OSV integration and updates to safety (#305)

* OSV integration and updates to safety

* Updates for new APIs

* Annotate 2022 support

* Upgrade to the official mockito-kotlin package

* API update

Author: tonybaloney

.github/actions/Dockerfile

@@ -2,7 +2,7 @@ FROM anthonypjshaw/pycharm-security:latest
 COPY action.sh /action.sh
 COPY parse.py /code/parse.py
 COPY project.iml /code/project.iml
-COPY jdk.table.xml /root/.config/JetBrains/PyCharm2021.2/jdk.table.xml
+COPY jdk.table.xml /root/.config/JetBrains/PyCharm2021.3/jdk.table.xml
 RUN apt-get -y update && apt-get -y install python3 python3-pip python3-venv && python3 -m pip install setuptools
 RUN ["chmod", "+x", "/action.sh"]
 ENTRYPOINT ["/action.sh"]

.github/actions/jdk.table.xml

@@ -12,7 +12,7 @@
                         <root url="file:///usr/lib/python3.6/lib-dynload" type="simple" />
                         <root url="file:///usr/local/lib/python3.6/dist-packages" type="simple" />
                         <root url="file:///usr/lib/python3/dist-packages" type="simple" />
-                        <root url="file://$USER_HOME$/Library/Caches/JetBrains/PyCharm2021.2/python_stubs/-1506223722" type="simple" />
+                        <root url="file://$USER_HOME$/Library/Caches/JetBrains/PyCharm2021.3/python_stubs/-1506223722" type="simple" />
                         <root url="file://$APPLICATION_HOME_DIR$/plugins/python/helpers/python-skeletons" type="simple" />
                         <root url="file://$APPLICATION_HOME_DIR$/plugins/python/helpers/typeshed/stdlib/3.6" type="simple" />
                         <root url="file://$APPLICATION_HOME_DIR$/plugins/python/helpers/typeshed/stdlib/3" type="simple" />

.github/workflows/build.yml

@@ -7,7 +7,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
-        pycharm-version: ['2021.2']
+        pycharm-version: ['2021.3']
     runs-on: ${{ matrix.os }}
     steps:
     - uses: actions/checkout@v1
@@ -27,7 +27,7 @@ jobs:
         java-version: 11
     - uses: eskatos/gradle-command-action@v1
       with:
-        arguments: jacocoTestReport -PintellijPublishToken=FAKE_TOKEN -PintellijVersion=2021.2
+        arguments: jacocoTestReport -PintellijPublishToken=FAKE_TOKEN -PintellijVersion=2021.3
     - name: Codecov
       uses: codecov/[email protected]
       with:

Dockerfile

@@ -1,4 +1,4 @@
-ARG PYCHARM_VERSION=2021.2
+ARG PYCHARM_VERSION=2021.3
 FROM ubuntu:18.04
 ARG PYCHARM_VERSION
 RUN echo "Building PyCharm $PYCHARM_VERSION with python-security"

HISTORY.md

@@ -1,5 +1,11 @@
 # Release History
 
+## 1.25.0
+
+* Added a PyPi API option for package security checking that uses the new PyPI vulnerability API
+* Support for 2021.3
+* Update safety DB to december 
+
 ## 1.24.3
 
 * Update safety db to october 2021

README.md

@@ -42,6 +42,10 @@ This plugin will check the installed packages in your Python projects against th
 
 ![](doc/_static/safetydb-screenshot.png)
 
+## PyPi vulnerability API
+
+This plugin will check the installed packages in your Python projects against the OSV database in PyPi and raise a warning for any vulnerabilities.
+
 ## Current checks
 
 See [Supported Checks](https://pycharm-security.readthedocs.io/en/latest/checks/index.html) for a current list.

build.gradle

@@ -7,7 +7,7 @@ plugins {
 }
 
 group 'org.tonybaloney.security'
-version '1.24.3'
+version '1.25.0'
 
 def ktor_version = "1.6.6"
 def kotlin_version = "1.6.0"
@@ -21,9 +21,9 @@ repositories {
 
 dependencies {
     testCompile group: 'org.junit.jupiter', name: 'junit-jupiter', version: '5.8.2'
-    testImplementation "com.nhaarman.mockitokotlin2:mockito-kotlin:2.2.0"
-    testImplementation "net.bytebuddy:byte-buddy:1.12.2"
-    testImplementation "net.bytebuddy:byte-buddy-agent:1.12.2"
+    testImplementation "org.mockito.kotlin:mockito-kotlin:4.0.0"
+    testImplementation 'net.bytebuddy:byte-buddy:1.12.2'
+    testImplementation 'net.bytebuddy:byte-buddy-agent:1.12.2'
     implementation "org.jetbrains.kotlin:kotlin-stdlib:$kotlin_version"
     implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk8:$kotlin_version"
     compile "io.ktor:ktor-client-core:$ktor_version"
@@ -39,7 +39,7 @@ test {
 
 // See https://github.com/JetBrains/gradle-intellij-plugin/
 // Make the intellij version overridable on the command line to support multiple build versions..
-def intellijversion = project.hasProperty('intellijVersion') ? project.getProperty('intellijVersion') : '2021.2'
+def intellijversion = project.hasProperty('intellijVersion') ? project.getProperty('intellijVersion') : '2021.3'
 
 intellij {
     type = 'PC'
@@ -50,9 +50,11 @@ intellij {
 
 patchPluginXml {
     changeNotes = """
-      <h2>1.24.3</h2>
+      <h2>1.25.0</h2>
       <ul>
-        <li>Safety db update</li>
+        <li>Added a PyPi API option for package security checking that uses the new PyPI vulnerability API</li>
+        <li>Support for 2021.3</li>
+        <li>Update safety DB to december </li>
       </ul>
       """
 }

src/main/java/security/fixes/FixUtil.kt

@@ -8,19 +8,19 @@ import com.jetbrains.python.psi.*
 
 
 fun getPyExpressionAtCaret(file: PsiFile, editor: Editor): PyExpression? {
-    return PsiTreeUtil.getParentOfType(file.findElementAt(editor.caretModel.offset), PyExpression::class.java) ?: return null
+    return PsiTreeUtil.getParentOfType(file.findElementAt(editor.caretModel.offset), PyExpression::class.java)
 }
 
 fun getPyCallExpressionAtCaret(file: PsiFile, editor: Editor): PyCallExpression? {
-    return PsiTreeUtil.getTopmostParentOfType(file.findElementAt(editor.caretModel.offset), PyCallExpression::class.java) ?: return null
+    return PsiTreeUtil.getTopmostParentOfType(file.findElementAt(editor.caretModel.offset), PyCallExpression::class.java)
 }
 
 fun getListLiteralExpressionAtCaret(file: PsiFile, editor: Editor): PyListLiteralExpression? {
-    return PsiTreeUtil.getParentOfType(file.findElementAt(editor.caretModel.offset), PyListLiteralExpression::class.java) ?: return null
+    return PsiTreeUtil.getParentOfType(file.findElementAt(editor.caretModel.offset), PyListLiteralExpression::class.java)
 }
 
 fun getBinaryExpressionElementAtCaret(file: PsiFile, editor: Editor): PyBinaryExpression? {
-    return PsiTreeUtil.getParentOfType(file.findElementAt(editor.caretModel.offset), PyBinaryExpression::class.java) ?: return null
+    return PsiTreeUtil.getParentOfType(file.findElementAt(editor.caretModel.offset), PyBinaryExpression::class.java)
 }
 
 fun getNewCallExpressiontAtCaret(file: PsiFile, editor: Editor, project: Project, old: String, new: String): PyCallExpression ? {

src/main/java/security/fixes/ShellEscapeFixer.kt

@@ -11,6 +11,7 @@ import com.intellij.psi.PsiElement
 import com.intellij.psi.PsiFile
 import com.intellij.util.IncorrectOperationException
 import com.jetbrains.python.psi.*
+import com.jetbrains.python.psi.types.TypeEvalContext
 import security.helpers.QualifiedNameHelpers.getQualifiedName
 
 
@@ -56,11 +57,11 @@ class ShellEscapeFixer : LocalQuickFix, IntentionAction, HighPriorityAction {
         val list = elementGenerator.createListLiteral()
         for (item in oldElement.elements){
             if (item is PyReferenceExpression){
-                list.add(getNewEscapedExpression(file, project, item) as @org.jetbrains.annotations.NotNull PsiElement)
+                list.add(getNewEscapedExpression(file, project, item) as PsiElement)
                 continue
             } else if (item is PyCallExpression) {
-                if (getQualifiedName(item) != "shlex.quote") {
-                    list.add(getNewEscapedExpression(file, project, item) as @org.jetbrains.annotations.NotNull PsiElement)
+                if (getQualifiedName(item, TypeEvalContext.codeAnalysis(project, file)) != "shlex.quote") {
+                    list.add(getNewEscapedExpression(file, project, item) as PsiElement)
                     continue
                 }
             }

src/main/java/security/helpers/InspectionVisitorExtensions.kt

@@ -3,10 +3,17 @@ package security.helpers
 import com.intellij.codeInspection.LocalInspectionToolSession
 import com.intellij.codeInspection.ProblemsHolder
 import com.jetbrains.python.inspections.PyInspectionVisitor
+import com.jetbrains.python.psi.types.TypeEvalContext
+import security.helpers.TypeEvalContextHelper.getTypeEvalContext
 
 
-open class SecurityVisitor(holder: ProblemsHolder, session: LocalInspectionToolSession) : PyInspectionVisitor(holder, session) {
+open class SecurityVisitor(holder: ProblemsHolder, val session: LocalInspectionToolSession) : PyInspectionVisitor(holder, getTypeEvalContext(session)) {
     override fun getHolder(): ProblemsHolder {
         return super.getHolder()!!
     }
+
+    val typeEvalContext: TypeEvalContext
+        get() {
+            return getTypeEvalContext(session)
+        }
 }