_dependency_entry + package = Package( + type="pypi", + name="requests", + version="2.31.0", + id="pip+requests$2.31.0", + score={}, + alerts=[], + direct=True, + author=["Kenneth Reitz "], + license="Apache-2.0", + licenseAttrib=[{"attribText": "Apache License 2.0\n\nCopyright 2023 Kenneth Reitz", + "attribData": [{"spdxExpr": "Apache-2.0"}]}], + ) + entry = _build_dependency_entry(package, dependency_paths=["requests"]) + assert set(entry.keys()) == { + "authors", "dependencyPaths", "description", "downloadUrl", "hash", + "isGolang", "licenses", "notes", "otherLicenses", "package", + "projectUrl", "source", "title", "version", + } + assert entry["authors"] == ["Kenneth Reitz "] + assert entry["dependencyPaths"] == ["requests"] + assert entry["description"] == "" + assert entry["downloadUrl"] == "" + assert entry["hash"] is None + assert entry["isGolang"] is None + assert entry["licenses"] == [{ + "attribution": "Apache License 2.0\n\nCopyright 2023 Kenneth Reitz", + "name": "Apache-2.0", + }] + assert entry["notes"] == [] + assert entry["otherLicenses"] == [] + assert entry["package"] == "requests" + assert entry["projectUrl"] == "" + assert entry["source"] == "pip" + assert entry["title"] == "requests" + assert entry["version"] == "2.31.0" + + +def test_dependency_entry_falls_back_to_declared_license_when_no_attrib(): + """When licenseAttrib is empty, `licenses[]` falls back to a single name-only entry from Package.license.""" + from socketsecurity.fossa_compat import _build_dependency_entry + package = Package( + type="pypi", name="x", version="1.0", id="pip+x$1.0", + score={}, alerts=[], license="MIT", + ) + entry = _build_dependency_entry(package, dependency_paths=["x"]) + assert entry["licenses"] == [{"attribution": "", "name": "MIT"}] + + +def test_dependency_entry_unlicensed_package_emits_empty_licenses(): + from socketsecurity.fossa_compat import _build_dependency_entry + package = Package( + type="pypi", name="x", version="1.0", id="pip+x$1.0", + score={}, alerts=[], license=None, + ) + entry = _build_dependency_entry(package, dependency_paths=["x"]) + assert entry["licenses"] == [] + + +def test_analyze_payload_top_level_keys_exactly_four(): + """The composed FOSSA analyze artifact has exactly project/vulnerability/licensing/quality.""" + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + diff = Diff() # empty alerts + payload = build_fossa_report_payload(diff, config) + assert set(payload.keys()) == {"project", "vulnerability", "licensing", "quality"} + assert "risk" not in payload + + +def test_analyze_payload_empty_diff_yields_empty_arrays(): + """An empty diff still emits all 4 keys with `[]` arrays.""" + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + payload = build_fossa_report_payload(Diff(), config) + assert payload["vulnerability"] == [] + assert payload["licensing"] == [] + assert payload["quality"] == [] + + +def test_vulnerability_gap_fields_emit_known_defaults(): + """Fields with no Socket data source emit documented null/empty defaults.""" + from socketsecurity.fossa_compat import _build_vulnerability_entry + issue = Issue( + type="criticalCVE", + severity="high", + key="x", + pkg_type="pypi", + pkg_name="x", + pkg_version="1.0", + props={}, + ) + package = Package( + type="pypi", + name="x", + version="1.0", + id="pip+x$1.0", + score={}, + alerts=[], + direct=True, + ) + project = {"branch": "m", "id": "a$x", "project": "a", "projectId": "a", "revision": "x", "url": "u"} + entry = _build_vulnerability_entry(issue, package, project, index=1) + # Documented gap fields: + assert entry["epss"] == {"score": None, "percentile": None} + assert entry["cvssVector"] is None + assert entry["exploitability"] is None + assert entry["cveStatus"] is None + assert entry["published"] is None + assert entry["containerLayers"] == {"base": 0, "other": 0} + assert entry["remediation"]["partialFixDistance"] is None + assert entry["remediation"]["completeFixDistance"] is None + assert "customRiskScore" in entry + assert entry["customRiskScore"] is None + proj_entry = entry["projects"][0] + assert proj_entry["scannedAt"] is None + assert proj_entry["analyzedAt"] is None + assert proj_entry["firstFoundAt"] is None + + +def test_attribution_payload_top_level_is_5_keys(): + """fossa-sbom.json has exactly the 5 keys from `fossa report --json attribution`.""" + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + payload = build_fossa_attribution_payload(Diff(), config) + assert set(payload.keys()) == { + "copyrightsByLicense", + "deepDependencies", + "directDependencies", + "licenses", + "project", + } + + +def test_attribution_project_has_only_name_and_revision(): + """SBOM `project` is the 2-key subset, not the 6-key analyze project.""" + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa", "--repo", "acme/widgets"]) + diff = Diff(id="rev-x") + payload = build_fossa_attribution_payload(diff, config) + assert payload["project"] == {"name": "acme/widgets", "revision": "rev-x"} + + +def test_attribution_empty_diff_yields_empty_collections(): + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + payload = build_fossa_attribution_payload(Diff(), config) + assert payload["copyrightsByLicense"] == {} + assert payload["licenses"] == {} + assert payload["directDependencies"] == [] + assert payload["deepDependencies"] == [] + + +def test_attribution_partitions_direct_vs_deep(): + pkg_a = Package( + type="pypi", name="a", version="1.0", id="pip+a$1.0", + score={}, alerts=[], direct=True, + ) + pkg_b = Package( + type="pypi", name="b", version="1.0", id="pip+b$1.0", + score={}, alerts=[], direct=False, + ) + pkg_c = Package( + type="pypi", name="c", version="1.0", id="pip+c$1.0", + score={}, alerts=[], direct=True, + ) + diff = Diff(packages={"id-a": pkg_a, "id-b": pkg_b, "id-c": pkg_c}) + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + payload = build_fossa_attribution_payload(diff, config) + direct_names = sorted(d["package"] for d in payload["directDependencies"]) + deep_names = sorted(d["package"] for d in payload["deepDependencies"]) + assert direct_names == ["a", "c"] + assert deep_names == ["b"] + + +def test_dependency_paths_direct_package_is_name_only(): + from socketsecurity.fossa_compat import _compute_dependency_paths + pkg = Package( + type="pypi", name="requests", version="2.31.0", + id="pip+requests$2.31.0", score={}, alerts=[], direct=True, + ) + paths = _compute_dependency_paths(pkg, {"pip+requests$2.31.0": pkg}) + assert paths == ["requests"] + + +def test_dependency_paths_transitive_chains_through_ancestor_name(): + from socketsecurity.fossa_compat import _compute_dependency_paths + parent = Package( + type="pypi", name="requests", version="2.31.0", + id="parent-id", score={}, alerts=[], direct=True, + ) + child = Package( + type="pypi", name="certifi", version="2024.7.4", + id="child-id", score={}, alerts=[], direct=False, + topLevelAncestors=["parent-id"], + ) + lookup = {"parent-id": parent, "child-id": child} + assert _compute_dependency_paths(child, lookup) == ["requests > certifi"] + + +def test_dependency_paths_multi_ancestor_emits_one_per_root(): + from socketsecurity.fossa_compat import _compute_dependency_paths + p1 = Package(type="pypi", name="boto3", version="1.0", id="p1", + score={}, alerts=[], direct=True) + p2 = Package(type="pypi", name="botocore", version="1.0", id="p2", + score={}, alerts=[], direct=True) + child = Package( + type="pypi", name="jmespath", version="1.0", id="c", + score={}, alerts=[], direct=False, + topLevelAncestors=["p1", "p2"], + ) + lookup = {"p1": p1, "p2": p2, "c": child} + assert sorted(_compute_dependency_paths(child, lookup)) == [ + "boto3 > jmespath", + "botocore > jmespath", + ] + + +def test_dependency_paths_missing_ancestor_falls_back_to_name(): + from socketsecurity.fossa_compat import _compute_dependency_paths + pkg = Package( + type="pypi", name="orphan", version="1.0", id="o", + score={}, alerts=[], direct=False, + topLevelAncestors=["missing-id"], + ) + assert _compute_dependency_paths(pkg, {"o": pkg}) == ["orphan"] + + +def test_vulnerability_version_ranges_sourced_from_socket_fields(): + """affectedVersionRanges/patchedVersionRanges come from Socket's singular fields, wrapped.""" + from socketsecurity.fossa_compat import _build_vulnerability_entry + issue = Issue( + type="criticalCVE", + severity="high", + key="CVE-2024-12345_pip+requests", + pkg_type="pypi", + pkg_name="requests", + pkg_version="2.30.0", + props={ + "ghsaId": "GHSA-aaaa-bbbb-cccc", + "cveId": "CVE-2024-12345", + "cvss": 7.5, + "vulnerableVersionRange": ">=2.0.0,<2.31.1", + "firstPatchedVersionIdentifier": "2.31.1", + "cwes": ["CWE-200"], + }, + ) + package = Package( + type="pypi", + name="requests", + version="2.30.0", + id="pip+requests$2.30.0", + score={}, + alerts=[], + direct=True, + ) + project = {"branch": "main", "id": "acme$x", "project": "acme", "projectId": "acme", "revision": "x", "url": "u"} + entry = _build_vulnerability_entry(issue, package, project, index=1) + assert entry["affectedVersionRanges"] == [">=2.0.0,<2.31.1"] + assert entry["patchedVersionRanges"] == ["2.31.1"] + assert entry["remediation"]["partialFix"] == "2.31.1" + assert entry["remediation"]["completeFix"] == "2.31.1" + + +def test_fossa_payload_includes_unchanged_alerts_regardless_of_strict_blocking(): + """FOSSA emits all currently-present issues at the scan revision, not just + diff-new ones. So `unchanged_alerts` must always flow into the payload, + independent of the --strict-blocking flag.""" + new_issue = Issue( + type="criticalCVE", severity="high", key="NEW", + pkg_type="pypi", pkg_name="a", pkg_version="1.0", + props={"cveId": "CVE-2024-NEW", "ghsaId": "GHSA-new"}, + ) + unchanged_issue = Issue( + type="criticalCVE", severity="high", key="OLD", + pkg_type="pypi", pkg_name="b", pkg_version="1.0", + props={"cveId": "CVE-2024-OLD", "ghsaId": "GHSA-old"}, + ) + diff = Diff(new_alerts=[new_issue], unchanged_alerts=[unchanged_issue]) + + # strict_blocking off (default): + config_loose = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + payload_loose = build_fossa_report_payload(diff, config_loose) + loose_cves = sorted(v["cve"] for v in payload_loose["vulnerability"]) + assert loose_cves == ["CVE-2024-NEW", "CVE-2024-OLD"], ( + "FOSSA mode must include unchanged_alerts even without --strict-blocking" + ) + + # strict_blocking on — same result (always include both): + config_strict = CliConfig.from_args( + ["--api-token", "test", "--legal-format", "fossa", "--strict-blocking"] + ) + payload_strict = build_fossa_report_payload(diff, config_strict) + strict_cves = sorted(v["cve"] for v in payload_strict["vulnerability"]) + assert strict_cves == loose_cves diff --git a/tests/unit/test_fossa_parity.py b/tests/unit/test_fossa_parity.py new file mode 100644 index 0000000..2a408d8 --- /dev/null +++ b/tests/unit/test_fossa_parity.py @@ -0,0 +1,106 @@ +"""Structural parity tests: assert our FOSSA-shaped output matches real FOSSA artifact shapes. + +These tests load real FOSSA artifacts captured from a customer pipeline and compare them +against our --legal-format fossa output by shape (key sets + value types), not by value. +A value-level golden test would be too brittle; the goal is to catch structural drift. +""" +from __future__ import annotations + +import json +from pathlib import Path + +FIXTURE_DIR = Path(__file__).parent.parent / "fixtures" / "fossa" + + +def _load(name: str) -> dict: + return json.loads((FIXTURE_DIR / name).read_text()) + + +def test_fixtures_present_and_parseable(): + """Sanity: all four FOSSA reference fixtures load as JSON objects.""" + for name in ( + "fossa-analyze-populated.json", + "fossa-analyze-empty.json", + "fossa-sbom-populated.json", + "fossa-sbom-empty-deep.json", + ): + data = _load(name) + assert isinstance(data, dict), f"{name} should be a JSON object at the top level" + + +def test_analyze_fixture_top_level_shape(): + """The real FOSSA analyze artifact has exactly these top-level keys.""" + data = _load("fossa-analyze-populated.json") + assert set(data.keys()) == {"project", "vulnerability", "licensing", "quality"} + assert "risk" not in data # FOSSA API 400s on risk category; key never appears + + +def test_sbom_fixture_top_level_shape(): + """The real FOSSA attribution artifact has exactly these 5 top-level keys.""" + data = _load("fossa-sbom-populated.json") + assert set(data.keys()) == { + "copyrightsByLicense", + "deepDependencies", + "directDependencies", + "licenses", + "project", + } + + +def test_our_analyze_matches_fossa_analyze_top_level_keys(): + """Our build_fossa_report_payload top-level keyset matches the real fixture.""" + from socketsecurity.config import CliConfig + from socketsecurity.core.classes import Diff + from socketsecurity.fossa_compat import build_fossa_report_payload + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + ours = build_fossa_report_payload(Diff(), config) + theirs = _load("fossa-analyze-empty.json") + assert set(ours.keys()) == set(theirs.keys()) + + +def test_our_analyze_project_keys_match(): + from socketsecurity.config import CliConfig + from socketsecurity.core.classes import Diff + from socketsecurity.fossa_compat import build_fossa_report_payload + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + ours = build_fossa_report_payload(Diff(), config) + theirs = _load("fossa-analyze-empty.json") + assert set(ours["project"].keys()) == set(theirs["project"].keys()) + + +def test_our_sbom_matches_fossa_sbom_top_level_keys(): + from socketsecurity.config import CliConfig + from socketsecurity.core.classes import Diff + from socketsecurity.fossa_compat import build_fossa_attribution_payload + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + ours = build_fossa_attribution_payload(Diff(), config) + theirs = _load("fossa-sbom-populated.json") + assert set(ours.keys()) == set(theirs.keys()) + + +def test_our_sbom_project_keys_match(): + from socketsecurity.config import CliConfig + from socketsecurity.core.classes import Diff + from socketsecurity.fossa_compat import build_fossa_attribution_payload + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + ours = build_fossa_attribution_payload(Diff(), config) + theirs = _load("fossa-sbom-populated.json") + assert set(ours["project"].keys()) == set(theirs["project"].keys()) + + +def test_our_sbom_dependency_keys_match_when_populated(): + """When we have at least one dependency, its keyset matches a real FOSSA dependency entry.""" + from socketsecurity.config import CliConfig + from socketsecurity.core.classes import Diff, Package + from socketsecurity.fossa_compat import build_fossa_attribution_payload + pkg = Package( + type="pypi", name="x", version="1.0", id="pid", + score={}, alerts=[], direct=True, + ) + diff = Diff(packages={"pid": pkg}) + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + ours = build_fossa_attribution_payload(diff, config) + theirs = _load("fossa-sbom-populated.json") + our_dep = ours["directDependencies"][0] + their_dep = theirs["directDependencies"][0] + assert set(our_dep.keys()) == set(their_dep.keys()) diff --git a/tests/unit/test_output.py b/tests/unit/test_output.py index 0fe007e..c4271e7 100644 --- a/tests/unit/test_output.py +++ b/tests/unit/test_output.py @@ -1,13 +1,17 @@ +import json + import pytest + +from socketsecurity.core.classes import Diff, Issue, Package from socketsecurity.output import OutputHandler -from socketsecurity.core.classes import Diff, Issue -import json + class TestOutputHandler: @pytest.fixture def handler(self): - from socketsecurity.config import CliConfig from unittest.mock import Mock + + from socketsecurity.config import CliConfig config = Mock(spec=CliConfig) config.disable_blocking = False config.strict_blocking = False @@ -25,8 +29,9 @@ def test_report_pass_with_blocking_issues(self, handler): assert not handler.report_pass(diff) def test_report_pass_with_blocking_disabled(self): - from socketsecurity.config import CliConfig from unittest.mock import Mock + + from socketsecurity.config import CliConfig config = Mock(spec=CliConfig) config.disable_blocking = True config.strict_blocking = False @@ -65,9 +70,10 @@ def test_json_output_format(self, handler, caplog): def test_json_output_includes_unchanged_alerts_with_strict_blocking(self, caplog): import logging - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + config = Mock(spec=CliConfig) config.disable_blocking = False config.strict_blocking = True @@ -123,11 +129,228 @@ def test_sbom_file_saving(self, handler, tmp_path): handler.save_sbom_file(diff, str(sbom_path)) assert sbom_path.exists() + def test_sbom_file_saving_without_sbom_writes_empty_array(self, handler, tmp_path): + diff = Diff() + sbom_path = tmp_path / "empty.json" + handler.save_sbom_file(diff, str(sbom_path)) + assert sbom_path.exists() + assert json.loads(sbom_path.read_text()) == [] + + def test_json_file_saving(self, tmp_path): + from unittest.mock import Mock + + from socketsecurity.config import CliConfig + + json_path = tmp_path / "report.json" + + config = Mock(spec=CliConfig) + config.disable_blocking = False + config.strict_blocking = False + config.json_file = str(json_path) + config.summary_file = None + config.report_link_file = None + config.sbom_file = None + config.legal = True + config.legal_format = "socket" + config.repo = "owner/repo" + config.branch = "main" + config.commit_sha = "abc123" + config.enable_json = False + config.enable_sarif = False + config.enable_gitlab_security = False + config.enable_debug = False + + handler = OutputHandler(config, Mock()) + + diff = Diff() + diff.id = "scan-123" + diff.diff_url = "https://socket.dev/diff/123" + diff.report_url = "https://socket.dev/report/123" + diff.new_alerts = [ + Issue( + title="Test", + severity="high", + description="desc", + error=True, + key="test-key", + type="vulnerability", + pkg_type="npm", + pkg_name="test-package", + pkg_version="1.0.0", + purl="pkg:npm/test-package@1.0.0", + url="https://socket.dev/npm/package/test-package/alerts/1.0.0", + ) + ] + + handler.save_json_file(diff, str(json_path)) + + saved = json.loads(json_path.read_text()) + assert saved["full_scan_id"] == "scan-123" + assert saved["report_url"] == "https://socket.dev/report/123" + assert saved["repo"] == "owner/repo" + assert saved["branch"] == "main" + assert saved["commit_sha"] == "abc123" + assert saved["legal_mode"] is True + + def test_summary_and_report_link_files_are_written(self, tmp_path): + from unittest.mock import Mock + + from socketsecurity.config import CliConfig + + summary_path = tmp_path / "summary.txt" + report_link_path = tmp_path / "report-link.txt" + + config = Mock(spec=CliConfig) + config.disable_blocking = False + config.strict_blocking = False + config.json_file = None + config.summary_file = str(summary_path) + config.report_link_file = str(report_link_path) + config.sbom_file = None + config.legal = False + config.legal_format = "socket" + config.repo = None + config.branch = "" + config.commit_sha = "" + config.enable_json = False + config.enable_sarif = False + config.enable_gitlab_security = False + config.enable_debug = False + + handler = OutputHandler(config, Mock()) + + diff = Diff() + diff.id = "scan-123" + diff.diff_url = "https://socket.dev/diff/123" + diff.report_url = "https://socket.dev/report/123" + diff.new_alerts = [ + Issue( + title="Test", + severity="high", + description="desc", + error=True, + key="test-key", + type="vulnerability", + pkg_type="npm", + pkg_name="test-package", + pkg_version="1.0.0", + purl="pkg:npm/test-package@1.0.0", + url="https://socket.dev/npm/package/test-package/alerts/1.0.0", + ) + ] + + handler.save_summary_file(diff, str(summary_path)) + handler.save_report_link_file(diff, str(report_link_path)) + + assert "Security issues detected by Socket Security:" in summary_path.read_text() + assert report_link_path.read_text().strip() == "https://socket.dev/report/123" + + def test_json_file_saving_in_fossa_format(self, tmp_path): + from unittest.mock import Mock + + from socketsecurity.config import CliConfig + + json_path = tmp_path / "fossa-report.json" + + config = Mock(spec=CliConfig) + config.disable_blocking = False + config.strict_blocking = False + config.json_file = str(json_path) + config.summary_file = None + config.report_link_file = None + config.sbom_file = None + config.legal = True + config.legal_format = "fossa" + config.repo = "owner/repo" + config.branch = "refs/heads/main" + config.commit_sha = "abc123" + config.enable_json = False + config.enable_sarif = False + config.enable_gitlab_security = False + config.enable_debug = False + + handler = OutputHandler(config, Mock()) + + diff = Diff() + diff.id = "scan-123" + diff.report_url = "https://socket.dev/report/123" + diff.packages = { + "pkg-1": Package( + id="pkg-1", + name="requests", + version="2.31.0", + type="pypi", + score={}, + alerts=[], + direct=True, + url="https://socket.dev/pypi/package/requests/overview/2.31.0", + license="Apache-2.0", + purl="pkg:pypi/requests@2.31.0", + ) + } + diff.new_alerts = [ + Issue( + title="Prototype Pollution", + severity="high", + description="Upgrade to a fixed version.", + error=True, + key="alert-1", + type="vulnerability", + pkg_type="pypi", + pkg_name="requests", + pkg_version="2.31.0", + pkg_id="pkg-1", + purl="pkg:pypi/requests@2.31.0", + url="https://socket.dev/npm/package/requests/alerts/2.31.0", + props={ + "ghsaId": "GHSA-1234", + "cveId": "CVE-2026-1234", + "cvssScore": 8.2, + "fixedVersion": "2.31.1", + "references": ["https://github.com/advisories/GHSA-1234"], + }, + ), + Issue( + title="License Policy Violation", + severity="medium", + description="Package license violates policy.", + warn=True, + key="license-1", + type="licenseSpdxDisj", + pkg_type="pypi", + pkg_name="requests", + pkg_version="2.31.0", + pkg_id="pkg-1", + purl="pkg:pypi/requests@2.31.0", + url="https://socket.dev/pypi/package/requests/license/2.31.0", + ), + ] + + handler.save_json_file(diff, str(json_path)) + + saved = json.loads(json_path.read_text()) + assert saved["project"] == { + "branch": "refs/heads/main", + "id": "owner/repo$scan-123", + "project": "owner/repo", + "projectId": "owner/repo", + "revision": "scan-123", + "url": "https://socket.dev/report/123", + } + assert len(saved["vulnerability"]) == 1 + assert saved["vulnerability"][0]["vulnId"] == "GHSA-1234" + assert saved["vulnerability"][0]["cve"] == "CVE-2026-1234" + assert saved["vulnerability"][0]["source"]["packageManager"] == "pip" + assert saved["vulnerability"][0]["remediation"]["completeFix"] == "2.31.1" + assert saved["licensing"][0]["type"] == "policy_conflict" + assert saved["quality"] == [] + def test_report_pass_with_strict_blocking_new_alerts(self): """Test that strict-blocking fails on new blocking alerts""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + # Create config with strict_blocking config = Mock(spec=CliConfig) config.disable_blocking = False @@ -143,9 +366,10 @@ def test_report_pass_with_strict_blocking_new_alerts(self): def test_report_pass_with_strict_blocking_unchanged_alerts(self): """Test that strict-blocking fails on unchanged blocking alerts""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + config = Mock(spec=CliConfig) config.disable_blocking = False config.strict_blocking = True @@ -160,9 +384,10 @@ def test_report_pass_with_strict_blocking_unchanged_alerts(self): def test_report_pass_with_strict_blocking_both_alerts(self): """Test that strict-blocking fails when both new and unchanged alerts exist""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + config = Mock(spec=CliConfig) config.disable_blocking = False config.strict_blocking = True @@ -177,9 +402,10 @@ def test_report_pass_with_strict_blocking_both_alerts(self): def test_report_pass_with_strict_blocking_only_warnings(self): """Test that strict-blocking passes when only warnings (not errors) exist""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + config = Mock(spec=CliConfig) config.disable_blocking = False config.strict_blocking = True @@ -194,9 +420,10 @@ def test_report_pass_with_strict_blocking_only_warnings(self): def test_report_pass_strict_blocking_disabled(self): """Test that strict-blocking without the flag passes with unchanged alerts""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + config = Mock(spec=CliConfig) config.disable_blocking = False config.strict_blocking = False # Flag not set @@ -212,9 +439,10 @@ def test_report_pass_strict_blocking_disabled(self): def test_disable_blocking_overrides_strict_blocking(self): """Test that disable-blocking takes precedence over strict-blocking""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + config = Mock(spec=CliConfig) config.disable_blocking = True config.strict_blocking = True @@ -230,9 +458,10 @@ def test_disable_blocking_overrides_strict_blocking(self): def test_sarif_file_output(self, tmp_path): """Test that --sarif-file writes SARIF report to a file""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + sarif_path = tmp_path / "report.sarif" config = Mock(spec=CliConfig) @@ -268,9 +497,10 @@ def test_sarif_file_output(self, tmp_path): def test_sarif_reachability_reachable_filters_non_reachable(self, tmp_path): """Test that --sarif-reachability reachable uses .socket.facts.json reachability.""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + sarif_path = tmp_path / "report.sarif" facts_path = tmp_path / ".socket.facts.json" @@ -343,9 +573,10 @@ def make_issue(name, error, ghsa_id): def test_sarif_reachability_reachable_falls_back_to_blocking_when_facts_missing(self, tmp_path): """Test that missing facts file falls back to historical blocking filter.""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + sarif_path = tmp_path / "report.sarif" config = Mock(spec=CliConfig) @@ -382,9 +613,10 @@ def test_sarif_reachability_reachable_falls_back_to_blocking_when_facts_missing( def test_sarif_output_includes_unchanged_with_strict_blocking(self, tmp_path): """Strict blocking should include unchanged alerts in diff-scope SARIF output.""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + sarif_path_strict_false = tmp_path / "strict-false.sarif" sarif_path_strict_true = tmp_path / "strict-true.sarif" @@ -437,9 +669,10 @@ def build_diff(): def test_sarif_reachability_all_includes_all(self, tmp_path): """Test that --sarif-reachability all includes all alerts.""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + sarif_path = tmp_path / "report.sarif" config = Mock(spec=CliConfig) @@ -476,9 +709,10 @@ def test_sarif_reachability_all_includes_all(self, tmp_path): def test_sarif_no_file_when_not_configured(self, tmp_path): """Test that no file is written when --sarif-file is not set""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + config = Mock(spec=CliConfig) config.sarif_file = None config.sarif_scope = "diff" @@ -497,9 +731,10 @@ def test_sarif_no_file_when_not_configured(self, tmp_path): def test_sarif_file_nested_directory(self, tmp_path): """Test that --sarif-file creates parent directories if needed""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + sarif_path = tmp_path / "nested" / "dir" / "report.sarif" config = Mock(spec=CliConfig) @@ -522,9 +757,10 @@ def test_sarif_file_nested_directory(self, tmp_path): def test_sarif_scope_full_before_after_reachable_filtering_snapshot(self, tmp_path): """Full-scope SARIF should show before/after changes with reachable-only filtering.""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + facts_path = tmp_path / ".socket.facts.json" all_path = tmp_path / "full-all.sarif" reachable_path = tmp_path / "full-reachable.sarif" @@ -591,9 +827,10 @@ def build_handler(output_path, reachable_only): def test_sarif_scope_full_works_when_diff_not_run(self, tmp_path): """Full scope should still emit SARIF when diff id is NO_DIFF_RAN.""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + facts_path = tmp_path / ".socket.facts.json" out_path = tmp_path / "full-no-diff.sarif" @@ -636,9 +873,10 @@ def test_sarif_scope_full_works_when_diff_not_run(self, tmp_path): def test_sarif_scope_full_dedupes_duplicate_manifest_uris(self, tmp_path): """Full scope should not emit duplicate results for duplicate manifest entries.""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + facts_path = tmp_path / ".socket.facts.json" out_path = tmp_path / "full-dedup.sarif" @@ -678,9 +916,10 @@ def test_sarif_scope_full_dedupes_duplicate_manifest_uris(self, tmp_path): def test_sarif_scope_full_with_sarif_file_suppresses_stdout(self, tmp_path, capsys): """Full scope + --sarif-file should avoid printing massive SARIF JSON to stdout.""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + facts_path = tmp_path / ".socket.facts.json" out_path = tmp_path / "full-suppressed.sarif" @@ -718,9 +957,10 @@ def test_sarif_scope_full_with_sarif_file_suppresses_stdout(self, tmp_path, caps assert out_path.exists() def test_sarif_scope_full_alert_grouping_dedupes_versions(self, tmp_path): - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + out_path = tmp_path / "full-alert-grouping.sarif" facts_path = tmp_path / ".socket.facts.json" facts_path.write_text(json.dumps({ @@ -768,9 +1008,10 @@ def test_sarif_scope_full_alert_grouping_dedupes_versions(self, tmp_path): assert props["reachability"] == "reachable" def test_sarif_scope_full_potentially_filter(self, tmp_path): - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + out_path = tmp_path / "full-potentially.sarif" facts_path = tmp_path / ".socket.facts.json" facts_path.write_text(json.dumps({ diff --git a/tests/unit/test_socketcli.py b/tests/unit/test_socketcli.py new file mode 100644 index 0000000..e48788a --- /dev/null +++ b/tests/unit/test_socketcli.py @@ -0,0 +1,134 @@ +from socketsecurity.core.classes import Diff, Package +from socketsecurity.socketcli import build_license_artifact_payload + + +def test_build_license_artifact_payload_without_packages_returns_empty_dict(): + diff = Diff() + + payload = build_license_artifact_payload(diff) + + assert payload == {} + + +def test_build_license_artifact_payload_serializes_package_fields(): + diff = Diff() + diff.packages = { + "pypi/requests@2.31.0": Package( + id="pkg-1", + name="requests", + version="2.31.0", + type="pypi", + score={}, + alerts=[], + direct=True, + url="https://socket.dev/pypi/package/requests/overview/2.31.0", + license="Apache-2.0", + licenseDetails=[{"id": "Apache-2.0"}], + licenseAttrib=[{"id": "Apache-2.0"}], + purl="requests@2.31.0", + ) + } + + payload = build_license_artifact_payload(diff) + + assert payload == { + "pkg-1": { + "id": "pkg-1", + "name": "requests", + "version": "2.31.0", + "ecosystem": "pypi", + "direct": True, + "url": "https://socket.dev/pypi/package/requests/overview/2.31.0", + "license": "Apache-2.0", + "licenseDetails": [{"id": "Apache-2.0"}], + "licenseAttrib": [{"id": "Apache-2.0"}], + "purl": "requests@2.31.0", + } + } + + +def test_build_license_artifact_payload_fossa_format_without_packages(): + class Config: + repo = "owner/repo" + branch = "main" + + diff = Diff(id="scan-1", report_url="https://socket.dev/report/1") + + payload = build_license_artifact_payload(diff, legal_format="fossa", config=Config()) + + assert payload == { + "copyrightsByLicense": {}, + "deepDependencies": [], + "directDependencies": [], + "licenses": {}, + "project": {"name": "owner/repo", "revision": "scan-1"}, + } + + +def test_fossa_attribution_file_is_written_indented(tmp_path): + """fossa-sbom.json should be written with indent=2, matching fossa-analyze.json.""" + import json + from types import SimpleNamespace + + from socketsecurity import socketcli + + target = tmp_path / "fossa-sbom.json" + config = SimpleNamespace(license_file_name=str(target)) + payload = { + "copyrightsByLicense": {}, + "deepDependencies": [], + "directDependencies": [], + "licenses": {}, + "project": {"name": "x", "revision": "y"}, + } + socketcli._write_attribution_file(config, payload) + content = target.read_text() + assert "\n " in content, f"Expected indented JSON, got: {content!r}" + assert json.loads(content) == payload + + +def test_build_license_artifact_payload_fossa_format_serializes_dependencies(): + class Config: + repo = "owner/repo" + branch = "main" + + diff = Diff(id="scan-1", report_url="https://socket.dev/report/1") + diff.packages = { + "pkg:pypi/requests@2.31.0": Package( + id="pkg-1", + name="requests", + version="2.31.0", + type="pypi", + score={}, + alerts=[], + direct=True, + url="https://socket.dev/pypi/package/requests/overview/2.31.0", + license="Apache-2.0", + licenseDetails=[{"id": "Apache-2.0"}], + licenseAttrib=[{"id": "Apache-2.0"}], + purl="pkg:pypi/requests@2.31.0", + ) + } + + payload = build_license_artifact_payload(diff, legal_format="fossa", config=Config()) + + assert payload["project"] == {"name": "owner/repo", "revision": "scan-1"} + assert payload["directDependencies"] == [{ + "authors": [], + "dependencyPaths": ["requests"], + "description": "", + "downloadUrl": "", + "hash": None, + "isGolang": None, + "licenses": [{"attribution": "", "name": "Apache-2.0"}], + "notes": [], + "otherLicenses": [], + "package": "requests", + "projectUrl": "", + "source": "pip", + "title": "requests", + "version": "2.31.0", + }] + assert payload["deepDependencies"] == [] + assert payload["copyrightsByLicense"] == {} + assert payload["licenses"] == {} diff --git a/uv.lock b/uv.lock index ec4b94f..e47a62c 100644 --- a/uv.lock +++ b/uv.lock @@ -1168,7 +1168,7 @@ wheels = [ [[package]] name = "socketsecurity" -version = "2.2.90" +version = "2.2.91" source = { editable = "." } dependencies = [ { name = "bs4" }, @@ -1221,7 +1221,7 @@ requires-dist = [ { name = "python-dotenv" }, { name = "requests" }, { name = "ruff", marker = "extra == 'dev'", specifier = ">=0.3.0" }, - { name = "socketdev", specifier = ">=3.1.0,<4.0.0" }, + { name = "socketdev", specifier = ">=3.0.33,<4.0.0" }, { name = "twine", marker = "extra == 'dev'" }, { name = "uv", marker = "extra == 'dev'", specifier = ">=0.1.0" }, ]