Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Provide example schema for PyPI vulnerability service

See original GitHub issue

The current plan is to extend the release endpoint to provide vulnerability information for a given release. We should provide an example schema that has all the information that we need for pip-audit.

Issue Analytics

State:
Created 2 years ago
Comments:10 (10 by maintainers)

Top GitHub Comments

1reaction

dicommented, Oct 20, 2021

This is now live:

$ curl -s https://pypi.org/pypi/blackduck/0.0.25/json | jq ".vulnerabilities"
[
  {
    "aliases": [
      "CVE-2020-27589"
    ],
    "details": "Synopsys hub-rest-api-python (aka blackduck on PyPI) version 0.0.25 - 0.0.52 does not validate SSL certificates in certain cases.",
    "fixed_in": [
      "0.0.53"
    ],
    "id": "PYSEC-2020-26",
    "link": "https://osv.dev/vulnerability/PYSEC-2020-26",
    "source": "osv"
  }
]

1reaction

dicommented, Oct 13, 2021

This is probably going to look more like:

{
  "vulns": {
    "1.0": [],
    "1.2.0": [
      {
        "id": "PYSEC-1",
        "details": "The first vulnerability",
        "link": "https://osv.dev/vulnerability/PYSEC-1",
        "aliases": [
          "CVE-2020-36242"
        ],
        "ranges": [
          {
            "introduced": "3.1",
            "fixed": "3.3.2"
          }
        ]
      }
    ]
  }
}

Will that work?

Top Results From Across the Web

PyPI security pitfalls and steps towards a secure Python ...

PSF is improving Python supply chain security, but gaps still exist. Learn the tools and techniques to avoid PyPI security pitfalls.

safety - PyPI

Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected. Safety can be run on ...

How to find third-party vulnerabilities in your Python code

Learn how to use the pip-audit tool to find CVE advisories issued for Python modules you're using in your project.

Phony PyPi package imitates known developer - Snyk

A recent interesting finding in the Python Package Index (PyPi) attempted to imitate a known open source developer through identity spoofing.

Proposing a community maintained database of PyPI package ...

Hi! I'm from Google and my team has been working on some efforts to improve vulnerability management for open source packages.