I’m from Google and my team has been working on some efforts to improve vulnerability management for open source packages.
In particular we’ve started to build a database of vulnerabilities that affect PyPI packages. CVEs are notoriously difficult to match to open source packages and versions, so our goal is to define a standardized shared vulnerability interchange format with precise version/naming that makes them much easier to consume.
An example vulnerability entry would look something like this (more examples here)
```yaml
id: PYSEC-UNDECIDED-2021-0001
package:
  name: httplib2
  ecosystem: PyPI
summary: Vulnerability in httplib2
details: httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.
severity: HIGH
affects:
  ranges:
    - type: GIT
      repo: https://github.com/httplib2/httplib2
      fixed: bd9ee252c8f099608019709e22c0d705e98d26bc
    - type: ECOSYSTEM
      fixed: 0.19.0
references:
  - https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m
aliases:
  - CVE-2021-21240
modified: "2021-02-12T14:56:00Z"
published: "2021-02-08T20:15:00Z"
```
We’ve built out a proof of concept for a workflow that automates most of the work necessary to generate these entries from existing CVE feeds. Once this gets going it should result in very minimal ongoing human maintenance work, and we are happy to contribute time to bootstrap this.
Would you be open to having this database live under Python Software Foundation · GitHub as a community owned database of vulnerabilities?
Our ultimate wish is to see this community database flow into PyPI’s API/UI and eventually the pip command so users can tell if their dependencies are vulnerable. We’ve already started engaging with the PyPI team on this.
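As an added illustration of how a consumer such as pip could use an entry in this format (example code written for this thread, not code from the post's author or from the database project): the httplib2 entry above is transcribed as a dict, and an installed version is matched against its ECOSYSTEM range. The version comparison is a deliberately simplified subset of PEP 440 (release segment plus a/b/rc pre-release tags), which is an assumption of this example, not part of the proposed format.

```python
import re

# The post's httplib2 entry, transcribed from the YAML above (not constructed).
ENTRY = {
    "id": "PYSEC-UNDECIDED-2021-0001",
    "package": {"name": "httplib2", "ecosystem": "PyPI"},
    "affects": {
        "ranges": [
            {"type": "GIT", "repo": "https://github.com/httplib2/httplib2",
             "fixed": "bd9ee252c8f099608019709e22c0d705e98d26bc"},
            {"type": "ECOSYSTEM", "fixed": "0.19.0"},
        ]
    },
    "aliases": ["CVE-2021-21240"],
}

def release_key(version):
    """Sortable key for a version: (release tuple, pre-release rank).
    Simplification (assumption): only N(.N)* with optional a/b/rc tags is handled;
    trailing zeros are dropped so 0.19 == 0.19.0, and 0.19.0rc1 < 0.19.0."""
    m = re.match(r"^(\d+(?:\.\d+)*)(a|b|rc)?(\d+)?$", version.strip())
    if not m:
        raise ValueError(f"unsupported version: {version!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    while len(nums) > 1 and nums[-1] == 0:
        nums = nums[:-1]
    if m.group(2):
        pre = (("a", "b", "rc").index(m.group(2)), int(m.group(3) or 0))
    else:
        pre = (3, 0)  # final release ranks above any pre-release tag
    return nums, pre

def is_affected(entry, name, ecosystem, version):
    """True if `version` of `name` lies in an ECOSYSTEM range of `entry`,
    i.e. introduced <= version < fixed. A range without 'introduced' starts
    at 0; one without 'fixed' is open-ended. GIT ranges are skipped because
    they need commit history rather than a version comparison."""
    pkg = entry["package"]
    if pkg["name"].lower() != name.lower() or pkg["ecosystem"] != ecosystem:
        return False
    v = release_key(version)
    for rng in entry["affects"]["ranges"]:
        if rng["type"] != "ECOSYSTEM":
            continue
        if v < release_key(rng.get("introduced", "0")):
            continue
        if "fixed" not in rng or v < release_key(rng["fixed"]):
            return True
    return False
```

Note that the entry's `fixed` version is exclusive, so 0.19.0 itself is reported as not affected while 0.19.0rc1 still is.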