-
Notifications
You must be signed in to change notification settings - Fork 980
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Generic interface for associating package releases with vulnerabilities #9407
Comments
Thanks for bringing up this issue Oliver. I strongly believe that a more visible security posture will significantly contribute to security awareness for both developers and maintainers. I'm a developer advocate at Snyk, which works in the open source security space, and have my own history and experience working within the Node.js Foundation's ecosystem security working group so I'm well excited about integrating security into PyPI and As a TL;DR, and with respect to Google's new vulnerability database, I'd like to propose and volunteer and make available Snyk's vulnerability database to the Python foundation, to power the security advisories of both PyPI and pip, and I'm confident we can sponsor any work involved for doing that. As for the "Why" -
We greatly appreciate working within communities and projects to create that security awareness and my DevRel team at Snyk have done some great projects on this, to name a few:
I'm excited to further discuss this and see a built-in security integration in Python related tooling as discussed here. |
@lirantal Thanks for responding!
This is great to hear. To add some additional clarity, there's three separate things here that I want to tease apart:
It sounds like Snyk's database could easily be a part of any one of these:
Would love to hear about which point in that pipeline you think would be best for Snyk to be involved! |
You've outlined that well Dustin, all are indeed viable options. Snyk would be happy to volunteer its database to the Python community but I think the wording and semantics matter, as in, I don't think there's an actual one-time "contribution", but rather the Snyk team is actively committed to surfacing, traiging and collaborating with maintainers about security vulnerabilities, and so volunteering in terms of creating some sort of integration for the database feed, is more appropriate. That's semantics, and also details, but I thought it's worth mentioning. To add to that, I think that while the database's quality, quantity and first-to-know properties are super important, the tooling also matters in order to leverage it. So, whatever database integration decided here, making sure that it is integrated natively in Python's developer tooling is going to make the real change we'd like to see in the world, in terms of awareness. I'll reiterate my JS example here with I'd be happy to drill down into the details of working with the Snyk vulnerabilities database and we to start poc-ing that as needed. |
Would be great to get the conversation going :-) |
As part of Red Hat's project Thoth we use PyPA's advisory-db in a server side/cloud Python resolver. A demonstration of this feature is available in this recording. The resolution engine has a pluggable interface (see also adviser repo) so we can eventually plug what @lirantal and Snyk have - let's see how we can combine efforts in this area. We are releasing the resolver/recommendation engine publicly. @di could this be considerred as a topic for the planned SIG efforts (based on the call we had earlier)? |
@fridex that looks awesome! I'd also like to follow up on how we might be able to move forward with getting Snyk (and others) to contribute its database and how that might look like. Out of the options that @di outlined in #9407 (comment), I think these two options would be ideal:
The above don't necessarily have to be mutually exclusive. For example, I think the ideal scenario would be for Snyk could export vulnerabilities into an independent place, and then we could have a pipeline to auto-merge/deduplicate entries into https://github.com/pypa/advisory-db. My team at Google is trying to get vulnerability databases to agree on an export/interchange format, so that sharing and aggregating across databases is easy and we reduce potential duplicate triage work. This is the same format that the current python advisory-db uses. See our blog post released today for details! @lirantal WDYT? Would it make sense to have a call or start an email thread with interested folks on your side to discuss this? I think the collaboration details here could span beyond Python :) |
This seems closely related to #798; is it a duplicate? |
I think this is maybe a pre-requisite for #798, which seems to be mostly about creating a notification mechanism, whereas this issue is about PyPI collecting vulnerability data (which was implemented in #9552) surfacing it in the JSON API (which was implemented in #10197) and surfacing this in the UI (which has not been implemented) |
What's the problem this feature will solve?
PyPI currently does not associate any vulnerability information for projects hosted on it.
It would be a huge security benefit for users of PyPI if there was a way project releases can be associated with vulnerabilities.
Describe the solution you'd like
Implement an interface that can be called by vulnerability sources to POST vulnerability information for a package to PyPI. Requests can be signed in a similar way to how the existing GitHub token scanning integration does it.
The details provided would would be fairly minimal and just include:
This information can then be displayed in the PyPI UI and returned in the PyPI API. The
pip install
command can also make use of this information to notify users of vulnerable packages they’re installing.This will be built in a generic way that can support other vulnerability sources as well.
Additional context
Google (where I work) is working on an open source vulnerability database for open source packages. In particular we’re working on building a community owned vulnerability database for Python packages. This will be ready soon and we’d like to make this information more readily accessible.
We’d be able to contribute the necessary patches here for this web hook as well.
The text was updated successfully, but these errors were encountered: