Pip-audit: Google-backed tool probes Python environments for vulnerable packages – The Daily Swig

‘Good initial results’, says one early adopter

A tool has been launched with support from Google that scans Python environments for packages with known vulnerabilities.

‘Pip-audit’ leverages the PyPI JSON API to compare dependencies against the Python Packaging Advisory Database – a repository of security advisories that in turn collects much of its data from the NVD CVE feed.

Users can alternatively audit dependencies against the Open Source Vulnerabilities (OSV) database.

Dependencies can be audited with system packages included or excluded from the scan, with or without CVE descriptions, and for a given requirements file.

Scan results, which can be presented in JSON format, include package names, version IDs, fixed versions, and CVE descriptions.
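To make the lookup described above concrete, here is a small added example (written for this article, not pip-audit's own code) that performs the same kind of check: it parses a pinned requirements file, looks each pin up in the per-release PyPI JSON document (the real API at https://pypi.org/pypi/<name>/<version>/json carries a `vulnerabilities` list whose records have `id`, `aliases`, `fix_versions`, `details` and `link` fields), and reports pins that sit below every listed fix version. The advisory records and requirements text are constructed samples, the version comparison is a deliberately simple dotted-integer parse rather than full PEP 440 handling, and the "affected unless at or above a fix version" rule is this example's reading, not a statement of pip-audit's internals. The `aliases` field is also where a PYSEC record's CVE identifier appears when the advisory database has one, which is the link the tool's author mentions wanting to improve.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed stand-in for the per-release PyPI JSON API documents that a tool
# like pip-audit fetches (https://pypi.org/pypi/<name>/<version>/json). The
# "vulnerabilities" key and its field names match the real API; every package
# name, identifier, version and description below is made up for this example.
SAMPLE_PYPI_RESPONSES: Dict[Tuple[str, str], dict] = {
    ("examplelib", "1.2.0"): {
        "vulnerabilities": [
            {
                "id": "PYSEC-0000-EXAMPLE-1",
                "aliases": ["CVE-0000-00001"],
                "fix_versions": ["1.2.3", "2.0.1"],
                "details": "Constructed advisory: header parsing flaw.",
                "link": "https://example.invalid/PYSEC-0000-EXAMPLE-1",
            },
            {
                "id": "PYSEC-0000-EXAMPLE-2",
                "aliases": [],
                "fix_versions": ["1.1.0"],  # fixed before the installed pin
                "details": "Constructed advisory already fixed in 1.1.0.",
                "link": "https://example.invalid/PYSEC-0000-EXAMPLE-2",
            },
        ]
    },
    ("otherlib", "3.0.1"): {"vulnerabilities": []},
}

# Constructed requirements file contents.
SAMPLE_REQUIREMENTS = """\
# pinned application dependencies (constructed sample)
examplelib==1.2.0
otherlib==3.0.1   # trailing comment
"""

_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a plain dotted release version ("1.2.3") into a comparable tuple.
    Pre-release and local suffixes are out of scope here; a real scanner
    should use packaging.version for PEP 440 semantics."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def parse_requirements(text: str) -> List[Tuple[str, str]]:
    """Return (normalised name, version) pairs for every '==' pin.
    Comments and blank lines are skipped; anything else is rejected, because
    an unpinned requirement does not name one release to audit."""
    pins = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = _PIN.match(line)
        if not match:
            raise ValueError(f"requirement is not pinned with '==': {line!r}")
        name, version = match.groups()
        pins.append((name.lower().replace("_", "-"), version))
    return pins


def is_affected(installed: str, fix_versions: List[str]) -> bool:
    """Example rule: a pin is affected unless it is at or above one of the
    listed fix versions. No fix version at all means no known safe release,
    so the advisory is reported."""
    current = parse_version(installed)
    return not any(current >= parse_version(fix) for fix in fix_versions)


def audit(pins: List[Tuple[str, str]], responses: Dict[Tuple[str, str], dict]) -> List[dict]:
    """Cross-check each pin against its advisory record and collect findings
    in the same shape the article describes: name, version, id, fix versions,
    CVE aliases and description."""
    findings = []
    for name, version in pins:
        record = responses.get((name, version))
        if record is None:
            raise LookupError(f"no PyPI record for {name}=={version}")
        for vuln in record.get("vulnerabilities", []):
            fixes = vuln.get("fix_versions", [])
            if not is_affected(version, fixes):
                continue
            findings.append({
                "name": name,
                "version": version,
                "id": vuln["id"],
                "aliases": [a for a in vuln.get("aliases", []) if a.startswith("CVE-")],
                "fix_versions": fixes,
                "description": vuln.get("details", ""),
            })
    return findings


def audit_requirements_text(text: str, responses=SAMPLE_PYPI_RESPONSES) -> List[dict]:
    return audit(parse_requirements(text), responses)


if __name__ == "__main__":
    print(json.dumps(audit_requirements_text(SAMPLE_REQUIREMENTS), indent=2))
```

Run as a script it prints one JSON finding for `examplelib==1.2.0` (the second constructed advisory is suppressed because its fix version is older than the pin) and nothing for `otherlib`; swapping the sample dictionary for live responses from the PyPI endpoint is the only change needed to run it against a real environment.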

The project was developed by Trail of Bits, a New York-based cybersecurity company whose clients include Google, Microsoft, and GitHub.

Pip-audit 1.0.0 was launched on Wednesday (December 1).

Similar tools

Sharing the tool on the NetSec subreddit, ‘yossarian_flew_away’ said Google had funded the project. “We’re more than happy to be paid to create a free tool that doesn’t require paying a monthly fee,” they said.

This contrasts with similar, paid-for tools Safety and Snyk for Python. Other free tools that can scan for flaws in Python environments include GitHub’s Dependabot and OWASP Dependency Check.

On the same subreddit thread, ‘brainphreeze’ praised the tool as “quick and easy to set up and run”. They added: “Good initial results too.”

However, they also observed that “the lack of a severity rating does make the verification step more involved, but this looks to be based on how [the Python Packaging Advisory Database] stores its results”.

Acknowledging this shortcoming, ‘yossarian_flew_away’ said “we’re looking into being able to better connect PYSEC identifiers to their upstream CVE/NVD/similar records”.

Dependency Combobulator

The launch also follows the unveiling, at Black Hat Europe 2021, of an open source toolkit designed to specifically detect and thwart dependency confusion attacks.

Dependency Combobulator can be embedded within the software development lifecycle (SDLC) and CI/CD workflows and detects malicious packages at the SDLC’s commit, build, or release phases.

Google’s backing for Pip-audit is one of many open source security initiatives being supported or operated by the tech giant.

In recent months, for instance, Google has sponsored security reviews of eight open source projects and contributed to a National Institute of Standards and Technology (NIST) project focused on creating federal government guidelines for procuring secure software, among other examples.

Source: https://portswigger.net/daily-swig/pip-audit-google-backed-tool-probes-python-environments-for-vulnerable-packages