Fetches security vulnerabilities and creates pip-constraints based on them.

Project description

security-constraints

Security-constraints is a command-line application that fetches known security vulnerabilities in Python packages from external sources and generates pip version constraints from them, so that the affected versions are excluded.

The constraints can then be given to pip install with the -c option, either on the command line or in a requirements file.

Installation

Just install it with pip:

pip install security-constraints

Usage

The environment variable SC_GITHUB_TOKEN needs to be set to a valid GitHub token which provides read access to public repositories. This is needed in order to access GitHub Security Advisory. Once this is set, you can simply run the program to output safe pip constraints to stdout.

>security-constraints
# Generated by security-constraints 1.0.0 on 2022-11-04T08:33:54.523625Z
# Data sources: Github Security Advisory
# Configuration: {'ignore_ids': [], 'min_severity': 'CRITICAL'}
...
vncauthproxy>=1.2.0  # CVE-2022-36436 (ID: GHSA-237r-mx84-7x8c)
waitress!=1.4.2  # CVE-2020-5236 (ID: GHSA-73m2-3pwg-5fgc)
waitress>=1.4.0  # GHSA-4ppp-gpcr-7qf6 (ID: GHSA-4ppp-gpcr-7qf6)
ymlref>0.1.1  # CVE-2018-20133 (ID: GHSA-8r8j-xvfj-36f9)
>

You can use --output to instead output to a file.

>security-constraints --output constraints.txt
>cat constraints.txt
# Generated by security-constraints 1.0.0 on 2022-11-04T08:33:54.523625Z
# Data sources: Github Security Advisory
# Configuration: {'ignore_ids': [], 'min_severity': 'CRITICAL'}
...
vncauthproxy>=1.2.0  # CVE-2022-36436 (ID: GHSA-237r-mx84-7x8c)
waitress!=1.4.2  # CVE-2020-5236 (ID: GHSA-73m2-3pwg-5fgc)
waitress>=1.4.0  # GHSA-4ppp-gpcr-7qf6 (ID: GHSA-4ppp-gpcr-7qf6)
ymlref>0.1.1  # CVE-2018-20133 (ID: GHSA-8r8j-xvfj-36f9)
>

You can provide a space-separated list of IDs of vulnerabilities that should be ignored. The IDs in question are those that appear after ID: in the comments of the output.

>security-constraints --ignore-ids GHSA-4ppp-gpcr-7qf6 GHSA-8r8j-xvfj-36f9
# Generated by security-constraints 1.0.0 on 2022-11-04T08:33:54.523625Z
# Data sources: Github Security Advisory
# Configuration: {'ignore_ids': ['GHSA-4ppp-gpcr-7qf6', 'GHSA-8r8j-xvfj-36f9'], 'min_severity': 'CRITICAL'}
...
vncauthproxy>=1.2.0  # CVE-2022-36436 (ID: GHSA-237r-mx84-7x8c)
waitress!=1.4.2  # CVE-2020-5236 (ID: GHSA-73m2-3pwg-5fgc)
>

The IDs to ignore can also be given in a configuration file using --config. To create an initial configuration file, you can use --dump-config. This dumps the current configuration (including any --ignore-ids passed) to stdout and then exits; redirect it into a file to create an initial configuration file. The configuration file is in YAML format.

>security-constraints --ignore-ids GHSA-4ppp-gpcr-7qf6 GHSA-8r8j-xvfj-36f9 --dump-config > sc_config.yaml
>cat sc_config.yaml
ignore_ids:
- GHSA-4ppp-gpcr-7qf6
- GHSA-8r8j-xvfj-36f9
min_severity: CRITICAL
>security-constraints --config sc_config.yaml
# Generated by security-constraints 1.0.0 on 2022-11-04T08:33:54.523625Z
# Data sources: Github Security Advisory
# Configuration: {'ignore_ids': ['GHSA-4ppp-gpcr-7qf6', 'GHSA-8r8j-xvfj-36f9'], 'min_severity': 'CRITICAL'}
...
vncauthproxy>=1.2.0  # CVE-2022-36436 (ID: GHSA-237r-mx84-7x8c)
waitress!=1.4.2  # CVE-2020-5236 (ID: GHSA-73m2-3pwg-5fgc)
>

By default, security-constraints fetches all security vulnerabilities with severity "CRITICAL" or higher (as understood by GitHub Security Advisory). The minimum severity can be configured using the option --min-severity or by setting min_severity in the config file (if both are set, their common minimum, i.e. the lower of the two, is used).

>security-constraints --min-severity high
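The steps above (severity threshold, merging of the CLI and config thresholds, ignored IDs, and one constraint line per advisory in the output format shown) can be illustrated in a few lines of Python. The block below is an added example written for this page, not the project's own code: the Advisory records are constructed with placeholder identifiers, and the rules for turning a GHSA-style vulnerable range into a pip specifier (prefer the first patched version, otherwise invert the upper bound) are assumptions chosen to reproduce the shapes seen in the sample output (`>=`, `!=`, `>`).

```python
"""Illustrative reimplementation of the constraint-generation steps described
in the security-constraints README. Not the project's code; advisory data and
the range-to-constraint rules are assumptions made for this example."""
from __future__ import annotations

from dataclasses import dataclass

# GitHub Security Advisory severity levels, lowest to highest.
SEVERITY_RANK = {"LOW": 0, "MODERATE": 1, "HIGH": 2, "CRITICAL": 3}


@dataclass(frozen=True)
class Advisory:
    ghsa_id: str
    package: str
    severity: str
    vulnerable_range: str            # GHSA style, e.g. "< 1.2.0", "= 1.4.2"
    first_patched: str | None = None  # first version that fixes the issue
    cve: str | None = None


def effective_min_severity(cli: str | None, config: str | None) -> str:
    """Both --min-severity and min_severity set: the lower one wins (the
    README's "common minimum"). One set: use it. Neither: default CRITICAL."""
    candidates = [s.upper() for s in (cli, config) if s]
    if not candidates:
        return "CRITICAL"
    return min(candidates, key=SEVERITY_RANK.__getitem__)


def range_to_constraint(adv: Advisory) -> str:
    """Derive a pip specifier that excludes the vulnerable range.
    Assumed rules: use the first patched version when known; otherwise
    invert the last (upper) bound of the range."""
    if adv.first_patched:
        return f"{adv.package}>={adv.first_patched}"
    upper = adv.vulnerable_range.split(",")[-1].strip()
    op, _, version = upper.partition(" ")
    inverse = {"=": "!=", "<=": ">", "<": ">="}
    if op not in inverse:
        raise ValueError(f"unsupported range for {adv.ghsa_id}: {upper!r}")
    return f"{adv.package}{inverse[op]}{version}"


def generate_constraints(advisories, min_severity="CRITICAL", ignore_ids=()):
    """Return constraint lines in the README's output format, skipping
    ignored IDs and advisories below the severity threshold."""
    ignored = set(ignore_ids)
    threshold = SEVERITY_RANK[min_severity.upper()]
    lines = []
    for adv in sorted(advisories, key=lambda a: (a.package, a.ghsa_id)):
        if adv.ghsa_id in ignored or SEVERITY_RANK[adv.severity] < threshold:
            continue
        label = adv.cve or adv.ghsa_id  # CVE if assigned, else the GHSA ID
        lines.append(f"{range_to_constraint(adv)}  # {label} (ID: {adv.ghsa_id})")
    return lines


# Constructed sample advisories with placeholder IDs (not real advisories).
SAMPLE_ADVISORIES = [
    Advisory("GHSA-aaaa-bbbb-cccc", "examplepkg", "CRITICAL", "< 1.2.0",
             first_patched="1.2.0", cve="CVE-0000-00001"),
    Advisory("GHSA-dddd-eeee-ffff", "otherpkg", "HIGH", "= 2.0.1"),
    Advisory("GHSA-gggg-hhhh-iiii", "otherpkg", "MODERATE", ">= 1.0.0, < 1.0.5"),
    Advisory("GHSA-jjjj-kkkk-llll", "thirdpkg", "CRITICAL", "<= 0.3.1"),
]

if __name__ == "__main__":
    threshold = effective_min_severity("high", "CRITICAL")  # -> HIGH
    print("\n".join(generate_constraints(SAMPLE_ADVISORIES, threshold)))
```

Two points worth keeping in mind when feeding such a file to pip with -c: a constraints file only restricts the versions of packages that are being installed anyway, it never adds a package, and an ignored ID silently drops the corresponding constraint, so the ignore list in sc_config.yaml should be reviewed as carefully as the constraints themselves.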

Contributing

Pull requests as well as new issues are welcome.

Code style: black


Download files

Source Distribution

security-constraints-1.2.1.tar.gz (30.5 kB)

Uploaded Source

Built Distribution

security_constraints-1.2.1-py3-none-any.whl (19.3 kB)

Uploaded Python 3

File details

Details for the file security-constraints-1.2.1.tar.gz.

File metadata

  • Download URL: security-constraints-1.2.1.tar.gz
  • Size: 30.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.0.0 CPython/3.12.2

File hashes

Hashes for security-constraints-1.2.1.tar.gz
Algorithm Hash digest
SHA256 dc341663b850dea3ebaef10e554a10ccf00366625cb8ea05e95fc25209687293
MD5 b0285a082f1ab837e561c97392ff023b
BLAKE2b-256 a06721ea235f14d539e6de557acb9d9caa738a5f6a4a46eaa2e0c0378f1f59c9

File details

Details for the file security_constraints-1.2.1-py3-none-any.whl.

File metadata

File hashes

Hashes for security_constraints-1.2.1-py3-none-any.whl
Algorithm Hash digest
SHA256 a8c6bed200d2364cd6e23ef3420d836286f742e5c5fd5c7274d1348fedfb8194
MD5 5d525bfb45324de6e80ee9d4c62ddcec
BLAKE2b-256 bf56046c1b0560a4e85630f703f1efc60d9741110b9a397afbf10bcac87f305b
