Connect with us

Business

Pip-audit: Google-backed tool probes Python environments for vulnerable packages

Published

on

UPDATED A tool has been launched with support from Google that scans Python environments for packages with known vulnerabilities.

‘Pip-audit’ leverages the PyPI JSON API to compare dependencies against the Python Packaging Advisory Database – a repository of security advisories that in turn collects much of its data from the NVD CVE feed.

Users can alternatively audit dependencies against the Open Source Vulnerabilities (OSV) database.

Dependencies can be audited with system packages included or excluded from the scan, with or without CVE descriptions, and for a given requirements file.

Scan results, which can be presented in JSON format, include package names, version IDs, fixed versions, and CVE descriptions.

The project was developed by William Woodruff and Alex Cameron of Trail of Bits, a New York-based cybersecurity company, with funding from Google and support from Dustin Ingram, senior developer advocate at Google.

Pip-audit 1.0.0 was launched on Wednesday (December 1).

No strings attached

The tool is not the only application that scans for flaws in Python environments, with existing alternatives including SafetySnyk for Python, GitHub’s Dependabot, and OWASP Dependency Check.

Woodruff, the project lead, told The Daily Swig: “We wanted to build a tool that didn’t have any financial or licensing strings attached. Snyk and Safety are wonderful additions to the security ecosystem, but both require some level of paid subscription for their functionality (e.g. access to Safety’s more complete private vulnerability DB).”

They also “wanted something that works well for both humans and machines: a lot of tools (like Dependabot, which is also great) lock tightly into either user or automated workflows”.

Moreover, they wanted pip-audit to eventually be integrated into ‘pip’ itself. “Pip’s support guarantees (e.g., for older Pythons), stringent dependency requirements, and CLI design would have made adapting a previous tool into a serious undertaking,” he explains.

“Finally, we wanted a high quality ‘reference’ tool that consumes PyPI’s recently added vulnerability information. As far as we know, we’re the only tool to do so currently.”

Commenting on a NetSec subreddit unveiling pip-audit, ‘brainphreeze’ praised the tool as “quick and easy to set up and run”. They added: “Good initial results too.”

However, they also observed that “the lack of a severity rating does make the verification step more involved, but this looks to be based on how [the Python Packaging Advisory Database] stores its results”.

Acknowledging this shortcoming, Woodruff said: “We’re looking into being able to better connect PYSEC identifiers to their upstream CVE/NVD/similar records.”

Pip-audit project is one of many open source security initiatives being supported by Google. In recent months, for instance, Google has sponsored security reviews of eight open source projects, and contributed to a National Institute of Standards and Technology (NIST) project focused on creating federal government guidelines for procuring secure software, among other examples.

Source: https://portswigger.net/daily-swig/pip-audit-google-backed-tool-probes-python-environments-for-vulnerable-packages

Advertisement
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO