,
Dan Rollo [aut],
Josiah Parry [aut] ,
Sonatype [cph]| Title: | Scans R Projects for Vulnerable Third Party Dependencies |
|---|---|
| Description: | Collects a list of your third party R packages, and scans them with the 'OSS' Index provided by 'Sonatype', reporting back on any vulnerabilities that are found in the third party packages you use. |
| Authors: | Jeffry Hesse [aut],
Brittany Belle [aut],
Colin Gillespie [aut, cre] ,
Dan Rollo [aut],
Josiah Parry [aut] ,
Sonatype [cph] |
| Maintainer: | Colin Gillespie <[email protected]> |
| License: | Apache License 2.0 | file LICENSE |
| Version: | 0.1.3.9001 |
| Built: | 2024-09-13 06:40:52 UTC |
| Source: | https://github.com/sonatype-nexus-community/oyster |
Search the OSS Index for known package vulnerabilities in any of the supported ecosystems— e.g. CRAN, PyPI, Conda, NPM, Maven, etc. see https://ossindex.sonatype.org/ecosystems for full list.
audit(pkg, version, type, verbose = TRUE)audit(pkg, version, type, verbose = TRUE)
pkg |
A vector of package names to search in the OSS Index. |
version |
The specific package version to search for.
By default it will search all known versions. If not |
type |
The package management environment. For R packages, set equal to "cran".
This defaults to |
verbose |
Default |
pkg = c("abind", "acepack") version = c("1.4-5", "1.4.1") audit(pkg, version, type = "cran")pkg = c("abind", "acepack") version = c("1.4-5", "1.4.1") audit(pkg, version, type = "cran")
This function searches the OSS index for vulnerabilities recorded for packages listed
in a Conda environment file typically called environment.yml but are subject to varied names.
Conda environment can contain packages from both Conda and PyPI. All packages will be audited.
audit_conda(dir = ".", fname = "environment.yml", verbose = TRUE)audit_conda(dir = ".", fname = "environment.yml", verbose = TRUE)
dir |
The directory containing a Conda environment yaml file. |
fname |
The file name of conda environment yaml file. |
verbose |
Default |
## Not run: # Looks for a environment.yml file in dir audit_conda(dir = ".") ## End(Not run)## Not run: # Looks for a environment.yml file in dir audit_conda(dir = ".") ## End(Not run)
Collects R dependencies and checks them against OSS Index. Returns a tibble of results.
audit_deps(pkgs = NULL, verbose = TRUE)audit_deps(pkgs = NULL, verbose = TRUE)
pkgs |
Default |
verbose |
Default |
This function is deprecated. See
By default, packages listed in installed.packages() are scanned by sonatype.
However, you can pass your own data frame of packages. This data frame should have two columns,
version and package.
A tibble/data.frame.
Looks for a DESCRIPTION file in dir, then extract
the packages in the fields & calculates the dependency tree.
audit_description( dir = ".", fields = c("Depends", "Imports", "Suggests"), verbose = TRUE )audit_description( dir = ".", fields = c("Depends", "Imports", "Suggests"), verbose = TRUE )
dir |
The file path of an renv.lock file. |
fields |
The DESCRIPTION field to parse. Default is Depends, Import, & Suggests. |
verbose |
Default |
## Not run: # Looks for a DESCRIPTION file in dir audit_description(dir = ".") ## End(Not run)## Not run: # Looks for a DESCRIPTION file in dir audit_description(dir = ".") ## End(Not run)
Audits all installed packages by calling installed.packages()
and checking them against the OSS Index.
audit_installed_r_pkgs(verbose = TRUE)audit_installed_r_pkgs(verbose = TRUE)
verbose |
Default |
A tibble/data.frame.
## Not run: # Audit installed packages # This calls installed.packages() pkgs = audit_installed_r_pkgs() ## End(Not run)## Not run: # Audit installed packages # This calls installed.packages() pkgs = audit_installed_r_pkgs() ## End(Not run)
This function searches the OSS index for vulnerabilities recorded for packages listed in
an renv.lock file.
An renv.lock file is created by the {renv} package
which is used for project level package management in R.
audit_renv_lock(dir = ".", verbose = TRUE)audit_renv_lock(dir = ".", verbose = TRUE)
dir |
The file path of an renv.lock file. |
verbose |
Default |
## Not run: # Looks for renv.lock file in dir audit_renv_lock(dir = ".") ## End(Not run)## Not run: # Looks for renv.lock file in dir audit_renv_lock(dir = ".") ## End(Not run)
This function searches the OSS index for vulnerabilities recorded for packages listed in a requirements.txt file based on PyPi.
audit_req_txt(dir = ".", verbose = TRUE)audit_req_txt(dir = ".", verbose = TRUE)
dir |
The file path of a requirements.txt file. |
verbose |
Default |
pip is a standard of python package management based on the Python Package Index (PyPI). pip uses a requirements.txt file to manage of Python libraries. The requirements.txt file contains package names and versions (often used to manage a virtual environment).
## Not run: # Looks for a requirements.txt file in dir audit_description(dir = ".") ## End(Not run)## Not run: # Looks for a requirements.txt file in dir audit_description(dir = ".") ## End(Not run)
A testthat version for detecting vulnerabilities.
This function is used within the testthat framework.
As testthat strips out the repositories from options,
we have to set the value locally in the function, i.e. the
value you have in getOption("repos") is not used.
expect_secure(pkg, repo = "https://cran.rstudio.com", verbose = FALSE)expect_secure(pkg, repo = "https://cran.rstudio.com", verbose = FALSE)
pkg |
The pkg to check |
repo |
The CRAN repository, used to get version numbers |
verbose |
Default |
An important proviso is that we are only testing packages for specific versions.
By default, this will be the latest version on CRAN.
This may differ for users or if you are using a CRAN snapshot.
For the latter, simply change the repo parameter.
## Not run: # Typically used inside testthat oysteR::expect_secure("oysteR") ## End(Not run)## Not run: # Typically used inside testthat oysteR::expect_secure("oysteR") ## End(Not run)
Parse the audit data frame (obtained via audit_deps), and extract
the vulnerabilities.
get_vulnerabilities(audit)get_vulnerabilities(audit)
audit |
Output from |
## Not run: # Audit installed packages # This calls installed.packages() # pkgs = audit_deps() # Or pass your own packages pkgs = data.frame(package = c("abind", "acepack"), version = c("1.4-5", "1.4.1")) #deps = audit_deps(pkgs) #get_vulnerabilities(deps) ## End(Not run)## Not run: # Audit installed packages # This calls installed.packages() # pkgs = audit_deps() # Or pass your own packages pkgs = data.frame(package = c("abind", "acepack"), version = c("1.4-5", "1.4.1")) #deps = audit_deps(pkgs) #get_vulnerabilities(deps) ## End(Not run)
The OSS cache is located at tools::R_user_dir("oysteR", which = "cache").
The function R_user_dir() is only available for R >= 4.0.0.
Packages are cached for 12 hours, then refreshed at the next audit
remove_cache()remove_cache()