Python Packaging Advisory Database
This is a community-owned repository of advisories for packages published on https://pypi.org.
Advisories live in the vulns directory and use a YAML encoding of a simple format.
Contributing advisories
Making a pull request
Existing entries can be edited by simply creating a pull request.
To introduce a new entry, create a pull request with a new file that has a name
matching PYSEC-0000-<anything>.yaml. Once merged, it will be picked up by
automation that allocates a proper ID.
Triage process
Much of the existing set of vulnerabilities is collected from the NVD CVE feed.
We use this tool, which applies many heuristics to match CVEs to exact Python
packages and versions (a difficult problem!), together with a small amount of
human triage, to generate the .yaml entries here.
Using this data
Marking specific attributes
It can be helpful to know which specific code elements of a package are vulnerable. This is recorded by adding an imports attribute to the OSV payload: each entry names an affected attribute together with the module paths (starting from the package's top-level module) under which it is reachable. OSV entries in this database use the following ecosystem_specific definition:
"ecosystem_specific": {
  "imports": [
    {
      "attribute": string,
      "modules": [ string ]
    }
  ]
}

"imports" is a JSON array containing the modules and attributes affected by the vulnerability. For example, a vulnerability that affects PIL:ImageFont can be represented as
"imports": [
  {
    "attribute": "ImageFont",
    "modules": ["PIL"]
  }
]

which is equivalent to PIL:ImageFont. If a second attribute ImageFont2 is also affected, then a second import entry needs to be added to the imports array.
"imports": [
  { "attribute": "ImageFont", "modules": ["PIL"] },
  { "attribute": "ImageFont2", "modules": ["PIL"] }
]

Attributes which are accessible via multiple paths may be represented in a condensed form. Consider the attribute django.db.models:JSONField from the django project.
The attribute django.db.models:JSONField is a re-export of django.db.models.fields.json:JSONField and both are valid paths.
These can be condensed to a more compact OSV representation as
{
  "attribute": "JSONField",
  "modules": ["django.db.models", "django.db.models.fields.json"]
}
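The practical use of the imports list is to answer "does my code actually touch the vulnerable attribute?" rather than "do I depend on the package?". The following is an added example, not code from the advisory database project: it expands an entry's imports list (including the condensed multi-module form) into module:attribute paths and then scans a Python source file for imports or attribute accesses that resolve to one of them. The SAMPLE_ENTRY and SAMPLE_SOURCE below are constructed for the example and are not real advisory data; the find_affected_uses helper and its resolution rules are this example's own.

```python
"""Expand an OSV ecosystem_specific.imports list into module:attribute paths
and report which of them a Python source file references.

Added example; not part of pypa/advisory-database. SAMPLE_ENTRY and
SAMPLE_SOURCE are constructed inputs, not real advisory data.
"""
import ast

# Constructed entry mirroring the README's two shapes: a single path
# (PIL:ImageFont) and the condensed form (one attribute, two module paths).
SAMPLE_ENTRY = {
    "ecosystem_specific": {
        "imports": [
            {"attribute": "ImageFont", "modules": ["PIL"]},
            {
                "attribute": "JSONField",
                "modules": ["django.db.models", "django.db.models.fields.json"],
            },
        ]
    }
}

# Constructed source file to scan; exercises "from M import A as X",
# "import M" followed by "M.sub.A", and an unrelated import that must not match.
SAMPLE_SOURCE = """
from PIL import ImageFont as IF
import django.db.models
from django.db.models.fields.json import JSONField
import PIL.ImageDraw

class M(django.db.models.Model):
    data = django.db.models.JSONField()

font = IF.truetype("x.ttf", 12)
draw = PIL.ImageDraw.Draw(None)
"""


def expand_imports(entry):
    """Return the set of 'module:attribute' paths an OSV entry marks as affected.

    The condensed form (one attribute under several modules) expands to one
    path per module, so both JSONField re-export paths come back.
    """
    paths = set()
    for item in entry.get("ecosystem_specific", {}).get("imports", []):
        for module in item["modules"]:
            paths.add(f"{module}:{item['attribute']}")
    return paths


def _dotted_name(node):
    """Flatten a.b.c Attribute chains to 'a.b.c'; None if the base is not a Name."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return ".".join(reversed(parts))


def find_affected_uses(source, affected_paths):
    """Return the affected paths that `source` references.

    Recognised shapes (static only; getattr/importlib are out of scope):
      * from M import A [as X]            -> M:A
      * import M [as X]; then X.sub.A     -> M.sub:A
    """
    tree = ast.parse(source)
    hits = set()
    bound_modules = {}  # local name -> real dotted module it was bound to
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                path = f"{node.module}:{alias.name}"
                if path in affected_paths:
                    hits.add(path)
        elif isinstance(node, ast.Import):
            for alias in node.names:
                if alias.asname:
                    bound_modules[alias.asname] = alias.name
                else:
                    # "import a.b.c" binds only the top-level name "a".
                    top = alias.name.split(".")[0]
                    bound_modules[top] = top
    for node in ast.walk(tree):
        if not isinstance(node, ast.Attribute):
            continue
        dotted = _dotted_name(node)
        if dotted is None:
            continue
        local, _, rest = dotted.partition(".")
        if local not in bound_modules:
            continue
        real = bound_modules[local] + ("." + rest if rest else "")
        module_part, _, attr = real.rpartition(".")
        path = f"{module_part}:{attr}"
        if path in affected_paths:
            hits.add(path)
    return hits


if __name__ == "__main__":
    affected = expand_imports(SAMPLE_ENTRY)
    for path in sorted(find_affected_uses(SAMPLE_SOURCE, affected)):
        print("affected attribute used:", path)
```

Note that the scan only resolves static imports and attribute chains rooted at an imported module name; a re-export through a third module, or access via getattr or importlib, is not tracked, so a "no uses found" result is evidence, not proof.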
Tooling
This data is exposed by pip-audit,
which provides a CLI for resolving Python dependencies in an environment
or project and identifying known vulnerabilities:

python -m pip install pip-audit
python -m pip_audit -r requirements.txt

You can also use pypa/gh-action-pip-audit
on GitHub Actions:

jobs:
  pip-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pypa/gh-action-pip-audit@v1.0.8
        with:
          inputs: requirements.txt

APIs
Vulnerabilities are integrated into the Open Source Vulnerabilities project, which provides an API to query for vulnerabilities like so:
$ curl -X POST -d \
  '{"version": "2.4.1", "package": {"name": "jinja2", "ecosystem": "PyPI"}}' \
  "https://api.osv.dev/v1/query"

This data has also been integrated into the PyPI JSON API.
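The same query from Python, as an added example rather than code from the advisory database or osv.dev projects: build_query produces exactly the payload the curl command above sends, query_osv POSTs it (this needs network access), and summarize pulls the PYSEC ID, aliases and fixed versions out of a standard OSV response (vulns[].id, aliases, affected[].ranges[].events). SAMPLE_RESPONSE is a constructed response with a placeholder ID and package, not a real advisory.

```python
"""Query api.osv.dev for a PyPI package and summarise the OSV response.

Added example; not part of pypa/advisory-database or osv.dev.
SAMPLE_RESPONSE is constructed (placeholder ID and package), not real data.
"""
import json
import urllib.request

OSV_QUERY_URL = "https://api.osv.dev/v1/query"

# Constructed response in the OSV schema shape; the ID reuses the README's
# PYSEC-0000-<anything> placeholder convention and the package is fictional.
SAMPLE_RESPONSE = {
    "vulns": [
        {
            "id": "PYSEC-0000-EXAMPLE",
            "aliases": [],
            "affected": [
                {
                    "package": {"ecosystem": "PyPI", "name": "examplepkg"},
                    "ranges": [
                        {
                            "type": "ECOSYSTEM",
                            "events": [{"introduced": "0"}, {"fixed": "1.0.1"}],
                        }
                    ],
                }
            ],
        }
    ]
}


def build_query(name, version):
    """Same payload as the curl example, for any PyPI package/version."""
    return {"version": version, "package": {"name": name, "ecosystem": "PyPI"}}


def query_osv(name, version, url=OSV_QUERY_URL, timeout=30):
    """POST the query to the OSV API and return the decoded JSON body.

    Performs a real HTTP request; not exercised by the offline sample below.
    """
    req = urllib.request.Request(
        url,
        data=json.dumps(build_query(name, version)).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def summarize(response):
    """Return [(id, aliases, fixed_versions)] for each vuln in an OSV response.

    fixed_versions collects every "fixed" event from the PyPI ECOSYSTEM
    ranges; an empty list means the entry records no fixed release yet.
    """
    summary = []
    for vuln in response.get("vulns", []):
        fixed = []
        for affected in vuln.get("affected", []):
            if affected.get("package", {}).get("ecosystem") != "PyPI":
                continue
            for rng in affected.get("ranges", []):
                if rng.get("type") != "ECOSYSTEM":
                    continue
                for event in rng.get("events", []):
                    if "fixed" in event:
                        fixed.append(event["fixed"])
        summary.append((vuln["id"], list(vuln.get("aliases", [])), fixed))
    return summary


if __name__ == "__main__":
    # Offline demonstration on the constructed response.
    for vuln_id, aliases, fixed in summarize(SAMPLE_RESPONSE):
        print(vuln_id, "aliases:", aliases, "fixed in:", fixed or "no fix recorded")
    # Live query (uncomment to hit the API):
    # print(summarize(query_osv("jinja2", "2.4.1")))
```

An empty vulns list from the API means no advisory is recorded for that exact version, not that the version is safe; the ecosystem and exact version string both have to match the PyPI data the database was built from.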
Code of Conduct
Everyone interacting with this project is expected to follow the PSF Code of Conduct.