This commit is contained in:
Iliyan Angelov
2025-12-01 06:50:10 +02:00
parent 91f51bc6fe
commit 62c1fe5951
4682 changed files with 544807 additions and 31208 deletions

View File

@@ -0,0 +1,676 @@
Metadata-Version: 2.4
Name: pip_audit
Version: 2.9.0
Summary: A tool for scanning Python environments for known vulnerabilities
Author-email: Alex Cameron <alex.cameron@trailofbits.com>, Dustin Ingram <di@python.org>, William Woodruff <william@trailofbits.com>
Requires-Python: >=3.9
Description-Content-Type: text/markdown
Classifier: Development Status :: 5 - Production/Stable
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Programming Language :: Python :: 3 :: Only
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security
License-File: LICENSE
Requires-Dist: CacheControl[filecache] >= 0.13.0
Requires-Dist: cyclonedx-python-lib >= 5,< 10
Requires-Dist: packaging>=23.0.0
Requires-Dist: pip-api>=0.0.28
Requires-Dist: pip-requirements-parser>=32.0.0
Requires-Dist: requests >= 2.31.0
Requires-Dist: rich>=12.4
Requires-Dist: toml>=0.10
Requires-Dist: platformdirs>=4.2.0
Requires-Dist: build ; extra == "dev"
Requires-Dist: pip-audit[doc, test, lint] ; extra == "dev"
Requires-Dist: pdoc ; extra == "doc"
Requires-Dist: ruff ~= 0.9 ; extra == "lint"
Requires-Dist: interrogate ~= 1.6 ; extra == "lint"
Requires-Dist: mypy ; extra == "lint"
Requires-Dist: types-requests ; extra == "lint"
Requires-Dist: types-toml ; extra == "lint"
Requires-Dist: coverage[toml] ~= 7.0, != 7.3.3 ; extra == "test"
Requires-Dist: pretend ; extra == "test"
Requires-Dist: pytest ; extra == "test"
Requires-Dist: pytest-cov ; extra == "test"
Project-URL: Homepage, https://pypi.org/project/pip-audit/
Project-URL: Issues, https://github.com/pypa/pip-audit/issues
Project-URL: Source, https://github.com/pypa/pip-audit
Provides-Extra: dev
Provides-Extra: doc
Provides-Extra: lint
Provides-Extra: test
pip-audit
=========
<!--- BADGES: START --->
[![CI](https://github.com/pypa/pip-audit/workflows/CI/badge.svg)](https://github.com/pypa/pip-audit/actions/workflows/ci.yml)
[![PyPI version](https://badge.fury.io/py/pip-audit.svg)](https://pypi.org/project/pip-audit)
[![Packaging status](https://repology.org/badge/tiny-repos/python:pip-audit.svg)](https://repology.org/project/python:pip-audit/versions)
[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/pypa/pip-audit/badge)](https://api.securityscorecards.dev/projects/github.com/pypa/pip-audit)
<!--- BADGES: END --->
`pip-audit` is a tool for scanning Python environments for packages
with known vulnerabilities. It uses the Python Packaging Advisory Database
(https://github.com/pypa/advisory-database) via the
[PyPI JSON API](https://warehouse.pypa.io/api-reference/json.html) as a source
of vulnerability reports.
This project is maintained in part by [Trail of Bits](https://www.trailofbits.com/)
with support from Google. This is not an official Google or Trail of Bits product.
## Index
* [Features](#features)
* [Installation](#installation)
* [Third-party packages](#third-party-packages)
* [GitHub Actions](#github-actions)
* [`pre-commit` support](#pre-commit-support)
* [Usage](#usage)
* [Environment variables](#environment-variables)
* [Exit codes](#exit-codes)
* [Dry runs](#dry-runs)
* [Examples](#examples)
* [Troubleshooting](#troubleshooting)
* [Tips and Tricks](#tips-and-tricks)
* [Security model](#security-model)
* [Licensing](#licensing)
* [Contributing](#contributing)
* [Code of Conduct](#code-of-conduct)
## Features
* Support for auditing local environments and requirements-style files
* Support for multiple vulnerability services
([PyPI](https://warehouse.pypa.io/api-reference/json.html#known-vulnerabilities),
[OSV](https://osv.dev/docs/))
* Support for emitting
[SBOMs](https://en.wikipedia.org/wiki/Software_bill_of_materials) in
[CycloneDX](https://cyclonedx.org/) XML or JSON
* Support for automatically fixing vulnerable dependencies (`--fix`)
* Human and machine-readable output formats (columnar, Markdown, JSON)
* Seamlessly reuses your existing local `pip` caches
## Installation
`pip-audit` requires Python 3.9 or newer, and can be installed directly via `pip`:
```bash
python -m pip install pip-audit
```
### Third-party packages
There are multiple **third-party** packages for `pip-audit`. The matrices and badges below
list some of them:
[![Packaging status](https://repology.org/badge/vertical-allrepos/python:pip-audit.svg)](https://repology.org/project/python:pip-audit/versions)
[![Packaging status](https://repology.org/badge/vertical-allrepos/pip-audit.svg)](https://repology.org/project/pip-audit/versions)
[![Conda - Platform](https://img.shields.io/conda/pn/conda-forge/pip-audit?logo=anaconda&style=flat)][#conda-forge-package]
[![Conda (channel only)](https://img.shields.io/conda/vn/conda-forge/pip-audit?logo=anaconda&style=flat&color=orange)][#conda-forge-package]
[#conda-forge-package]: https://anaconda.org/conda-forge/pip-audit
In particular, `pip-audit` can be installed via `conda`:
```bash
conda install -c conda-forge pip-audit
```
Third-party packages are **not** directly supported by this project. Please consult your package manager's
documentation for more detailed installation guidance.
### GitHub Actions
`pip-audit` has [an official GitHub Action](https://github.com/pypa/gh-action-pip-audit)!
You can install it from the
[GitHub Marketplace](https://github.com/marketplace/actions/gh-action-pip-audit), or
add it to your CI manually:
```yaml
jobs:
pip-audit:
steps:
- uses: pypa/gh-action-pip-audit@v1.0.0
with:
inputs: requirements.txt
```
See the
[action documentation](https://github.com/pypa/gh-action-pip-audit/blob/main/README.md)
for more details and usage examples.
### `pre-commit` support
`pip-audit` has [`pre-commit`](https://pre-commit.com/) support.
For example, using `pip-audit` via `pre-commit` to audit a requirements file:
```yaml
- repo: https://github.com/pypa/pip-audit
rev: v2.9.0
hooks:
- id: pip-audit
args: ["-r", "requirements.txt"]
ci:
# Leave pip-audit to only run locally and not in CI
# pre-commit.ci does not allow network calls
skip: [pip-audit]
```
Any `pip-audit` arguments documented below can be passed.
## Usage
You can run `pip-audit` as a standalone program, or via `python -m`:
```bash
pip-audit --help
python -m pip_audit --help
```
<!-- @begin-pip-audit-help@ -->
```
usage: pip-audit [-h] [-V] [-l] [-r REQUIREMENT] [--locked] [-f FORMAT]
[-s SERVICE] [-d] [-S] [--desc [{on,off,auto}]]
[--aliases [{on,off,auto}]] [--cache-dir CACHE_DIR]
[--progress-spinner {on,off}] [--timeout TIMEOUT]
[--path PATH] [-v] [--fix] [--require-hashes]
[--index-url INDEX_URL] [--extra-index-url URL]
[--skip-editable] [--no-deps] [-o FILE] [--ignore-vuln ID]
[--disable-pip]
[project_path]
audit the Python environment for dependencies with known vulnerabilities
positional arguments:
project_path audit a local Python project at the given path
(default: None)
optional arguments:
-h, --help show this help message and exit
-V, --version show program's version number and exit
-l, --local show only results for dependencies in the local
environment (default: False)
-r REQUIREMENT, --requirement REQUIREMENT
audit the given requirements file; this option can be
used multiple times (default: None)
--locked audit lock files from the local Python project. This
flag only applies to auditing from project paths
(default: False)
-f FORMAT, --format FORMAT
the format to emit audit results in (choices: columns,
json, cyclonedx-json, cyclonedx-xml, markdown)
(default: columns)
-s SERVICE, --vulnerability-service SERVICE
the vulnerability service to audit dependencies
against (choices: osv, pypi) (default: pypi)
-d, --dry-run without `--fix`: collect all dependencies but do not
perform the auditing step; with `--fix`: perform the
auditing step but do not perform any fixes (default:
False)
-S, --strict fail the entire audit if dependency collection fails
on any dependency (default: False)
--desc [{on,off,auto}]
include a description for each vulnerability; `auto`
defaults to `on` for the `json` format. This flag has
no effect on the `cyclonedx-json` or `cyclonedx-xml`
formats. (default: auto)
--aliases [{on,off,auto}]
includes alias IDs for each vulnerability; `auto`
defaults to `on` for the `json` format. This flag has
no effect on the `cyclonedx-json` or `cyclonedx-xml`
formats. (default: auto)
--cache-dir CACHE_DIR
the directory to use as an HTTP cache for PyPI; uses
the `pip` HTTP cache by default (default: None)
--progress-spinner {on,off}
display a progress spinner (default: on)
--timeout TIMEOUT set the socket timeout (default: 15)
--path PATH restrict to the specified installation path for
auditing packages; this option can be used multiple
times (default: [])
-v, --verbose run with additional debug logging; supply multiple
times to increase verbosity (default: 0)
--fix automatically upgrade dependencies with known
vulnerabilities (default: False)
--require-hashes require a hash to check each requirement against, for
repeatable audits; this option is implied when any
package in a requirements file has a `--hash` option.
(default: False)
--index-url INDEX_URL
base URL of the Python Package Index; this should
point to a repository compliant with PEP 503 (the
simple repository API); this will be resolved by pip
if not specified (default: None)
--extra-index-url URL
extra URLs of package indexes to use in addition to
`--index-url`; should follow the same rules as
`--index-url` (default: [])
--skip-editable don't audit packages that are marked as editable
(default: False)
--no-deps don't perform any dependency resolution; requires all
requirements are pinned to an exact version (default:
False)
-o FILE, --output FILE
output results to the given file (default: stdout)
--ignore-vuln ID ignore a specific vulnerability by its vulnerability
ID; this option can be used multiple times (default:
[])
--disable-pip don't use `pip` for dependency resolution; this can
only be used with hashed requirements files or if the
`--no-deps` flag has been provided (default: False)
```
<!-- @end-pip-audit-help@ -->
### Environment variables
`pip-audit` allows users to configure some flags via environment variables
instead:
| Flag | Environment equivalent | Example |
| ------------------------- | --------------------------------- | ------------------------------------- |
| `--format` | `PIP_AUDIT_FORMAT` | `PIP_AUDIT_FORMAT=markdown` |
| `--vulnerability-service` | `PIP_AUDIT_VULNERABILITY_SERVICE` | `PIP_AUDIT_VULNERABILITY_SERVICE=osv` |
| `--desc` | `PIP_AUDIT_DESC` | `PIP_AUDIT_DESC=off` |
| `--progress-spinner` | `PIP_AUDIT_PROGRESS_SPINNER` | `PIP_AUDIT_PROGRESS_SPINNER=off` |
| `--output` | `PIP_AUDIT_OUTPUT` | `PIP_AUDIT_OUTPUT=/tmp/example` |
### Exit codes
On completion, `pip-audit` will exit with a code indicating its status.
The current codes are:
* `0`: No known vulnerabilities were detected.
* `1`: One or more known vulnerabilities were found.
`pip-audit`'s exit code cannot be suppressed.
See [Suppressing exit codes from `pip-audit`](#suppressing-exit-codes-from-pip-audit)
for supported alternatives.
### Dry runs
`pip-audit` supports the `--dry-run` flag, which can be used to control whether
an audit (or fix) step is actually performed.
* On its own, `pip-audit --dry-run` skips the auditing step and prints
the number of dependencies that *would have been* audited.
* In fix mode, `pip-audit --fix --dry-run` performs the auditing step and prints
out the fix behavior (i.e., which dependencies would be upgraded or skipped)
that *would have been performed*.
## Examples
Audit dependencies for the current Python environment:
```console
$ pip-audit
No known vulnerabilities found
```
Audit dependencies for a given requirements file:
```console
$ pip-audit -r ./requirements.txt
No known vulnerabilities found
```
Audit dependencies for a requirements file, excluding system packages:
```console
$ pip-audit -r ./requirements.txt -l
No known vulnerabilities found
```
Audit dependencies for a local Python project:
```console
$ pip-audit .
No known vulnerabilities found
```
Audit lockfiles for a local Python project:
```console
$ pip-audit --locked .
No known vulnerabilities found
```
`pip-audit` searches the provided path for various Python "project" files.
At the moment, only `pyproject.toml` and `pylock.*.toml` are supported.
Audit dependencies when there are vulnerabilities present:
```console
$ pip-audit
Found 2 known vulnerabilities in 1 package
Name Version ID Fix Versions
---- ------- -------------- ------------
Flask 0.5 PYSEC-2019-179 1.0
Flask 0.5 PYSEC-2018-66 0.12.3
```
Audit dependencies including aliases:
```console
$ pip-audit --aliases
Found 2 known vulnerabilities in 1 package
Name Version ID Fix Versions Aliases
---- ------- -------------- ------------ -------------------------------------
Flask 0.5 PYSEC-2019-179 1.0 CVE-2019-1010083, GHSA-5wv5-4vpf-pj6m
Flask 0.5 PYSEC-2018-66 0.12.3 CVE-2018-1000656, GHSA-562c-5r94-xh97
```
Audit dependencies including descriptions:
```console
$ pip-audit --desc
Found 2 known vulnerabilities in 1 package
Name Version ID Fix Versions Description
---- ------- -------------- ------------ --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flask 0.5 PYSEC-2019-179 1.0 The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656.
Flask 0.5 PYSEC-2018-66 0.12.3 The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.
```
Audit dependencies in JSON format:
```console
$ pip-audit -f json | python -m json.tool
Found 2 known vulnerabilities in 1 package
[
{
"name": "flask",
"version": "0.5",
"vulns": [
{
"id": "PYSEC-2019-179",
"fix_versions": [
"1.0"
],
"aliases": [
"CVE-2019-1010083",
"GHSA-5wv5-4vpf-pj6m"
],
"description": "The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656."
},
{
"id": "PYSEC-2018-66",
"fix_versions": [
"0.12.3"
],
"aliases": [
"CVE-2018-1000656",
"GHSA-562c-5r94-xh97"
],
"description": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083."
}
]
},
{
"name": "jinja2",
"version": "3.0.2",
"vulns": []
},
{
"name": "pip",
"version": "21.3.1",
"vulns": []
},
{
"name": "setuptools",
"version": "57.4.0",
"vulns": []
},
{
"name": "werkzeug",
"version": "2.0.2",
"vulns": []
},
{
"name": "markupsafe",
"version": "2.0.1",
"vulns": []
}
]
```
Audit and attempt to automatically upgrade vulnerable dependencies:
```console
$ pip-audit --fix
Found 2 known vulnerabilities in 1 package and fixed 2 vulnerabilities in 1 package
Name Version ID Fix Versions Applied Fix
----- ------- -------------- ------------ ----------------------------------------
flask 0.5 PYSEC-2019-179 1.0 Successfully upgraded flask (0.5 => 1.0)
flask 0.5 PYSEC-2018-66 0.12.3 Successfully upgraded flask (0.5 => 1.0)
```
## Troubleshooting
Have you resolved a problem with `pip-audit`? Help us by contributing to this
section!
### `pip-audit` shows irrelevant vulnerability reports!
In a perfect world, vulnerability feeds would have an infinite signal-to-noise
ratio: every vulnerability report would be (1) correct, and (2) applicable to
every use of every dependency.
Unfortunately, neither of these is guaranteed: vulnerability feeds are not
immune to extraneous or spam reports, and not all uses of a particular
dependency map to all potential classes of vulnerabilities.
If your `pip-audit` runs produce vulnerability reports that aren't actionable
for your particular application or use case, you can use the `--ignore-vuln ID`
option to ignore specific vulnerability reports. `--ignore-vuln` supports
aliases, so you can use a `GHSA-xxx` or `CVE-xxx` ID instead of a `PYSEC-xxx`
ID if the report in question does not have a PYSEC ID.
For example, here is how you might ignore GHSA-w596-4wvx-j9j6, which is a
common source of noisy vulnerability reports and false positives for users of
[`pytest`](https://github.com/pytest-dev/pytest):
```console
# Run the audit as normal, but exclude any reports that match GHSA-w596-4wvx-j9j6
$ pip-audit --ignore-vuln GHSA-w596-4wvx-j9j6
```
The `--ignore-vuln ID` option works with all other dependency resolution
and auditing options, meaning that it should function correctly with
requirements-style inputs, alternative vulnerability feeds, and so forth.
It can also be passed multiple times, to ignore multiple reports:
```console
# Run the audit as normal, but exclude any reports that match these IDs
$ pip-audit --ignore-vuln CVE-XXX-YYYY --ignore-vuln CVE-ZZZ-AAAA
```
### `pip-audit` takes longer than I expect!
Depending on how you're using it, `pip-audit` may have to perform its
own dependency resolution, which can take roughly as long as `pip install`
does for a project. See the [security model](#security-model) for an explanation.
You have two options for avoiding dependency resolution: *audit a pre-installed
environment*, or *ensure that your dependencies are already fully resolved*.
If you know that you've already fully configured an environment equivalent
to the one that `pip-audit -r requirements.txt` would audit, you can simply
reuse it:
```console
# Note the absence of any "input" arguments, indicating that the environment is used.
$ pip-audit
# Optionally filter out non-local packages, for virtual environments:
$ pip-audit --local
```
Alternatively, if your input is fully pinned (and optionally hashed), you
can tell `pip-audit` to skip dependency resolution with either `--no-deps`
(pinned without hashes) or `--require-hashes` (pinned including hashes).
The latter is equivalent to `pip`'s
[hash-checking mode](https://pip.pypa.io/en/stable/cli/pip_install/#hash-checking-mode)
and is preferred, since it offers additional integrity.
```console
# fails if any dependency is not fully pinned
$ pip-audit --no-deps -r requirements.txt
# fails if any dependency is not fully pinned *or* is missing hashes
$ pip-audit --require-hashes -r requirements.txt
```
### `pip-audit` can't authenticate to my third-party index!
### Authenticated third-party or private indices
`pip-audit` supports `--index-url` and `--extra-index-url` for configuring an alternate
or supplemental package indices, just like `pip`.
When *unauthenticated*, these indices should work as expected. However, when a third-party
index requires authentication, `pip-audit` has a few additional restrictions on top of
ordinary `pip`:
* Interactive authentication is **not** supported. In other words: `pip-audit` will **not**
prompt you for a username/password for the index.
* [`pip`'s `keyring` authentication](https://pip.pypa.io/en/stable/topics/authentication/#keyring-support)
**is** supported, but in a limited fashion: `pip-audit` uses the `subprocess` keyring provider,
since audits happen in isolated virtual environments. The `subprocess` provider in turn
is subject to additional restrictions (such as a required username);
[`pip`'s documentation](https://pip.pypa.io/en/stable/topics/authentication/#using-keyring-as-a-command-line-application)
explains these in depth.
In addition to the above, some third-party indices have required, hard-coded usernames.
For example, for Google Artifact registry, the hard-coded username is `oauth2accesstoken`.
See [#742](https://github.com/pypa/pip-audit/issues/742) and
[pip#11971](https://github.com/pypa/pip/issues/11971) for additional context.
## Tips and Tricks
### Running against a `pipenv` project
`pipenv` uses both a `Pipfile` and `Pipfile.lock` file to track and freeze dependencies
instead of a `requirements.txt` file. `pip-audit` cannot process the `Pipfile[.lock]`
files directly, however, these can be converted to a supported `requirements.txt` file
that `pip-audit` can run against. `pipenv` has a built-in command to convert dependencies
to a `requirements.txt` file (as of [`v2022.4.8`](https://pipenv.pypa.io/en/latest/changelog/#id206)):
```console
$ pipenv run pip-audit -r <(pipenv requirements)
```
### Suppressing exit codes from `pip-audit`
`pip-audit` intentionally does not support internally suppressing its own
exit codes.
Users who need to suppress a failing `pip-audit` invocation can use
one of the standard shell idioms for doing so:
```bash
pip-audit || true
```
or, to exit entirely:
```bash
pip-audit || exit 0
```
The exit code can also be captured and handled explicitly:
```bash
pip-audit
exitcode="${?}"
# do something with ${exitcode}
```
See [Exit codes](#exit-codes) for a list of potential codes that need handling.
### Reporting only fixable vulnerabilities
In development workflows, you may want to ignore the vulnerabilities that haven't been remediated yet and only investigate them in your release process. `pip-audit` does not support ignoring unfixed vulnerabilities. However, you can export its output in JSON format and externally process it. For example, if you want to exit with a non-zero code only when the detected vulnerabilities have known fix versions, you can process the output using [jq](https://github.com/jqlang/jq) as:
```shell
test -z "$(pip-audit -r requirements.txt --format=json 2>/dev/null | jq '.dependencies[].vulns[].fix_versions[]')"
```
A simple (and inefficient) example of using this method would be:
```shell
test -z "$(pip-audit -r requirements.txt --format=json 2>/dev/null | jq '.dependencies[].vulns[].fix_versions[]')" || pip-audit -r requirements.txt
```
which runs `pip-audit` as usual and exits with a non-zero code only if there are fixed versions for the known vulnerabilities.
## Security Model
This section exists to describe the security assumptions you **can** and **must not**
make when using `pip-audit`.
TL;DR: **If you wouldn't `pip install` it, you should not `pip audit` it.**
`pip-audit` is a tool for auditing Python environments for packages with
*known vulnerabilities*. A "known vulnerability" is a publicly reported flaw in
a package that, if uncorrected, *might* allow a malicious actor to perform
unintended actions.
`pip-audit` **can** protect you against known vulnerabilities by telling
you when you have them, and how you should upgrade them. For example,
if you have `somepackage==1.2.3` in your environment, `pip-audit` **can** tell
you that it needs to be upgraded to `1.2.4`.
You **can** assume that `pip-audit` will make a best effort to *fully resolve*
all of your Python dependencies and *either* fully audit each *or* explicitly
state which ones it has skipped, as well as why it has skipped them.
`pip-audit` is **not** a static code analyzer. It analyzes dependency trees,
not code, and it **cannot** guarantee that arbitrary dependency resolutions
occur statically. To understand why this is, refer to Dustin Ingram's
[excellent post on dependency resolution in Python](https://dustingram.com/articles/2018/03/05/why-pypi-doesnt-know-dependencies/).
As such: you **must not** assume that `pip-audit` will **defend** you against
malicious packages. In particular, it is **incorrect** to treat
`pip-audit -r INPUT` as a "more secure" variant of `pip-audit`. For all intents
and purposes, `pip-audit -r INPUT` is functionally equivalent to
`pip install -r INPUT`, with a small amount of **non-security isolation** to
avoid conflicts with any of your local environments.
`pip-audit` is first and foremost a auditing tool for *Python* packages.
You **must not** assume that `pip-audit` will detect or flag "transitive"
vulnerabilities that might be exposed through Python packages, but are not
actually part of the package itself. For example, `pip-audit`'s vulnerability
information sources are unlikely to include an advisory for a vulnerable shared
library that a popular Python package *might* use, since the Python package's
version is not strongly connected to the shared library's version.
## Licensing
`pip-audit` is licensed under the Apache 2.0 License.
`pip-audit` reuses and modifies examples from
[`resolvelib`](https://github.com/sarugaku/resolvelib), which is licensed under
the ISC license.
## Contributing
See [the contributing docs](CONTRIBUTING.md) for details.
## Code of Conduct
Everyone interacting with this project is expected to follow the
[PSF Code of Conduct](https://github.com/pypa/.github/blob/main/CODE_OF_CONDUCT.md).
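Review bot: this hunk checks in an installed distribution's `pip_audit-2.9.0.dist-info/METADATA` (and, per the commit summary, 4682 files in total), i.e. a snapshot of a site-packages tree rather than a declared dependency; a vendored copy of the vulnerability scanner is frozen outside dependency management, so it will neither be audited by `pip-audit` itself nor upgraded by `--fix`. Suggest dropping the installed tree from the commit (ignore the environment directory) and declaring `pip-audit==2.9.0` in a hashed requirements file, which matches the README's own advice to prefer `--require-hashes` for integrity. Separately, the README being added is internally inconsistent: the output under "Audit dependencies in JSON format" shows a top-level array, while the `jq` filter under "Reporting only fixable vulnerabilities" selects `.dependencies[].vulns[].fix_versions[]`, which presumes a top-level object with a `dependencies` key; one of the two is stale, and a reader running the filter against the documented shape would get an empty result and therefore a false "no fixable vulnerabilities" exit status.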

View File

@@ -0,0 +1,60 @@
../../../bin/pip-audit,sha256=FpH8mRymhVLDAKqsuDjOARmO25Ccvpa4gro5GdbAVf8,227
pip_audit-2.9.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4
pip_audit-2.9.0.dist-info/METADATA,sha256=jF92PFeWN4cWzK-ZbpmwbxmvnCeQwdYrVik6dEqBI74,27910
pip_audit-2.9.0.dist-info/RECORD,,
pip_audit-2.9.0.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
pip_audit-2.9.0.dist-info/WHEEL,sha256=G2gURzTEtmeR8nrdXUJfNiB3VYVxigPQ-bEQujpNiNs,82
pip_audit-2.9.0.dist-info/entry_points.txt,sha256=VjOcNswj8jG25jScQCt9aFcxVJu0Dixf2jomUjMH0d4,50
pip_audit-2.9.0.dist-info/licenses/LICENSE,sha256=DVQuDIgE45qn836wDaWnYhSdxoLXgpRRKH4RuTjpRZQ,10174
pip_audit/__init__.py,sha256=Ydvqqc_nj4e66iGB8hnqERrHBQ5AyYt1iGJ7ZtG4oMI,53
pip_audit/__main__.py,sha256=OVSU-HVk5l97ZLWD5h0wTHsxndVDlI5hVxnZQRmFTnQ,144
pip_audit/__pycache__/__init__.cpython-312.pyc,,
pip_audit/__pycache__/__main__.cpython-312.pyc,,
pip_audit/__pycache__/_audit.cpython-312.pyc,,
pip_audit/__pycache__/_cache.cpython-312.pyc,,
pip_audit/__pycache__/_cli.cpython-312.pyc,,
pip_audit/__pycache__/_fix.cpython-312.pyc,,
pip_audit/__pycache__/_state.cpython-312.pyc,,
pip_audit/__pycache__/_subprocess.cpython-312.pyc,,
pip_audit/__pycache__/_util.cpython-312.pyc,,
pip_audit/__pycache__/_virtual_env.cpython-312.pyc,,
pip_audit/_audit.py,sha256=4gqvDDWTDCKWLhMAGUPJ185Bdhci8LQJDtgm8iGgV9A,3172
pip_audit/_cache.py,sha256=HNn5pb8gvsebNpIDjvDjrHG_QyILZcMQBTc9FLHTv9w,6716
pip_audit/_cli.py,sha256=BolhvPwjDqxy25KUHXK0ocldDXTfV7JI-EeahH9GsTA,22456
pip_audit/_dependency_source/__init__.py,sha256=3Y8jJRyaktZ8yhoARymZoU6nHWM9c7-7VnsLWRaIrvc,632
pip_audit/_dependency_source/__pycache__/__init__.cpython-312.pyc,,
pip_audit/_dependency_source/__pycache__/interface.cpython-312.pyc,,
pip_audit/_dependency_source/__pycache__/pip.cpython-312.pyc,,
pip_audit/_dependency_source/__pycache__/pylock.cpython-312.pyc,,
pip_audit/_dependency_source/__pycache__/pyproject.cpython-312.pyc,,
pip_audit/_dependency_source/__pycache__/requirement.cpython-312.pyc,,
pip_audit/_dependency_source/interface.py,sha256=MqN1biOXo51rC00M5TR74rUPi6lT42wPySYOgm6E_5Y,1748
pip_audit/_dependency_source/pip.py,sha256=AOldz9IOILhaMKcqjSG5bQhRHmqpTDcDYW6esD--QYU,6928
pip_audit/_dependency_source/pylock.py,sha256=f3A-_psrL57jb8dYoY_1bxsf5-QoBkJFJe_6kUTEAFo,3631
pip_audit/_dependency_source/pyproject.py,sha256=6mm1yWQ65UZNtkUo5TK-gs7U2Yve1isPPM1y0ZQU7Ek,5719
pip_audit/_dependency_source/requirement.py,sha256=c1PUCmN-Pn-ZtOtuSl4M_0G2R1cD3N25euGe2jlFZ9Q,16057
pip_audit/_fix.py,sha256=J4XABlLHa71kh8sBAkbhNy6g9Fi1C6pAuPYZYBEa9Po,3711
pip_audit/_format/__init__.py,sha256=NqRYMJLsByp4v8RExprUkkAa8UdKkjFf0cngCUx9oks,380
pip_audit/_format/__pycache__/__init__.cpython-312.pyc,,
pip_audit/_format/__pycache__/columns.cpython-312.pyc,,
pip_audit/_format/__pycache__/cyclonedx.cpython-312.pyc,,
pip_audit/_format/__pycache__/interface.cpython-312.pyc,,
pip_audit/_format/__pycache__/json.cpython-312.pyc,,
pip_audit/_format/__pycache__/markdown.cpython-312.pyc,,
pip_audit/_format/columns.py,sha256=WA0vrV2A-3YCQ6tH2Fo0kawKZC6cUbIehmkG97l-O2A,5712
pip_audit/_format/cyclonedx.py,sha256=gPLOQpeza1oISfgofGqPJSmCUOiDusPKjIbzOViPgZ8,2804
pip_audit/_format/interface.py,sha256=KX3Bsi79Gla6B5D91Z5GQ9DpOWR0mQ28g7iwDJ2DvbM,1120
pip_audit/_format/json.py,sha256=au0dnxxRwTSJyC1PnJU6DE6oDhiSIoZWg46POaQQH9w,3459
pip_audit/_format/markdown.py,sha256=T_kXjjDKc6ZE1rm36hM0vueEEca-T3JVBGVormdqogM,5155
pip_audit/_service/__init__.py,sha256=MKUV1pdOdKatNjDQAcRuQlJUQVR1e3fHH5BJv9KQZgE,536
pip_audit/_service/__pycache__/__init__.cpython-312.pyc,,
pip_audit/_service/__pycache__/interface.cpython-312.pyc,,
pip_audit/_service/__pycache__/osv.cpython-312.pyc,,
pip_audit/_service/__pycache__/pypi.cpython-312.pyc,,
pip_audit/_service/interface.py,sha256=a5wGf_j_2HuxqDRDZ7TlQ_2PNVmBiqMxGNj8oFaR-gM,5292
pip_audit/_service/osv.py,sha256=t5_UQv8CzbVRLWPjZClKxBQ81JYM_hgMqaU9w8WfclA,5899
pip_audit/_service/pypi.py,sha256=mk7KWpoW3SAytUO6XqNw7-gXC_UqRzFqEZp11TXLfQY,5048
pip_audit/_state.py,sha256=3cxpcKr15Jp2pDPzaNTzUSq38dC1QrUgiAxLxIglaA8,8744
pip_audit/_subprocess.py,sha256=xygRz8Cdlx6QqxTrK0_wEnGmwtNtGn9hwl-fC3oe2kc,2349
pip_audit/_util.py,sha256=3XiJA0JJXCK2lAnIRnNTR-BnNiDniTHVvsihQx8B1zE,662
pip_audit/_virtual_env.py,sha256=snGNWstW7MhfmG_z1yjXOEIkH2E7Se1xdf4W43SSQt4,8415
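Review bot: the RECORD entries confirm this is a captured virtual environment rather than source: `../../../bin/pip-audit` points outside the package to the environment's console script (whose shebang hard-codes the path of the interpreter that installed it), and the `__pycache__/*.cpython-312.pyc` entries are interpreter-version-specific bytecode that is regenerated on import. Neither belongs in version control; suggest excluding the environment directory and keeping only a pinned, hashed requirement, so that the installed tree (and this RECORD, which `pip` uses to track the files it installed) is produced by `pip install` at deploy time instead of being committed.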

View File

@@ -0,0 +1,4 @@
Wheel-Version: 1.0
Generator: flit 3.12.0
Root-Is-Purelib: true
Tag: py3-none-any

View File

@@ -0,0 +1,3 @@
[console_scripts]
pip-audit=pip_audit._cli:audit

View File

@@ -0,0 +1,177 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
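Review bot: section 4 of this license text now binds this repository as a redistributor of the Work: 4(a) is satisfied by checking the text in, but 4(b) requires a prominent change notice on any vendored file that is modified locally and 4(c) requires retaining the upstream copyright and attribution notices; suggest the commit message state that the vendored files are unmodified (the RECORD digests would confirm that) so that any later local edit is recognised as triggering the 4(b) obligation.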