Home

Awesome

Python Packaging Advisory Database

This is community owned repository of advisories for packages published on https://pypi.org.

Advisories live in the vulns directory and use a YAML encoding of a simple format.

Contributing advisories

Making a pull request

Existing entries can be edited by simply creating a pull request.

To introduce a new entry, create a pull request with a new file that has a name matching PYSEC-0000-<anything>.yaml. This will be later picked up by automation to allocate a proper ID once merged.

You can validate the structure of your YAML file by running:

pipx run check-jsonschema --schemafile https://raw.githubusercontent.com/ossf/osv-schema/main/validation/schema.json <PATH TO YAML FILE>

Triage process

Much of the existing set of vulnerabilities are collected from the NVD CVE feed.

We use this tool, which performs a lot of heuristics to match CVEs with exact Python packages and versions (which is a difficult problem!) and a small amount of human triage to generate the .yaml entries here.

Using this data

Marking specific attributes as vulnerable

To help with reducing false positive matches, entries in this database can include details on specific code elements of a package that are vulnerable. OSV entries in this database have the following ecosystem_specific definition to encode this:

"ecosystem_specific": {
  "imports": [
    { 
       "attribute": string,
       "modules": [ string ],
    }
  ]
}

"imports" is a JSON array containing the modules and attributes affected by the vulnerability... For example, a vulnerability that affects PIL::ImageFont can be represented as...

"imports": [
  {
    "attribute": "ImageFont",
    "modules": ["PIL"]
  }
]

which is equivalent to PIL:ImageFont. If a second attribute ImageFont2 is also affected, then a second import entry needs to be added to the imports array.

"imports": [
  { "attribute": "ImageFont", "modules": ["PIL"] },
  { "attribute": "ImageFont2", "modules": ["PIL"] }
]

Attributes which are accessible via multiple paths may be represented in a condensed form. Consider the attribute django.db.models:JSONField from the django project. The attribute django.db.models:JSONField is a re-export of django.db.models.fields.json:JSONField and both are valid paths. These can be condensed to a more compact OSV representation as:

{
  "attribute": "JSONField",
  "modules": ["django.db.models", "django.db.models.fields.json"]
}

Tooling

This data is exposed by pip-audit, which provides a CLI for resolving Python dependencies in an environment or project and identifying known vulnerabilities:

python -m pip install pip-audit
python -m pip-audit -r requirements.txt

You can also use pypa/gh-action-pip-audit on GitHub Actions:

jobs:
  pip-audit:
    steps:
      - uses: pypa/gh-action-pip-audit@v1.0.8
        with:
          inputs: requirements.txt

APIs

Vulnerabilities are integrated into the Open Source Vulnerabilities project, which provides an API to query for vulnerabilities like so:

$ curl -X POST -d \
          '{"version": "2.4.1", "package": {"name": "jinja2", "ecosystem": "PyPI"}}' \
          "https://api.osv.dev/v1/query"

This data has also been integrated into the PyPI JSON API.

Code of Conduct

Everyone interacting with this project is expected to follow the PSF Code of Conduct.