Auditing your python environment

Photo by John Salvino on Unsplash

safety

The first tool is safety. It is maintained by the pyup team and relies on their own vulnerability database, which comes in two flavors:

  • An open source version that we can freely use. It is updated once a month.
  • A paid version that is updated frequently (more than once a month).

installation

To install the package, type one of the following commands in your terminal:

$ pip install safety
# or, as a development dependency with poetry
$ poetry add -D safety

To run it in GitHub Actions, the pyup team publishes an action you can add as a step in your workflow:

- uses: pyupio/safety@v1
  # if you subscribed to a paid plan, you can insert your key like the following snippet.
  # It assumes that you have a secret called SAFETY_API_KEY defined under
  # Settings -> Secrets -> Actions in your GitHub repository settings.
  with:
    api-key: ${{ secrets.SAFETY_API_KEY }}

usage

To test safety, we will install an old release of flask, version 0.5.

$ pip install flask==0.5
# or
$ poetry add flask==0.5

$ safety check
...
REPORT
Safety v2.1.1 is scanning for Vulnerabilities...
Scanning dependencies in your environment:
-> /home/kevin/.cache/pypoetry/virtualenvs/orm-L9juRWWT-py3.8/lib/python3.8/site-packages
Using non-commercial database
Found and scanned 64 packages
Timestamp 2022-08-17 22:52:00
3 vulnerabilities found
0 vulnerabilities ignored
+=======================================================================================================================+
VULNERABILITIES FOUND
+=======================================================================================================================+
-> Vulnerability found in flask version 0.5
Vulnerability ID: 38654
Affected spec: <0.12.3
ADVISORY: Flask 0.12.3 includes a fix for CVE-2019-1010083: Unexpected memory usage. The impact is denial of service.
The attack vector is crafted encoded JSON data.
NOTE: this may overlap CVE-2018-1000656.
https://github.com/pallets/flask/pull/2695/commits/0e1e9a04aaf29ab78f721cfc79ac2a691f6e3929
CVE-2019-1010083
For more information, please visit https://pyup.io/vulnerabilities/CVE-2019-1010083/38654/
Scan was completed. 3 vulnerabilities were found.
...
+=======================================================================================================================+
REMEDIATIONS
3 vulnerabilities were found in 1 package. For detailed remediation & fix recommendations, upgrade to a commercial license.
...

Other useful invocations:

# print the full advisory text instead of the truncated report
$ safety check --full-report
# print only the names of the affected packages (handy for scripting)
$ safety check --bare
flask
# scan a requirements file instead of the installed environment
$ safety check -r requirements.txt
# scan package specifications read from standard input
$ echo "package-to-check==0.1" | safety check --stdin
# emit the report as JSON for further processing
$ safety check --output json

pip-audit

The second tool I want to introduce to you is pip-audit. It is maintained by Trail of Bits with some support from Google. It uses the PyPA Advisory Database, queried through the PyPI JSON API, as its source of vulnerability reports.

installation

You can install it using pip or poetry like the following:

$ pip install pip-audit
# or
$ poetry add -D pip-audit

In GitHub Actions, Trail of Bits publishes an action you can use as a job step:

jobs:
  pip-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: trailofbits/gh-action-pip-audit@v0.0.4
        # if you use a requirements file, you can add the following
        with:
          inputs: requirements.txt

It can also run as a pre-commit hook; add the following to your .pre-commit-config.yaml:

repos:
  - repo: https://github.com/trailofbits/pip-audit
    rev: v2.4.3
    hooks:
      - id: pip-audit
        args: [ "-r", "requirements.txt" ]
ci:
  # Leave pip-audit to only run locally and not in CI
  # pre-commit.ci does not allow network calls
  skip: [ pip-audit ]

usage

We still assume that the flask package at version 0.5 is installed in our environment. To run pip-audit against the current Python environment, type:

$ pip-audit
Found 2 known vulnerabilities in 1 package
Name  Version ID             Fix Versions
----- ------- -------------- ------------
flask 0.5     PYSEC-2019-179 1.0
flask 0.5     PYSEC-2018-66  0.12.3

# add a description of each advisory to the table
$ pip-audit --desc

# show which upgrades pip-audit would apply, without touching the environment
$ pip-audit --fix --dry-run
INFO:pip_audit._cli:Dry run: would have upgraded Flask to 1.0
Found 2 known vulnerabilities in 1 package and fixed 0 vulnerabilities in 0 packages
Name  Version ID             Fix Versions
----- ------- -------------- ------------
flask 0.5     PYSEC-2019-179 1.0
flask 0.5     PYSEC-2018-66  0.12.3

# in a poetry-managed project, let poetry resolve the upgrade and update the lock file
$ poetry update flask

# audit a requirements file instead of the installed environment
$ pip-audit -r ./requirements.txt
# audit a project; this assumes pyproject.toml is in the current directory
$ pip-audit .
# emit the report as JSON for further processing
$ pip-audit -f json | python -m json.tool
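As an added example (not part of the original post and not pip-audit's own code), here is a small Python script that turns a `pip-audit -f json` report into a CI verdict: for each package it computes the lowest release that closes every advisory, which for the flask 0.5 case above gives 1.0, the same target the dry run chose. The report shape (a list of dependencies whose `vulns` carry `fix_versions`) and the sample data are assumptions constructed for this example.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample of `pip-audit -f json` output for the flask==0.5 environment above.
# Shape assumed from pip-audit 2.4.x: a list of dependencies, each with its vulns.
SAMPLE_REPORT = """
[
  {"name": "flask", "version": "0.5", "vulns": [
    {"id": "PYSEC-2019-179", "fix_versions": ["1.0"], "description": "(omitted)"},
    {"id": "PYSEC-2018-66", "fix_versions": ["0.12.3"], "description": "(omitted)"}
  ]},
  {"name": "click", "version": "8.1.3", "vulns": []}
]
"""

def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric-only version key; enough for the dotted releases PyPA advisories list."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def dependencies(report) -> List[dict]:
    # Newer pip-audit releases wrap the list in {"dependencies": [...]}; accept both shapes.
    return report["dependencies"] if isinstance(report, dict) else report

def upgrade_targets(report_json: str) -> Dict[str, Optional[str]]:
    """Map each vulnerable package to the lowest version that closes all of its advisories.
    None means at least one advisory has no fixed release, so no upgrade helps yet."""
    targets: Dict[str, Optional[str]] = {}
    for dep in dependencies(json.loads(report_json)):
        needed = []
        for vuln in dep.get("vulns", []):
            fixes = vuln.get("fix_versions") or []
            # the minimal fix for this advisory, or None when nothing is published yet
            needed.append(min(fixes, key=parse_version) if fixes else None)
        if needed:
            targets[dep["name"]] = None if None in needed else max(needed, key=parse_version)
    return targets

def ci_verdict(report_json: str) -> Tuple[bool, List[str]]:
    """CI gate: any known vulnerability fails the build; messages say what to do."""
    msgs = []
    for name, target in upgrade_targets(report_json).items():
        msgs.append(f"{name}: vulnerable, no fixed release published yet" if target is None
                    else f"{name}: upgrade to >= {target}")
    return (not msgs, msgs)

if __name__ == "__main__":
    ok, msgs = ci_verdict(SAMPLE_REPORT)
    print("\n".join(msgs) or "no known vulnerabilities")
    raise SystemExit(0 if ok else 1)
```

In a pipeline you would pipe the real report in (`pip-audit -f json > report.json`) and let the non-zero exit status fail the job.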

which audit tool to use in your project?

The answer to this question depends on your needs and constraints. Here are some considerations to take into account when making your decision.

  • safety has a company behind it that dedicates its time to finding vulnerabilities in Python packages ahead of the official CVE publication.
  • To make the best use of safety, i.e. to have the most up-to-date vulnerability database, you should use a paid plan. You need to be sure you or your company has the budget for that.
  • pip-audit is more open than safety, since the database it relies on is managed transparently for all users.
  • pip-audit suggests a fix version for each vulnerability it finds; safety doesn't, unless you subscribe to a paid plan.
  • pip-audit may be integrated into pip in the future.

Kevin Tewouda

Cameroonian deserter now living in France. Passionate about programming, sport, cinema and manga. I write in French and in English because of my origins.