security-dependency-pinning 1.0.2

A repository dedicated to maintaining a secure, stable environment by pinning critical library versions

security_dependency_pinning

Version v1.0.2 as of 2024-10-02 see Changelog

A repository dedicated to maintaining a secure, stable environment by pinning critical library versions to protect against vulnerabilities and ensure compatibility.

Purpose

The repository is specifically designed to:

• Ensure a Secure Environment: By pinning specific versions of critical libraries, the repository helps in safeguarding against potential security threats by avoiding the use of versions known to have vulnerabilities.

• Maintain Stability: Stability in the software environment is ensured by using tested and proven versions of libraries, reducing the risk of crashes or errors due to incompatible library updates.

• Prevent Compatibility Issues: Compatibility among various libraries and dependencies is crucial for the smooth operation of software projects. Pinning versions help in avoiding conflicts that might arise from updates in dependencies.

• Protect Against Vulnerabilities: The focus on pinning critical libraries is also to protect the software from vulnerabilities that could be exploited if newer, untested versions of the libraries are used.

Key Considerations

• The practice of pinning should be applied judiciously, focusing on libraries that are critical for security and operational stability.

• Regular review of pinned versions is necessary to ensure that updates addressing security vulnerabilities are incorporated in a timely manner, without compromising the stability of the software environment.

• Coordination among team members is essential to manage the pinned versions effectively and to ensure that all aspects of the software’s dependencies are considered.

Conclusion

Security dependency pinning is a foundational practice in maintaining the integrity, security, and reliability of software projects. By adhering to this practice, developers can significantly reduce the risk of introducing security vulnerabilities and compatibility issues into their projects.

---

automated tests, Github Actions, Documentation, Badges, etc. are managed with PizzaCutter (cookiecutter on steroids)

Python version required: 3.8.0 or newer

tested on recent linux with python 3.8, 3.9, 3.10, 3.11, 3.12, pypy-3.9, pypy-3.10 - architectures: amd64

100% code coverage, flake8 style checking ,mypy static type checking ,tested under Linux, macOS, Windows, automatic daily builds and monitoring

---

• Usage

• Usage from Commandline

• Installation and Upgrade

• Requirements

• Acknowledgements

• Contribute

• Report Issues

• Pull Request

• Code of Conduct

• License

• Changelog

---

Usage

Incorporate the security_dependency_pinning library into your project’s requirements. As a result, the versions of the following libraries will be explicitly specified and maintained:

## Project Requirements
click
toml
## security pinnings
# not directly required, pinned to avoid vulnerability CVE-2023-37920
certifi>=2024.2.2
# not directly required, pinned to avoid vulnerability CVE-2023-5752
pip>=24.0
# not directly required, pinned to avoid vulnerability CVE-2023-43804, CVE-2023-45803
urllib3>=2.2.0
# not directly required, pinned to avoid vulnerability CVE-2023-27522
uwsgi>=2.0.21 ; sys_platform != 'win32'
# not directly required, pinned to avoid vulnerability CVE-2024-5569
zipp>=3.19.1
# not directly required, pinned to avoid Always-Incorrect Control Flow Implementation
requests[security]>=2.32.0

Usage from Commandline

Usage: security_dependency_pinning [OPTIONS] COMMAND [ARGS]...

  A repository dedicated to maintaining a secure, stable environment by
  pinning critical library versions

Options:
  --version                     Show the version and exit.
  --traceback / --no-traceback  return traceback information on cli
  -h, --help                    Show this message and exit.

Commands:
  info  get program information

Installation and Upgrade

• Before You start, its highly recommended to update pip:

python -m pip --upgrade pip

• to install the latest release from PyPi via pip (recommended):

python -m pip install --upgrade security_dependency_pinning

• to install the latest release from PyPi via pip, including test dependencies:

python -m pip install --upgrade security_dependency_pinning[test]

• to install the latest version from github via pip:

python -m pip install --upgrade git+https://github.com/bitranox/security_dependency_pinning.git

• include it into Your requirements.txt:

# Insert following line in Your requirements.txt:
# for the latest Release on pypi:
security_dependency_pinning

# for the latest development version :
security_dependency_pinning @ git+https://github.com/bitranox/security_dependency_pinning.git

# to install and upgrade all modules mentioned in requirements.txt:
python -m pip install --upgrade -r /<path>/requirements.txt

• to install the latest development version, including test dependencies from source code:

# cd ~
$ git clone https://github.com/bitranox/security_dependency_pinning.git
$ cd security_dependency_pinning
python -m pip install -e .[test]

• via makefile: makefiles are a very convenient way to install. Here we can do much more, like installing virtual environments, clean caches and so on.

# from Your shell's homedirectory:
$ git clone https://github.com/bitranox/security_dependency_pinning.git
$ cd security_dependency_pinning

# to run the tests:
$ make test

# to install the package
$ make install

# to clean the package
$ make clean

# uninstall the package
$ make uninstall

Requirements

following modules will be automatically installed :

## Project Requirements
click
toml
## security pinnings
# not directly required, pinned to avoid vulnerability CVE-2023-37920
certifi>=2024.2.2
# not directly required, pinned to avoid vulnerability CVE-2023-5752
pip>=24.0
# not directly required, pinned to avoid vulnerability CVE-2023-43804, CVE-2023-45803
urllib3>=2.2.0
# not directly required, pinned to avoid vulnerability CVE-2023-27522
uwsgi>=2.0.21 ; sys_platform != 'win32'
# not directly required, pinned to avoid vulnerability CVE-2024-5569
zipp>=3.19.1
# not directly required, pinned to avoid Always-Incorrect Control Flow Implementation
requests[security]>=2.32.0

Acknowledgements

• special thanks to “uncle bob” Robert C. Martin, especially for his books on “clean code” and “clean architecture”

Contribute

I would love for you to fork and send me pull request for this project. - please Contribute

License

This software is licensed under the MIT license

—

Changelog

• new MAJOR version for incompatible API changes,

• new MINOR version for added functionality in a backwards compatible manner

• new PATCH version for backwards compatible bug fixes

v1.0.2

2024-10-01:

• zipp>=3.19.1

• requests>=2.32.0

• setup python@v5

• codecov token

• graalpy and jupyter is not supported because of uwsgi pinning

v1.0.1

2024-10-01:

• do not import uwsgi on windows and platform implementations other then cpython, for graalpy 24.1 and jupyter

• zipp>=3.19.1

• requests>=2.32.0

• add graalpy tests

• setup python@v5

• codecov token

v1.0.0

2024-03-01: Initial release

certifi>=2024.2.2 # pinned to avoid vulnerability CVE-2023-37920 pip>=24.0 # pinned to avoid vulnerability CVE-2023-5752 uwsgi>=2.0.21; sys_platform != ‘win32’ # pinned to avoid vulnerability CVE-2023-27522 urllib3>=2.2.0 # pinned to avoid vulnerability CVE-2023-43804, CVE-2023-45803