bettercheck

Name: bettercheck
Version: 0.0.1
Summary: A CLI tool that helps evaluate Python packages for security concerns
Upload time: 2024-12-11 05:45:09
Home page: None
Docs URL: None
Maintainer: None
Author: None
License: None
Requires Python: >=3.8
Keywords: security package dependency check vulnerability
Requirements: No requirements were recorded.
Travis-CI: No Travis.
Coveralls test coverage: No coveralls.

# BETTERCHECK

Better than nothing.

## What is it?

A CLI tool that helps evaluate Python packages for security concerns before installing them. Performs checks against multiple vulnerability databases and provides useful metrics about package health.

### bettercheck Analysis of bettercheck
```sh
(.venv) % bettercheck-yourself

Analyzing requests...

Analyzing click...

Analyzing packaging...

Analyzing pygithub...

Analyzing pypistats...

Analyzing jsonschema...

Analyzing aiohttp...

Analyzing dataclasses...

Report saved to: ./reports/bettercheck-20241210_170638.json

=== Dependencies Security Analysis ===

Total packages analyzed: 8
Total vulnerabilities found: 33


requests:
-------------------
Version: 2.32.3
Monthly downloads: 580,975,452
Vulnerabilities: 11
- [OSV] GHSA-652x-xj99-gmcc
- [OSV] GHSA-9wx4-h78v-vm56
- [OSV] GHSA-cfj3-7x9c-4p3h
- [OSV] GHSA-j8r2-6x86-q33q
- [OSV] GHSA-pg2w-x9wp-vw92
- [OSV] GHSA-x84v-xcm2-53pg
- [OSV] PYSEC-2014-13
- [OSV] PYSEC-2014-14
- [OSV] PYSEC-2015-17
- [OSV] PYSEC-2018-28
- [OSV] PYSEC-2023-74

GitHub Metrics:
Stars: 52,266
Forks: 9,339
Open Issues: 254
Last Update: 2024-11-10 16:18:37+00:00

click:
-------------------
Version: 8.1.7
Monthly downloads: 259,210,862
No known vulnerabilities

GitHub Metrics:
Stars: 15,848
Forks: 1,405
Open Issues: 104
Last Update: 2024-12-07 20:10:36+00:00

packaging:
-------------------
Version: 24.2
Monthly downloads: 513,411,357
No known vulnerabilities

GitHub Metrics:
Stars: 628
Forks: 251
Open Issues: 104
Last Update: 2024-12-01 15:33:46+00:00

pygithub:
-------------------
Version: 2.5.0
Monthly downloads: 35,947,481
No known vulnerabilities

GitHub Metrics:
Stars: 7,072
Forks: 1,792
Open Issues: 354
Last Update: 2024-12-04 08:56:01+00:00

pypistats:
-------------------
Version: 1.7.0
Monthly downloads: 26,193
No known vulnerabilities

GitHub Metrics:
Stars: 200
Forks: 28
Open Issues: 9
Last Update: 2024-12-08 11:29:21+00:00

jsonschema:
-------------------
Version: 4.23.0
Monthly downloads: 183,583,243
No known vulnerabilities

GitHub Metrics:
Stars: 4,643
Forks: 582
Open Issues: 38
Last Update: 2024-12-09 19:57:02+00:00

aiohttp:
-------------------
Version: 3.11.10
Monthly downloads: 209,496,974
Vulnerabilities: 22
- [OSV] GHSA-27mf-ghqm-j3j8
- [OSV] GHSA-45c4-8wx5-qw6w
- [OSV] GHSA-5h86-8mv2-jq9f
- [OSV] GHSA-5m98-qgg9-wh84
- [OSV] GHSA-7gpw-8wmc-pm8g
- [OSV] GHSA-8495-4g3g-x7pr
- [OSV] GHSA-8qpw-xqxj-h4r2
- [OSV] GHSA-gfw2-4jvh-wgfg
- [OSV] GHSA-jwhx-xcg6-8xhj
- [OSV] GHSA-pjjw-qhg8-p2p9
- [OSV] GHSA-q3qx-c6g2-7pw2
- [OSV] GHSA-qvrw-v9rv-5rjx
- [OSV] GHSA-v6wp-4m6f-gcjg
- [OSV] GHSA-xx9p-xxvh-7g8j
- [OSV] PYSEC-2021-76
- [OSV] PYSEC-2023-120
- [OSV] PYSEC-2023-246
- [OSV] PYSEC-2023-247
- [OSV] PYSEC-2023-250
- [OSV] PYSEC-2023-251
- [OSV] PYSEC-2024-24
- [OSV] PYSEC-2024-26

GitHub Metrics:
Stars: 15,204
Forks: 2,027
Open Issues: 249
Last Update: 2024-12-09 20:12:28+00:00

dataclasses:
-------------------
Version: 0.8
Monthly downloads: 18,805,604
No known vulnerabilities

GitHub Metrics:
Stars: 586
Forks: 53
Open Issues: 8
Last Update: 2024-07-11 16:14:35+00:00
```

Full report: [bettercheck-yourself.json](bettercheck-yourself.json)
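The report above shows 2014-era PYSEC advisories under requests 2.32.3, so the count covers every advisory recorded for the package name rather than only those whose affected ranges include the installed version. The following is an added example, not bettercheck's own code: it walks the `introduced`/`fixed`/`last_affected` events of OSV `ECOSYSTEM` ranges to keep only the advisories that cover a given version, over a constructed OSV-style response (`examplepkg`, the `EXAMPLE-*` ids and the ranges are made up).

```python
import re

def parse_version(v: str):
    # Release segment only ("2.32.3" -> (2, 32, 3)); enough for the constructed data below.
    m = re.match(r"\d+(?:\.\d+)*", v)
    return tuple(int(p) for p in m.group(0).split(".")) if m else (0,)

def version_affected(version: str, affected: dict) -> bool:
    # Each ECOSYSTEM range lists `introduced` events, each followed by the `fixed`
    # (or `last_affected`) event that closes it; "0" means "since the first release".
    v = parse_version(version)
    for rng in affected.get("ranges", []):
        if rng.get("type") != "ECOSYSTEM":
            continue
        start = None
        for ev in rng.get("events", []) + [{}]:  # sentinel flushes an open-ended span
            if "introduced" in ev:
                start = ev["introduced"]
            elif start is not None:
                lo_ok = start == "0" or parse_version(start) <= v
                hi_ok = True  # no closing event: still unfixed
                if "fixed" in ev:
                    hi_ok = parse_version(ev["fixed"]) > v
                elif "last_affected" in ev:
                    hi_ok = parse_version(ev["last_affected"]) >= v
                if lo_ok and hi_ok:
                    return True
                start = None
    return False

def affecting_advisories(name: str, version: str, vulns: list) -> list:
    # Ids of advisories with an affected entry that covers name@version on PyPI.
    def covers(aff: dict) -> bool:
        pkg = aff.get("package", {})
        return (pkg.get("ecosystem") == "PyPI" and pkg.get("name", "").lower() == name.lower()
                and version_affected(version, aff))
    return [vuln["id"] for vuln in vulns if any(covers(a) for a in vuln.get("affected", []))]

def rec(vid: str, events: list) -> dict:
    # Constructed OSV-shaped record; ids, package name and ranges are made up.
    return {"id": vid, "affected": [{"package": {"ecosystem": "PyPI", "name": "examplepkg"},
                                     "ranges": [{"type": "ECOSYSTEM", "events": events}]}]}

SAMPLE_VULNS = [
    rec("EXAMPLE-2014-1", [{"introduced": "0"}, {"fixed": "2.3.0"}]),          # fixed long ago
    rec("EXAMPLE-2023-2", [{"introduced": "2.0.0"}, {"fixed": "2.31.0"}, {"introduced": "2.32.0"}, {"fixed": "2.32.4"}]),
    rec("EXAMPLE-2024-3", [{"introduced": "0"}, {"last_affected": "2.32.3"}]),  # no fix released
    rec("EXAMPLE-2024-4", [{"introduced": "2.33.0"}]),                          # newer releases only
]
```

Calling `affecting_advisories("examplepkg", "2.32.3", SAMPLE_VULNS)` keeps only the two advisories whose ranges include 2.32.3, whereas a name-only lookup would list all four.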

## Installation


```bash
git clone https://github.com/rayking99/bettercheck
cd bettercheck
pip install -e .
```

## Usage

To get the commands automatically, you can run:
```bash
# View available commands and options
python -m bettercheck --help  
python -m bettercheck.check_yourself --help

# Example usage - check a package
python -m bettercheck requests --json
python -m bettercheck pandas --report md --with-deps
python -m bettercheck flask --debug

# Check this project
python -m bettercheck.check_yourself
python -m bettercheck.check_yourself --direct-only
```


Or more easily: 

```bash
# View available commands and options
bettercheck --help  

# Main security/package analysis command
bettercheck <package_name> [--json] [--debug] [--report {txt,md}] [--with-deps]
# For example
bettercheck pandas --report md --with-deps
# Also possible - but with mixed results 
bettercheck package-name --github-url https://github.com/owner/repo

# Check bettercheck project dependencies
bettercheck-yourself [--direct-only]

# Analyze dependency tree
bettercheck-deps <package_name>
bettercheck-deps pandas 
```


There is also a single-file / directory scanner that looks for common vulnerabilities. Obviously, there are ways to scan this code in a safe environment.

```bash
# Security scan for Python files/directories
bettercheck-scan scan-file <file_path> [-o OUTPUT_DIR]
bettercheck-scan scan-dir <directory>
```

## Development

### Installation
```bash
git clone https://github.com/rayking99/bettercheck
cd bettercheck
pip install -e .
# or 
pip install -e ".[dev]"
```

### Testing
```bash
# Run tests with coverage report
pytest

# Run style checks
black .
flake8 .
```

### Platform Support
Supported on:

- Linux
- macOS
- Windows


### Potential Extensions

`Examples/package_report.py` can create package reports that include studies on dependencies. [requests report](Examples/requests_package_report-recursive.md)

Passing this information through to Claude, we get:

![Claude's recommendation](assets/ClaudeRecommends.png)


## Features

- Vulnerability scanning via OSV and CVE databases
- Package download statistics
- GitHub repository metrics
- Report generation (markdown/text)
- Detailed vulnerability descriptions
- Project dependency analysis

## License

MIT

## Roadmap

- Various tools to help understand open-source software development and dependencies. 

## Disclaimer

This is only a research tool. 

## Acknowledgements

This idea started with the video: Russ Cox at ACM SCORED: Open Source Supply Chain Security at Google [YouTube Video](https://www.youtube.com/watch?v=6H-V-0oQvCA)

Claude, Gemini, Llama and o1 all made contributions with the scope, code and understanding. 

## TODO

Recursive check to encompass entire supply-chain (including contributors stats) + visualisations.

            
