Note: This database is currently in it's early stages. It's possible that there are false positives and missing packages.
This is an effort to collect all known security vulnerabilities in Python packages and make them available to consume for humans and automated tools.
The data is collected by filtering CVEs and changelogs for certain keywords and then manually reviewing them. Take a look at previous pull requests to see how that looks like.
For humans:
- There's a small website available that lets you browse the data: https://pyupio.github.io/safety-db/
For robots:
Check out the data
directory:
- insecure.json contains just the package name and all insecure releases as a plain list.
- insecure_full.json additionally contains the CVE description and URLs, or the relevant part of the changelog.
The database is licensed under CC BY-NC-SA 4.0. This allows you to use the data in any non commercial project as long as you link back to this repo. If you need a license for a commercial project, please get in touch.
- safety checks your installed dependencies for known security vulnerabilities. To use it, install it in the virtualenv you want to check with
pip install safety
and then runsafety check
. - pyup.io coming soon
- your tool?
If you find this useful, please consider getting a paid pyup.io account. This is what makes projects like this possible.