A curated database of insecure Python packages
Python
Latest commit c789593 Dec 28, 2016 @jayfk jayfk committed on GitHub Merge pull request #1856 from pyupio/changelog-mr.migrator-version-1.2
Changelog mr.migrator version 1.2

README.md

Note: This database is currently in its early stages. It's possible that there are false positives and missing packages.

What is this?

This is an effort to collect all known security vulnerabilities in Python packages and make them available to consume for humans and automated tools.

The data is collected by filtering CVEs and changelogs for certain keywords and then manually reviewing them. Take a look at previous pull requests to see how that looks like.

What is this not?

This is not a hall of shame, or a list of packages to avoid. The package maintainers show a great responsibility by documenting and fixing security issues in such a way that they can be listed here. That's extremely valuable when considering using a package in production.

Tools

  • pyup.io shows installed packages and can send you pull requests if one of your dependencies receives a security fix.
  • safety checks your installed dependencies for known security vulnerabilities.
  • safety-django warns you in the admin area if you have insecure dependencies installed.
  • A Twitter Bot that tweets about what's added to the DB.
  • A pre-commit hook by Lucas Cimon.
  • your tool?

Using this data

For humans:

For robots:

Check out the data directory:

  • insecure.json contains just the package name and all insecure releases as a plain list.
  • insecure_full.json additionally contains the CVE description and URLs, or the relevant part of the changelog.

The database is licensed under CC BY-NC-SA 4.0. This allows you to use the data in any non commercial project as long as you link back to this repo. If you need a license for a commercial project, please contact support@pyup.io.

Support this project

If you find this useful, please consider getting a paid pyup.io account. This is what makes projects like this possible.