A curated database of insecure Python packages
[![safety](https://raw.githubusercontent.com/pyupio/safety-db/master/safety-db.jpg)](https://pyup.io/safety/)
## What is Safety DB?
Safety DB is a database of known security vulnerabilities in Python packages. The data is made available by [pyup.io](https://pyup.io/) and synced with this repository once per month. Most of the entries are found by filtering CVEs and changelogs for certain keywords and then manually reviewing them.
## Tools
- [Safety CI](https://pyup.io/safety/ci/) is a deep GitHub integration that's available on pyup.io. It checks your commits and Pull Requests.
- [Safety](https://pyup.io/safety/) is a command line tool that checks virtual environments and requirements files, either locally or on a CI server.
- [Safety Django](https://pyup.io/safety/django/) is a package for Django that warns you in the admin area if your installed Django release is insecure.
- [Safety Bar](https://github.com/pyupio/safety-bar) (alpha) is a macOS menubar application.
- A [pre-commit hook](https://github.com/Lucas-C/pre-commit-hooks-safety) by Lucas Cimon.
- [`pipenv check`](https://pipenv.readthedocs.io/en/latest/advanced/#detection-of-security-vulnerabilities) relies on `safety` and Safety DB to check for known vulnerabilities in locked components.
- *your tool?*
## Installation
```sh
pip install safety-db
```
## Usage
```python
from safety_db import INSECURE, INSECURE_FULL
```
## What is this not?
This is not a hall of shame, or a list of packages to avoid. The package maintainers show a great responsibility by documenting and fixing security issues in such a way that they can be listed here. That's extremely valuable when considering using a package in production.
## Using this data
For humans:
- There's a small website available that lets you browse the data: https://pyupio.github.io/safety-db/
For robots:
Check out the `data` directory:
- [insecure.json](https://github.com/pyupio/safety-db/blob/master/data/insecure.json) contains just the package name and all insecure releases as a plain list.
- [insecure_full.json](https://github.com/pyupio/safety-db/blob/master/data/insecure_full.json) additionally contains the CVE description and URLs, or the relevant part of the changelog.
The database is licensed under [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). This allows you to use the data in any non-commercial project as long as you link back to this repo. If you need a license for a commercial project, please contact support@pyup.io.
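The `INSECURE` mapping imported in the Usage section has the same shape as `insecure.json` described above: package name to a list of version specifiers covering the insecure releases. The following example, which is not part of the safety-db project, matches pinned requirements against such a mapping; the database contents and the requirements text are constructed samples, and the version comparison is a simplified stand-in for full PEP 440 handling.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of data/insecure.json (or safety_db.INSECURE):
# package name -> specifiers describing the insecure releases. Values are made up.
SAMPLE_INSECURE: Dict[str, List[str]] = {
    "examplepkg": ["<1.2.0", ">=2.0,<2.0.3"],
    "otherlib": ["<0.9"],
}

_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}

def _key(version: str) -> tuple:
    """Comparison key: '2.0.3' -> (2, 0, 3). Trailing zeros are stripped so that
    '2.0' == '2.0.0'. Simplified: pre-release/post-release tags are ignored."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def _matches(version: str, spec: str) -> bool:
    """True when `version` satisfies every comma-separated clause of `spec`,
    e.g. '>=2.0,<2.0.3' (the form used in insecure.json)."""
    for clause in spec.split(","):
        m = re.match(r"\s*(<=|>=|==|!=|<|>)\s*([\w.]+)\s*$", clause)
        if not m:
            raise ValueError(f"unsupported specifier: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](_key(version), _key(bound)):
            return False
    return True

def parse_pins(requirements_text: str) -> Dict[str, str]:
    """name -> version for the '==' pinned lines of a requirements file;
    comments and unpinned lines are skipped (only exact pins can be judged)."""
    pins = {}
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9_.-]+)\s*==\s*([\w.]+)$", line)
        if m:
            pins[m.group(1)] = m.group(2)
    return pins

def find_insecure(installed: Dict[str, str], db: Dict[str, List[str]]) -> Dict[str, str]:
    """Return {package: matching specifier} for every pin inside an insecure range.
    Names are lower-cased on both sides so 'Django' and 'django' compare equal."""
    norm = {name.lower(): specs for name, specs in db.items()}
    return {name: spec for name, version in installed.items()
            for spec in norm.get(name.lower(), []) if _matches(version, spec)}
```

In a real check, replace `SAMPLE_INSECURE` with `safety_db.INSECURE` and the constructed text with the contents of your requirements file.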
Project details: the release on this page is `safety-db` 2018.7.24, published as the source distribution `safety-db-2018.7.24.tar.gz` (118.1 kB) and the built distribution `safety_db-2018.7.24-py2.py3-none-any.whl`.