Strategies for checking a package's info for new vulnerabilities

Hi all, I hope you’re doing well!

I’m currently testing some APIs to obtain security information for Python packages, including known vulnerabilities.

My question is: Is there any way to monitor new vulnerabilities being added to a package version without actively polling the API? For example, is there an RSS feed, webhook, or other passive notification mechanism focused specifically on vulnerabilities?

I understand that it is possible to create a mechanism for this using, for example, the PyPI or OSV API itself, but I would like to know if there is something similar to the RSS feed that exists for new releases and updates, but specific to vulnerability tracking.

Any information or recommendations on how to be notified when a vulnerability is added to an existing version would be greatly appreciated.

Thank you in advance for your time and support!

Best regards,

I don’t know if that is in-scope for what PyPI provides. I’d be curious if the PyPI security folks find the idea interesting, but I don’t think there’s any such mechanism today.

There are a smattering of tools trying to fill this niche though:

Tidelift provides a security and support focused model for getting FOSS maintainers paid for their efforts. I don’t know if they have public APIs, but they might.
Not all projects are working with Tidelift, but their vulnerability DB might span the entire ecosystem. I would presume that access to their data requires that you pay, but I don’t really know.

Another (private, monetized) solution is the Safety CLI tool. I recall trying it out a few years ago and finding it nice to use, but I think there were some terms of service or something which prevented us from using it at $WORK.

And lastly I’d point you at GitHub security updates, for projects which are hosted on GitHub.

I’m sure there are lots of other ways of mapping packages to CVEs and security issues, but nothing centralized and community-run, as far as I know.

3 Likes

My inclination is to say that this is a perfect paid add-on service for someone to be able to offer, and provided whoever accepts those payments feeds some amount of it back into the ecosystem (typically by hiring people who already work in the ecosystem and letting them continue), it would be of net benefit to let it be done that way. Stephen already pointed at some existing examples of this, but I’m sure there’d be no harm in more.

The implied alternative (volunteers do all the work for free) just isn’t sustainable. Maybe some people/entities will appreciate it enough to make PSF donations as a result, but ultimately it’s work that just requires tracking a lot of different sources of information (each project will have their own disclosure/announcement processes), which tends to be uninteresting to people in their free time.

4 Likes

I agree with what others said about a service. However, if you're just looking for the raw data itself, you could probably periodically fetch from the pysec DB's repository, pypa/advisory-database on GitHub (https://github.com/pypa/advisory-database), the advisory database for Python packages published on pypi.org.

That should pretty much mirror the data you're seeing come out of PyPI's JSON APIs 🙂

1 Like
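Since the thread's conclusion is "there is no push feed, so poll and diff", here is what that polling loop looks like in practice. This is an added example and not code from the thread, from PyPI or from OSV. It consumes records in the shape PyPI's JSON API returns under the `vulnerabilities` key of `/pypi/<name>/<version>/json` (`id`, `aliases`, `summary`, `fixed_in`, `link`, `withdrawn`), keeps a set of every identifier already seen, and alerts only on advisories that share no identifier with that set. That last point is the practical trap: the same issue is routinely published under a PYSEC id, a GHSA id and a CVE id, and PyPI may start returning it under a second id on a later poll, so diffing on `id` alone pages you twice for one bug. Withdrawn advisories are skipped. The package name, identifiers and summaries in the two sample polls are constructed, and the live `fetch_pypi_vulns` helper is only there to show the real endpoint; the sample run is fully offline.

```python
"""Poll-and-diff watcher for new advisories against a pinned package version.

Added example for this thread, not code from PyPI, OSV or the thread's
authors. Records follow the shape of the "vulnerabilities" list in PyPI's
/pypi/<name>/<version>/json response; the sample run uses constructed
snapshots instead of the network.
"""
from __future__ import annotations

import json
import urllib.request
from pathlib import Path

PYPI_JSON = "https://pypi.org/pypi/{name}/{version}/json"

# Constructed sample data (package, ids and summaries are made up): what two
# successive polls of /pypi/examplepkg/1.2.0/json might return.
POLL_1 = [
    {"id": "PYSEC-0000-0001", "aliases": ["CVE-0000-0001", "GHSA-xxxx-xxxx-xxx1"],
     "summary": "Made-up issue A", "fixed_in": ["1.2.1"], "withdrawn": None,
     "link": "https://osv.dev/vulnerability/PYSEC-0000-0001"},
]
POLL_2 = [
    # Same issue as before, now also returned under its GHSA id: must not re-alert.
    {"id": "GHSA-xxxx-xxxx-xxx1", "aliases": ["CVE-0000-0001", "PYSEC-0000-0001"],
     "summary": "Made-up issue A", "fixed_in": ["1.2.1"], "withdrawn": None,
     "link": "https://osv.dev/vulnerability/GHSA-xxxx-xxxx-xxx1"},
    POLL_1[0],
    # Genuinely new advisory: this is the one we want to hear about.
    {"id": "PYSEC-0000-0002", "aliases": [], "summary": "Made-up issue B",
     "fixed_in": ["1.2.2"], "withdrawn": None,
     "link": "https://osv.dev/vulnerability/PYSEC-0000-0002"},
    # Withdrawn advisory: never worth an alert.
    {"id": "PYSEC-0000-0003", "aliases": [], "summary": "Retracted made-up issue",
     "fixed_in": [], "withdrawn": "2024-01-01T00:00:00Z",
     "link": "https://osv.dev/vulnerability/PYSEC-0000-0003"},
]


def fetch_pypi_vulns(name: str, version: str) -> list[dict]:
    """Live poll of PyPI's JSON API (network; not used by the sample run)."""
    url = PYPI_JSON.format(name=name, version=version)
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp).get("vulnerabilities", [])


def advisory_ids(vuln: dict) -> set[str]:
    """Every identifier an advisory travels under: its own id plus aliases."""
    return {vuln["id"], *vuln.get("aliases", [])}


def new_advisories(seen: set[str], fresh: list[dict]) -> list[dict]:
    """Return advisories in `fresh` that share no identifier with `seen`.

    Withdrawn advisories are skipped, and two records in the same poll that
    alias each other produce a single alert.
    """
    alerts: list[dict] = []
    noted = set(seen)
    for vuln in fresh:
        if vuln.get("withdrawn"):
            continue
        ids = advisory_ids(vuln)
        if ids & noted:
            continue  # already known under this or an aliased identifier
        alerts.append(vuln)
        noted |= ids
    return alerts


def mark_seen(seen: set[str], vulns: list[dict]) -> set[str]:
    """Fold every identifier of `vulns` (withdrawn ones included) into `seen`."""
    updated = set(seen)
    for vuln in vulns:
        updated |= advisory_ids(vuln)
    return updated


def load_seen(path: Path) -> set[str]:
    return set(json.loads(path.read_text())) if path.exists() else set()


def save_seen(path: Path, seen: set[str]) -> None:
    path.write_text(json.dumps(sorted(seen)))


def format_alert(name: str, version: str, vuln: dict) -> str:
    fixed = ", ".join(vuln.get("fixed_in") or []) or "no fixed version listed"
    return f"[{name}=={version}] {vuln['id']}: {vuln.get('summary', '')} " \
           f"(fixed in: {fixed}) {vuln.get('link', '')}"


if __name__ == "__main__":
    # Offline sample run over the two constructed polls; with a real cron job
    # replace the loop body with fetch_pypi_vulns() plus load_seen()/save_seen().
    seen: set[str] = set()
    for poll in (POLL_1, POLL_2):
        for vuln in new_advisories(seen, poll):
            print(format_alert("examplepkg", "1.2.0", vuln))
        seen = mark_seen(seen, poll)
```

Run from cron or a CI schedule, persist the seen set with `load_seen`/`save_seen`, and send `format_alert` output wherever you want to be paged. The same diff logic applies unchanged to OSV query results or to the PYSEC records in pypa/advisory-database, since those carry the same `id`/`aliases`/`withdrawn` fields.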