Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/pypa/advisory-database
Advisory database for Python packages published on pypi.org
https://github.com/pypa/advisory-database
Last synced: 9 days ago
JSON representation
Advisory database for Python packages published on pypi.org
- Host: GitHub
- URL: https://github.com/pypa/advisory-database
- Owner: pypa
- License: cc-by-4.0
- Created: 2021-06-01T21:03:32.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2024-10-29T17:03:42.000Z (about 1 month ago)
- Last Synced: 2024-10-29T18:30:27.687Z (about 1 month ago)
- Homepage:
- Size: 5.9 MB
- Stars: 260
- Watchers: 30
- Forks: 60
- Open Issues: 13
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-software-supply-chain-security - pypa/advisory-database - ![GitHub stars](https://img.shields.io/github/stars/pypa/advisory-database?style=flat-square) - Advisory database for Python packages published on pypi.org (Vulnerabilities Database & Tools)
README
# Python Packaging Advisory Database
This is community owned repository of advisories for packages published on
.Advisories live in the [vulns](vulns/) directory and use a YAML encoding of
a [simple format](https://ossf.github.io/osv-schema/).## Contributing advisories
### Making a pull request
Existing entries can be edited by simply creating a pull request.
To introduce a new entry, create a pull request with a new file that has a name
matching `PYSEC-0000-.yaml`. This will be later picked up by
automation to allocate a proper ID once merged.You can validate the structure of your YAML file by running:
```bash
pipx run check-jsonschema --schemafile https://raw.githubusercontent.com/ossf/osv-schema/main/validation/schema.json
```### Triage process
Much of the existing set of vulnerabilities are collected from the
[NVD CVE](https://nvd.nist.gov/vuln/data-feeds) feed.We use [this tool](https://github.com/google/osv/tree/master/vulnfeeds), which
performs a lot of heuristics to match CVEs with exact Python packages and
versions (which is a difficult problem!) and a small amount of human triage to
generate the `.yaml` entries here.## Using this data
### Marking specific attributes as vulnerable
To help with reducing false positive matches, entries in this database can include details on specific code elements of a package that are vulnerable.
OSV entries in this database have the following [`ecosystem_specific`](https://ossf.github.io/osv-schema/#affectedecosystem_specific-field) definition to encode this:```json
"ecosystem_specific": {
"imports": [
{
"attribute": string,
"modules": [ string ],
}
]
}
```"imports" is a JSON array containing the modules and attributes affected by the vulnerability...
For example, a vulnerability that affects PIL::ImageFont can be represented as...```json
"imports": [
{
"attribute": "ImageFont",
"modules": ["PIL"]
}
]
```which is equivalent to `PIL:ImageFont`. If a second attribute `ImageFont2` is also affected, then a second import entry needs to be added to the `imports` array.
```json
"imports": [
{ "attribute": "ImageFont", "modules": ["PIL"] },
{ "attribute": "ImageFont2", "modules": ["PIL"] }
]
```Attributes which are accessible via multiple paths may be represented in a condensed form. Consider the attribute `django.db.models:JSONField` from the [django project](https://github.com/django/django/blob/0ee2b8c326d47387bacb713a3ab369fa9a7a22ee/django/db/models/__init__.py#L99).
The attribute `django.db.models:JSONField` is a re-export of `django.db.models.fields.json:JSONField` and both are valid paths.
These can be condensed to a more compact OSV representation as:```json
{
"attribute": "JSONField",
"modules": ["django.db.models", "django.db.models.fields.json"]
}
```### Tooling
This data is exposed by [`pip-audit`](https://github.com/pypa/pip-audit),
which provides a CLI for resolving Python dependencies in an environment
or project and identifying known vulnerabilities:```bash
python -m pip install pip-audit
python -m pip-audit -r requirements.txt
```You can also use [`pypa/gh-action-pip-audit`](https://github.com/pypa/gh-action-pip-audit)
on GitHub Actions:```yaml
jobs:
pip-audit:
steps:
- uses: pypa/[email protected]
with:
inputs: requirements.txt
```### APIs
Vulnerabilities are integrated into the
[Open Source Vulnerabilities](https://osv.dev) project, which provides an API to
query for vulnerabilities like so:```bash
$ curl -X POST -d \
'{"version": "2.4.1", "package": {"name": "jinja2", "ecosystem": "PyPI"}}' \
"https://api.osv.dev/v1/query"
```This data has also been integrated into the
[PyPI JSON API](https://warehouse.pypa.io/api-reference/json.html#known-vulnerabilities).## Code of Conduct
Everyone interacting with this project is expected to follow the
[PSF Code of Conduct](https://github.com/pypa/.github/blob/main/CODE_OF_CONDUCT.md).