pypa/advisory-database pypa/advisory-database

  • Stars
    star
    236
  • Rank 164,691 (Top 4 %)
  • Language
  • License
    Creative Commons ...
  • Created almost 3 years ago
  • Updated 2 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
pypa/advisory-database
github

pypa

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Advisory database for Python packages published on pypi.org

Python Packaging Advisory Database

This is community owned repository of advisories for packages published on https://pypi.org.

Advisories live in the vulns directory and use a YAML encoding of a simple format.

Contributing advisories

Making a pull request

Existing entries can be edited by simply creating a pull request.

To introduce a new entry, create a pull request with a new file that has a name matching PYSEC-0000-<anything>.yaml. This will be later picked up by automation to allocate a proper ID once merged.

Triage process

Much of the existing set of vulnerabilities are collected from the NVD CVE feed.

We use this tool, which performs a lot of heuristics to match CVEs with exact Python packages and versions (which is a difficult problem!) and a small amount of human triage to generate the .yaml entries here.

Using this data

Vulnerabilities are integrated into the Open Source Vulnerabilities project, which provides an API to query for vulnerabilities like so:

$ curl -X POST -d \
          '{"version": "2.4.1", "package": {"name": "jinja2", "ecosystem": "PyPI"}}' \
          "https://api.osv.dev/v1/query"

Longer term, we are working with the PyPI team to build a pipeline to automatically get these vulnerabilities into PyPI. The goal is to have the pip install (and an additional pip audit) command automatically report vulnerabilities out of the box.

Code of Conduct

Everyone interacting with this project is expected to follow the PSF Code of Conduct.

More Repositories

1

pipenv

Python Development Workflow for Humans.
Python
24,500
star
2

pip

The Python package installer
Python
9,178
star
3

pipx

Install and Run Python Applications in Isolated Environments
Python
8,438
star
4

hatch

Modern, extensible Python project management
Python
5,078
star
5

sampleproject

A sample project that exists for PyPUG's "Tutorial on Packaging and Distributing Projects"
Python
4,914
star
6

virtualenv

Virtual Python Environment builder
Python
4,642
star
7

pipfile

Python
3,231
star
8

setuptools

Official project repository for the Setuptools build system
Python
2,251
star
9

flit

Simplified packaging of Python modules
Python
2,070
star
10

cibuildwheel

🎑 Build Python wheels for all the platforms with minimal configuration.
Python
1,684
star
11

twine

Utilities for interacting with PyPI
Python
1,543
star
12

manylinux

Python wheels that work on any linux (almost)
Shell
1,365
star
13

packaging.python.org

Python Packaging User Guide
Python
1,362
star
14

pip-audit

Audits Python environments and dependency trees for known vulnerabilities
Python
888
star
15

setuptools_scm

the blessed package to manage your versions by scm tags
Python
802
star
16

gh-action-pypi-publish

The blessed :octocat: GitHub Action, for publishing your πŸ“¦ distribution files to PyPI: https://github.com/marketplace/actions/pypi-publish
Python
795
star
17

get-pip

Helper scripts to install pip, in a Python installation that doesn't have it.
Python
694
star
18

build

A simple, correct Python build frontend
Python
667
star
19

packaging

Core utilities for Python packages
Python
566
star
20

wheel

The official binary distribution format for Python
Python
469
star
21

bandersnatch

A PyPI mirror client according to PEP 381 http://www.python.org/dev/peps/pep-0381/
Python
421
star
22

auditwheel

Auditing and relabeling cross-distribution Linux wheels.
Python
403
star
23

python-manylinux-demo

Demo project for building Python wheels for Linux with Travis-CI
C
221
star
24

sample-namespace-packages

Tests against namespace packages
Python
166
star
25

readme_renderer

Safely render long_description/README files in Warehouse
Python
151
star
26

packaging-problems

An issue tracker for the problems in packaging
140
star
27

trove-classifiers

Canonical source for classifiers on PyPI.
Python
126
star
28

pyproject-hooks

A low-level library for calling build-backends in `pyproject.toml`-based project
Python
115
star
29

installer

A low-level library for installing from a Python wheel distribution.
Python
107
star
30

scripttest

Utilities to help with testing command line scripts
Python
59
star
31

gh-action-pip-audit

A GitHub Action for pip-audit
Python
59
star
32

distlib

A low-level library which implements some Python packaging standards (PEPs) and which could be used by third-party packaging tools to achieve interoperability.
Python
43
star
33

distutils

distutils as found in cpython
Python
42
star
34

.github

Community health files for the Python Packaging Authority
30
star
35

interoperability-peps

Development repo for evolution of PyPA interoperability standards (released versions are published as PEPs on python.org)
Python
22
star
36

pypa.io

Source code for the pypa.io website
Python
22
star
37

integration-test

ensure core packaging tools work well with each other
17
star
38

pkg_resources

Abandoned extraction of pkg_resources. Official version found at /pypa/setuptools.
Python
15
star
39

get-virtualenv

14
star
40

history

history generates history/changelog files for a project
Python
7
star
41

easy_install

Python
7
star
42

wheel-builders

Companion repo for the [email protected] mailing list
7
star
43

browntruck

Python
6
star
44

pypa-docs-theme

Common base Sphinx theme for PyPA projects
Python
6
star
45

docker-python

5
star
46

copr

Package files for building PyPA packages in copr
4
star
47

pep470

Python
4
star
48

pip-test-package

Used in pip's test suite
Python
4
star
49

pypa-bot

Source code behind @pypa-bot (eventually)
3
star
50

pypi-camo

Dockerfile
3
star
51

bot-test

1
star