Fetches security vulnerabilities and creates pip-constraints based on them.
Project description
security-constraints
Security-constraints is a command-line application used to fetch security vulnerabilities in Python packages from external sources and from them generate version constraints for the packages.
The constraints can then be given to pip install with the -c option, either on the command line or in a requirements file.
Installation
Just install it with pip:
pip install security-constraints
Usage
The environment variable SC_GITHUB_TOKEN needs to be set to a valid GitHub token which provides read access to public repositories. This is needed in order to access GitHub Security Advisory. Once this is set, you can simply run the program to output safe pip constraints to stdout.
>security-constraints
# Generated by security-constraints on 2022-11-04T08:33:54.523625
# Data sources: Github Security Advisory
# Configuration: {'ignore_ids': []}
...
vncauthproxy<0,>=1.2.0 # CVE-2022-36436 (ID: GHSA-237r-mx84-7x8c)
waitress!=1.4.2 # CVE-2020-5236 (ID: GHSA-73m2-3pwg-5fgc)
waitress>=1.4.0 # GHSA-4ppp-gpcr-7qf6 (ID: GHSA-4ppp-gpcr-7qf6)
ymlref>0.1.1 # CVE-2018-20133 (ID: GHSA-8r8j-xvfj-36f9)
>
You can use --output to write the constraints to a file instead.
>security-constraints --output constraints.txt
>cat constraints.txt
# Generated by security-constraints on 2022-11-04T08:33:54.523625
# Data sources: Github Security Advisory
# Configuration: {'ignore_ids': []}
...
vncauthproxy<0,>=1.2.0 # CVE-2022-36436 (ID: GHSA-237r-mx84-7x8c)
waitress!=1.4.2 # CVE-2020-5236 (ID: GHSA-73m2-3pwg-5fgc)
waitress>=1.4.0 # GHSA-4ppp-gpcr-7qf6 (ID: GHSA-4ppp-gpcr-7qf6)
ymlref>0.1.1 # CVE-2018-20133 (ID: GHSA-8r8j-xvfj-36f9)
>
You can provide a space-separated list of IDs of vulnerabilities that should be ignored. The IDs in question are those that appear after ID: in the comments in the output.
>security-constraints --ignore-ids GHSA-4ppp-gpcr-7qf6 GHSA-8r8j-xvfj-36f9
# Generated by security-constraints on 2022-11-04T08:33:54.523625
# Data sources: Github Security Advisory
# Configuration: {'ignore_ids': ['GHSA-4ppp-gpcr-7qf6', 'GHSA-8r8j-xvfj-36f9']}
...
vncauthproxy<0,>=1.2.0 # CVE-2022-36436 (ID: GHSA-237r-mx84-7x8c)
waitress!=1.4.2 # CVE-2020-5236 (ID: GHSA-73m2-3pwg-5fgc)
>
The IDs to ignore can also be given in a configuration file using --config. To create an initial configuration file, you can use --dump-config. This will dump the current configuration (including any --ignore-ids passed) to stdout and then exit. You can redirect this into a file to create an initial configuration file. The configuration file is in YAML format.
>security-constraints --ignore-ids GHSA-4ppp-gpcr-7qf6 GHSA-8r8j-xvfj-36f9 --dump-config > sc_config.yaml
>cat sc_config.yaml
ignore_ids:
- GHSA-4ppp-gpcr-7qf6
- GHSA-8r8j-xvfj-36f9
>security-constraints --config sc_config.yaml
# Generated by security-constraints on 2022-11-04T08:33:54.523625
# Data sources: Github Security Advisory
# Configuration: {'ignore_ids': ['GHSA-4ppp-gpcr-7qf6', 'GHSA-8r8j-xvfj-36f9']}
...
vncauthproxy<0,>=1.2.0 # CVE-2022-36436 (ID: GHSA-237r-mx84-7x8c)
waitress!=1.4.2 # CVE-2020-5236 (ID: GHSA-73m2-3pwg-5fgc)
>
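As an added example (not code from the security-constraints project), the script below parses constraint lines in the format shown above and audits a set of pinned versions against them offline, so a lock file can be checked against the advisories before anything is installed. The constraint text and the pins are constructed samples taken from the README output; the version comparison is a simplified numeric one, not full PEP 440.

```python
import re

# Constructed sample: the constraint lines shown in the README output above.
CONSTRAINTS = """\
# Generated by security-constraints on 2022-11-04T08:33:54.523625
# Data sources: Github Security Advisory
waitress!=1.4.2 # CVE-2020-5236 (ID: GHSA-73m2-3pwg-5fgc)
waitress>=1.4.0 # GHSA-4ppp-gpcr-7qf6 (ID: GHSA-4ppp-gpcr-7qf6)
ymlref>0.1.1 # CVE-2018-20133 (ID: GHSA-8r8j-xvfj-36f9)
"""
# Constructed sample: pins from a lock file to audit against those constraints.
PINS = {"waitress": "1.4.2", "ymlref": "0.1.1", "requests": "2.28.1"}

# "<name><specifier> # <advisory>"; the name stops at the first operator character.
LINE_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)(?P<spec>[^#\s]+)\s*#\s*(?P<advisory>.*)$")
# One clause of a comma-separated specifier, e.g. ">=1.2.0" (operators seen in the output).
CLAUSE_RE = re.compile(r"(==|!=|<=|>=|<|>)\s*([0-9][0-9.]*)")
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
       "<": lambda a, b: a < b, ">": lambda a, b: a > b}

def parse_version(v):
    """Simplified key: numeric dotted versions, trailing zeros dropped (no pre-releases)."""
    parts = [int(p) if p.isdigit() else 0 for p in v.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def parse_constraints(text):
    """Map package name -> [(specifier, advisory comment)] from security-constraints output."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # header/comment lines do not match and are skipped
            out.setdefault(m["name"].lower(), []).append((m["spec"], m["advisory"]))
    return out

def satisfies(version, spec):
    """True if version meets every clause of the specifier (clauses are ANDed)."""
    v = parse_version(version)
    return all(OPS[op](v, parse_version(ver)) for op, ver in CLAUSE_RE.findall(spec))

def audit(pins, constraints_text):
    """Return (package, pinned version, violated specifier, advisory) for each unsafe pin."""
    constraints = parse_constraints(constraints_text)
    return [(name, ver, spec, adv) for name, ver in pins.items()
            for spec, adv in constraints.get(name.lower(), []) if not satisfies(ver, spec)]

if __name__ == "__main__":
    for name, ver, spec, adv in audit(PINS, CONSTRAINTS):
        print(f"{name}=={ver} violates {spec}  # {adv}")
```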
Contributing
Pull requests as well as new issues are welcome.
Hashes for security-constraints-1.0.0.tar.gz
Algorithm | Hash digest
---|---
SHA256 | f8e83d5b000508fbdbf2bde86b3ccd6c2ccd54600b0c8ad22de538ddbe97215c
MD5 | 44183acbecf93cc008b98a66d24c29e1
BLAKE2b-256 | 83e379293e62ea3480916e8a4040b5013214ef7bd4f927050dfeb461e986fd3b
Hashes for security_constraints-1.0.0-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | 3bd40a6e34a773adf15051050d4edca31d6912e5603949aa0b3d16860a113cf3
MD5 | 096905a4752c7d077d6f74d9577ddae3
BLAKE2b-256 | f52673d0bba30ea5df92a7e825ace1a5e4c9a8f45961eab75600dd53fa078865