Scan Requirement File


The pyraider check -f requirements.txt command reads the packages listed in the file and checks each one against the known security vulnerabilities for its pinned version.

Scan requirement file.

pyraider check -f requirements.txt
pyraider check -f Pipfile.lock

Scan a requirement file from another directory

pyraider check -f /raidersource/Documents/application/requirements.txt

Scan requirement file in the same directory

pyraider check -f .

You should get a result like this.

[PyRaider ASCII-art banner]
by RaiderSource version 1.0.19
Started Scanning .....
+-----------------+------------------------------------------------------------+
| Package         | flask                                                      |
+-----------------+------------------------------------------------------------+
| Severity        | MEDIUM                                                     |
+-----------------+------------------------------------------------------------+
| CWE             | 399                                                        |
+-----------------+------------------------------------------------------------+
| CVE             | CVE-2019-1010083                                           |
+-----------------+------------------------------------------------------------+
| Current version | 1.0.19                                                     |
+-----------------+------------------------------------------------------------+
| Update To       | 1.1.2                                                      |
+-----------------+------------------------------------------------------------+
| Description     | The Pallets Project Flask before 1.0 is affected by: unexp |
|                 | ected memory usage. The impact is: denial of service. The  |
|                 | attack vector is: crafted encoded JSON data. The fixed ver |
|                 | sion is: 1. NOTE: this may overlap CVE-2018-1000656.       |
+-----------------+------------------------------------------------------------+
| Resolve         | pip install flask==1.1.2                                   |
+-----------------+------------------------------------------------------------+
| More Info       | https://nvd.nist.gov/vuln/detail/CVE-2019-1010083          |
+-----------------+------------------------------------------------------------+
+-----------------+------------------------------------------------------------+
| Package         | jinja2                                                     |
+-----------------+------------------------------------------------------------+
| Severity        | HIGH                                                       |
+-----------------+------------------------------------------------------------+
| CWE             | 94                                                         |
+-----------------+------------------------------------------------------------+
| CVE             | CVE-2019-8341                                              |
+-----------------+------------------------------------------------------------+
| Current version | 2.10                                                       |
+-----------------+------------------------------------------------------------+
| Update To       | 3.0.0a1                                                    |
+-----------------+------------------------------------------------------------+
| Description     | ** DISPUTED ** An issue was discovered in Jinja2 2.10. The |
|                 |  from_string function is prone to Server Side Template Inj |
|                 | ection (SSTI) where it takes the "source" parameter as a t |
|                 | emplate object, renders it, and then returns it. The attac |
|                 | ker can exploit it with {{INJECTION COMMANDS}} in a URI. N |
|                 | OTE: The maintainer and multiple third parties believe tha |
|                 | t this vulnerability isn't valid because users shouldn't u |
|                 | se untrusted templates without sandboxing.                 |
+-----------------+------------------------------------------------------------+
| Resolve         | pip install jinja2==3.0.0a1                                |
+-----------------+------------------------------------------------------------+
| More Info       | https://nvd.nist.gov/vuln/detail/CVE-2019-8341             |
+-----------------+------------------------------------------------------------+
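As an added example (not part of pyraider itself), the script below turns this table layout into a CI gate: it parses each package block, rejoins the Description rows that the report slices at a fixed width, and exits non-zero when any finding is HIGH or above. SAMPLE_REPORT is a constructed, abridged copy of the report above; piping the scanner's stdout into the script assumes pyraider prints this table to stdout.

```python
import sys

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def _cells(line):
    """Split a '| label | value |' row. Only the one padding space is removed
    from the value: Description is sliced at a fixed width, so inner spaces matter."""
    label_cell, value_cell = line[1:-1].split("|", 1)
    value = value_cell[1:] if value_cell.startswith(" ") else value_cell
    return label_cell.strip(), value[:-1] if value.endswith(" ") else value

def parse_report(text):
    """Return one dict per package block, keyed by the report's row labels."""
    findings, current, last_label = [], None, None
    for line in map(str.rstrip, text.splitlines()):
        # Skip the banner, 'Started Scanning', '+---+' borders and ASCII-art rows
        if not (line.startswith("|") and line.endswith("|") and line.count("|") >= 3):
            continue
        label, value = _cells(line)
        if label == "Package":                # first row of a new block
            findings.append(current := {})
        if current is None:                   # still inside the banner
            continue
        if label:
            current[label], last_label = value, label
        elif last_label:                      # blank label: wrapped line
            current[last_label] += value
    return [{k: v.strip() for k, v in f.items()} for f in findings]

def should_fail(findings, threshold="HIGH"):
    """True when any finding's Severity is at or above the threshold."""
    floor = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(f.get("Severity", ""), 0) >= floor for f in findings)

# Constructed sample, abridged from the report layout shown on this page.
SAMPLE_REPORT = """\
| Package         | flask                                                      |
| Severity        | MEDIUM                                                     |
| Description     | The Pallets Project Flask before 1.0 is affected by: unexp |
|                 | ected memory usage. The impact is: denial of service. The  |
| Resolve         | pip install flask==1.1.2                                   |
+-----------------+------------------------------------------------------------+
| Package         | jinja2                                                     |
| Severity        | HIGH                                                       |
| Resolve         | pip install jinja2==3.0.0a1                                |
"""

if __name__ == "__main__":  # e.g.  pyraider check -f requirements.txt | python gate.py
    found = parse_report(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT)
    sys.exit(1 if should_fail(found) else 0)
```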