Safety checks your installed dependencies for known security vulnerabilities

Overview

Safety checks your installed dependencies for known security vulnerabilities.

By default it uses the open Python vulnerability database Safety DB, but can be upgraded to use pyup.io's Safety API using the --key option.

Installation

Install safety with pip. Keep in mind that we support only Python 3.5 and up; see the Python 2.7 section at the end of this document.

pip install safety

Usage

To check your currently selected virtual environment for dependencies with known security vulnerabilities, run:

safety check

You should get a report similar to this:

+==============================================================================+
|                                                                              |
|                               /$$$$$$            /$$                         |
|                              /$$__  $$          | $$                         |
|           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
|          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
|         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
|          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
|          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
|         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
|                                                          /$$  | $$           |
|                                                         |  $$$$$$/           |
|  by pyup.io                                              \______/            |
|                                                                              |
+==============================================================================+
| REPORT                                                                       |
+==============================================================================+
| No known security vulnerabilities found.                                     |
+==============================================================================+

Now, let's install something insecure:

pip install insecure-package

Yeah, you can really install that.

Run safety check again:

+==============================================================================+
|                                                                              |
|                               /$$$$$$            /$$                         |
|                              /$$__  $$          | $$                         |
|           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
|          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
|         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
|          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
|          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
|         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
|                                                          /$$  | $$           |
|                                                         |  $$$$$$/           |
|  by pyup.io                                              \______/            |
|                                                                              |
+==============================================================================+
| REPORT                                                                       |
+==========================+===============+===================+===============+
| package                  | installed     | affected          | source        |
+==========================+===============+===================+===============+
| insecure-package         | 0.1.0         | <0.2.0            | changelog     |
+==========================+===============+===================+===============+

Examples

Read requirement files

Just like pip, Safety is able to read local requirement files:

safety check -r requirements.txt

Read from stdin

Safety is also able to read from stdin with the --stdin flag set.

To check a local requirements file, run:

cat requirements.txt | safety check --stdin

or the output of pip freeze:

pip freeze | safety check --stdin

or to check a single package:

echo "insecure-package==0.1" | safety check --stdin

For more examples, take a look at the options section.

Scan a Python-based Docker image

To scan a Docker image IMAGE_TAG, run:

docker run -it --rm ${IMAGE_TAG} /bin/bash -c "pip install safety && safety check"

Using Safety in Docker

Safety can also be run as a Docker container. It is used just as described in the examples section.

echo "insecure-package==0.1" | docker run -i --rm pyupio/safety safety check --stdin
cat requirements.txt | docker run -i --rm pyupio/safety safety check --stdin

Using the Safety binaries

The Safety binaries provide some extra security.

After installation, they can be used just like the regular command line version of Safety.

Using Safety with a CI service

Safety works great in your CI pipeline. It returns a non-zero exit status if it finds a vulnerability.

Run it before or after your tests. If Safety finds something, your tests will fail.

Travis

install:
  - pip install safety

script:
  - safety check

Gitlab CI

safety:
  script:
    - pip install safety
    - safety check

Tox

[tox]
envlist = py37

[testenv]
deps =
    safety
    pytest
commands =
    safety check
    pytest

Deep GitHub Integration

If you are looking for a deep integration with your GitHub repositories: Safety is available as a part of pyup.io, called Safety CI. Safety CI checks your commits and pull requests for dependencies with known security vulnerabilities and displays a status on GitHub.

Using Safety in production

Safety is free and open source (MIT Licensed). The underlying open vulnerability database is updated once per month.

To get access to all vulnerabilities as soon as they are added, you need a Safety API key that comes with a paid pyup.io account, starting at $99.

Options

--key

API Key for pyup.io's vulnerability database. Can be set as SAFETY_API_KEY environment variable.

Example

safety check --key=12345-ABCDEFGH

--db

Path to a directory with a local vulnerability database containing insecure.json and insecure_full.json.

Example

safety check --db=/home/safety-db/data

--proxy-host

Proxy host IP or DNS

--proxy-port

Proxy port number

--proxy-protocol

Proxy protocol (https or http)


--json

Output vulnerabilities in JSON format.

Example

safety check --json
[
    [
        "django",
        "<1.2.2",
        "1.2",
        "Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.",
        "25701"
    ]
]
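Consuming this positional JSON in a pipeline, as an added example that is not part of Safety itself: it validates the five-field rows shown above ([package, affected, installed, advisory, id]), applies an ignore list the way --ignore does, and returns the exit status a CI gate would use. The second report row and its advisory text are constructed.

```python
"""Parse `safety check --json` output and gate a CI job on it.

Added example, not Safety project code. The report below is constructed in
the list-of-lists shape the README shows for --json output.
"""
import json
import sys
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed sample of `safety check --json` output with two findings.
SAMPLE_REPORT = json.dumps([
    ["django", "<1.2.2", "1.2",
     "Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 "
     "allows remote attackers to inject arbitrary web script or HTML via a "
     "csrfmiddlewaretoken (aka csrf_token) cookie.",
     "25701"],
    ["insecure-package", "<0.2.0", "0.1.0",
     "Constructed advisory text for the README's demo package.",
     "99999"],
])


@dataclass(frozen=True)
class Finding:
    """One row of the report, with the positional fields given names."""
    package: str
    affected: str
    installed: str
    advisory: str
    vuln_id: str


def parse_report(raw: str) -> List[Finding]:
    """Turn the positional JSON rows into Finding records.

    Every row must be a five-element list. Anything else raises, so a
    truncated or reshaped report fails the job instead of passing silently.
    """
    data = json.loads(raw)
    if not isinstance(data, list):
        raise ValueError("expected a JSON list at the top level")
    findings = []
    for row in data:
        if not (isinstance(row, list) and len(row) == 5):
            raise ValueError(f"malformed finding row: {row!r}")
        findings.append(Finding(*(str(field) for field in row)))
    return findings


def triage(findings: Iterable[Finding],
           ignore_ids: Set[str]) -> Dict[str, List[Finding]]:
    """Split findings into blocking and ignored, mirroring `--ignore`."""
    findings = list(findings)
    return {
        "blocking": [f for f in findings if f.vuln_id not in ignore_ids],
        "ignored": [f for f in findings if f.vuln_id in ignore_ids],
    }


def ci_exit_code(raw: str, ignore_ids: Set[str] = frozenset()) -> int:
    """0 when no blocking finding remains, 1 otherwise (a non-zero status is
    also what Safety itself returns when it finds a vulnerability)."""
    result = triage(parse_report(raw), set(ignore_ids))
    return 1 if result["blocking"] else 0


if __name__ == "__main__":
    # Pipe `safety check --json` in, or run bare to use the constructed sample;
    # any extra arguments are vulnerability IDs to ignore.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    result = triage(parse_report(raw), set(sys.argv[1:]))
    for f in result["blocking"]:
        print(f"BLOCK  {f.package} {f.installed} (affected {f.affected}) id={f.vuln_id}")
    for f in result["ignored"]:
        print(f"IGNORE {f.package} {f.installed} id={f.vuln_id}")
    sys.exit(1 if result["blocking"] else 0)
```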

--full-report

Full reports include a security advisory. They also show CVSS values for CVEs (requires a premium PyUp subscription).

Example

safety check --full-report
+==============================================================================+
|                                                                              |
|                               /$$$$$$            /$$                         |
|                              /$$__  $$          | $$                         |
|           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
|          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
|         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
|          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
|          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
|         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
|                                                          /$$  | $$           |
|                                                         |  $$$$$$/           |
|  by pyup.io                                              \______/            |
|                                                                              |
+==============================================================================+
| REPORT                                                                       |
+============================+===========+==========================+==========+
| package                    | installed | affected                 | ID       |
+============================+===========+==========================+==========+
| CVSS v2 | BASE SCORE: 6.5 | IMPACT SCORE: 6.4                                |
+============================+===========+==========================+==========+
| django                     | 1.2       | <1.2.2                   | 25701    |
+==============================================================================+
| Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows |
|  remote attackers to inject arbitrary web script or HTML via a csrfmiddlewar |
| etoken (aka csrf_token) cookie.                                              |
+==============================================================================+

--bare

Output vulnerable packages only. Useful in combination with other tools.

Example

safety check --bare
cryptography django

--cache

Cache requests to the vulnerability database locally for 2 hours.

Example

safety check --cache

--stdin

Read input from stdin.

Example

cat requirements.txt | safety check --stdin
pip freeze | safety check --stdin
echo "insecure-package==0.1" | safety check --stdin

--file, -r

Read input from one (or multiple) requirement files.

Example

safety check -r requirements.txt
safety check --file=requirements.txt
safety check -r req_dev.txt -r req_prod.txt

--ignore, -i

Ignore one (or multiple) vulnerabilities by ID.

Example

safety check -i 1234
safety check --ignore=1234
safety check -i 1234 -i 4567 -i 89101

--output, -o

Save the report to a file.

Example

safety check -o insecure_report.txt
safety check --json --output insecure_report.json

Review

If you save the report in JSON format, you can review it in the report format again.

Options

--file, -f (REQUIRED)

Read an insecure report.

Example

safety review -f insecure.json
safety review --file=insecure.json

--full-report

Full reports include a security advisory (if available).

Example

safety review -f insecure.json --full-report
+==============================================================================+
|                                                                              |
|                               /$$$$$$            /$$                         |
|                              /$$__  $$          | $$                         |
|           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
|          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
|         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
|          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
|          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
|         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
|                                                          /$$  | $$           |
|                                                         |  $$$$$$/           |
|  by pyup.io                                              \______/            |
|                                                                              |
+==============================================================================+
| REPORT                                                                       |
+============================+===========+==========================+==========+
| package                    | installed | affected                 | ID       |
+============================+===========+==========================+==========+
| django                     | 1.2       | <1.2.2                   | 25701    |
+==============================================================================+
| Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows |
|  remote attackers to inject arbitrary web script or HTML via a csrfmiddlewar |
| etoken (aka csrf_token) cookie.                                              |
+==============================================================================+

--bare

Output vulnerable packages only.

Example

safety review --file report.json --bare
django

License

Display license information for packages (requires a premium PyUp subscription).

Options

--key (REQUIRED)

API Key for pyup.io's licenses database. Can be set as SAFETY_API_KEY environment variable.

Example

safety license --key=12345-ABCDEFGH

Shows the license of each package in the current environment:

+==============================================================================+
|                                                                              |
|                               /$$$$$$            /$$                         |
|                              /$$__  $$          | $$                         |
|           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
|          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
|         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
|          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
|          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
|         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
|                                                          /$$  | $$           |
|                                                         |  $$$$$$/           |
|  by pyup.io                                              \______/            |
|                                                                              |
+==============================================================================+
| Packages licenses                                                            |
+=============================================+===========+====================+
| package                                     |  version  | license            |
+=============================================+===========+====================+
| requests                                    | 2.25.0    | Apache-2.0         |
|------------------------------------------------------------------------------|
| click                                       | 7.1.2     | BSD-3-Clause       |
|------------------------------------------------------------------------------|
| safety                                      | 1.10.0    | MIT                |
+==============================================================================+

--db

Path to a directory with a local licenses database (licenses.json).

Example

safety license --key=12345-ABCDEFGH --db=/home/safety-db/data

--no-cache

Since the PyUp.io licenses DB is updated once a week, the licenses database is cached locally for 7 days. Use --no-cache to download it again.

Example

safety license --key=12345-ABCDEFGH --no-cache

--file, -r

Read input from one (or multiple) requirement files.

Example

safety license --key=12345-ABCDEFGH -r requirements.txt
safety license --key=12345-ABCDEFGH --file=requirements.txt
safety license --key=12345-ABCDEFGH -r req_dev.txt -r req_prod.txt

--proxy-host, -ph

Proxy host IP or DNS

--proxy-port, -pp

Proxy port number

--proxy-protocol, -pr

Proxy protocol (https or http)

Example

safety license --key=12345-ABCDEFGH -ph 127.0.0.1 -pp 8080 -pr https

Python 2.7

This tool requires the latest patch version of Python 3.5 or later. We did support Python 2.7 in the past, but, like some older Python 3.x minor versions, it has reached its end of life and we are no longer able to support it.

We understand you might still have Python 2.7 projects running. At the same time, Safety itself has a commitment to encourage developers to keep their software up-to-date, and it would not make sense for us to work with officially unsupported Python versions, or even those that reached their end of life.

If you still need to run Safety from a Python 2.7 environment, please use version 1.8.7, available on PyPI. Alternatively, you can run Safety from a Python 3 environment to check the requirements file for your Python 2.7 project.

Comments
  • UnicodeEncodeError: 'charmap' codec can't encode characters in position 0-79: character maps to <undefined>

    UnicodeEncodeError: 'charmap' codec can't encode characters in position 0-79: character maps to

    • safety version: 1.7.0
    • Python version: Python 3.6.1
    • Operating System: Windows-10-10.0.16299-SP0, AMD64

    Description

    • Trying to use safety check
    • Same error always results: UnicodeEncodeError: 'charmap' codec can't encode characters in position 0-79: character maps to <undefined>

    What I Did

    safety check -r simple-requirements.txt
    

    Contents of simple-requirements.txt

    safety
    
    • There are absolutely no unicode characters in this file

    Traceback

    $ safety check -r simple-requirements.txt
    Warning: unpinned requirement 'safety' found in simple-requirements.txt, unable to check.
    Traceback (most recent call last):
      File "c:\users\nicholas\appdata\local\programs\python\python36\Lib\runpy.py", line 193, in _run_module_as_main
        "__main__", mod_spec)
      File "c:\users\nicholas\appdata\local\programs\python\python36\Lib\runpy.py", line 85, in _run_code
        exec(code, run_globals)
      File "C:\Users\nicholas\.virtualenvs\pybotics-d30fj9Hx\Scripts\safety.exe\__main__.py", line 9, in <module>
      File "c:\users\nicholas\.virtualenvs\pybotics-d30fj9hx\lib\site-packages\click\core.py", line 722, in __call__
        return self.main(*args, **kwargs)
      File "c:\users\nicholas\.virtualenvs\pybotics-d30fj9hx\lib\site-packages\click\core.py", line 697, in main
        rv = self.invoke(ctx)
      File "c:\users\nicholas\.virtualenvs\pybotics-d30fj9hx\lib\site-packages\click\core.py", line 1066, in invoke
        return _process_result(sub_ctx.command.invoke(sub_ctx))
      File "c:\users\nicholas\.virtualenvs\pybotics-d30fj9hx\lib\site-packages\click\core.py", line 895, in invoke
        return ctx.invoke(self.callback, **ctx.params)
      File "c:\users\nicholas\.virtualenvs\pybotics-d30fj9hx\lib\site-packages\click\core.py", line 535, in invoke
        return callback(*args, **kwargs)
      File "c:\users\nicholas\.virtualenvs\pybotics-d30fj9hx\lib\site-packages\safety\cli.py", line 66, in check
        key=key
      File "c:\users\nicholas\.virtualenvs\pybotics-d30fj9hx\lib\site-packages\click\termui.py", line 420, in secho
        return echo(style(text, **styles), file=file, nl=nl, err=err, color=color)
      File "c:\users\nicholas\.virtualenvs\pybotics-d30fj9hx\lib\site-packages\click\utils.py", line 259, in echo
        file.write(message)
      File "c:\users\nicholas\.virtualenvs\pybotics-d30fj9hx\lib\encodings\cp1252.py", line 19, in encode
        return codecs.charmap_encode(input,self.errors,encoding_table)[0]
    UnicodeEncodeError: 'charmap' codec can't encode characters in position 0-79: character maps to <undefined>
    

    Similar Issues

    • https://github.com/pyupio/safety/issues/22
    bug 
    opened by engnadeau 14
  • Support for URLs in input requirements.txt files

    Support for URLs in input requirements.txt files

    Hi,

    This is a feature request.

    Lets start by stating that, following the spec, URLs to tarballs are part of the requirements file format https://pip.readthedocs.io/en/1.1/requirements.html#requirements-file-format

    Now, the pkg_resources.parse_requirements function used by safety does not support them: https://github.com/pypa/setuptools/blob/master/pkg_resources/__init__.py#L2850 It raises a RequirementParseError: Invalid requirement, parse error.

    I had a look at how they handle this in pip, and it's ugly: https://github.com/pypa/pip/blob/master/pip/req/req_set.py#L690

    pip-tools does not support them. It actually crashes in a bad way if you try so: https://github.com/nvie/pip-tools/issues/416

    By the way, URLs to tarballs specified as editable requirements (with -e) work fine: curiously, pkg_resources.parse_requirements handles them perfectly well.

    What do you think? Should safety handle them?

    opened by Lucas-C 14
  • Issue with GitHub integration

    Issue with GitHub integration

    • safety version: GitHub integration
    • Python version: 2.7.x
    • Operating System:

    Description

    We have a status check integrated for verifying each PR going into the master branch.

    I now encounter that this status is Pending for over 12 hours.

    Is there currently a server issue or am I doing something wrong with the integration?

    bug 
    opened by chgad 13
  • False positive for numpy

    False positive for numpy

    • safety version: 1.10.3
    • Python version: 3.8.12
    • Operating System: Ubuntu 20.04.3 LTS

    Description

    Ran safety against the latest update and got a report of a failure on numpy, despite being on 1.22.1.

    In the free safety DB, the values for numpy are expressed as:

    "numpy": [
            "<1.13.2",
            "<1.16.3",
            "<1.21.0",
            "<1.22.0",
            "<1.8.1",
            ">0"
        ],
    

    I'm not sure why >0 was added in the February release, but it seems to be causing this problem

    What I Did

    2022-02-01T15:10:46.7671452Z +==============================================================================+
    2022-02-01T15:10:46.7677519Z |                                                                              |
    2022-02-01T15:10:46.7726508Z |                               /$$$$$$            /$$                         |
    2022-02-01T15:10:46.7726760Z |                              /$$__  $$          | $$                         |
    2022-02-01T15:10:46.7727062Z |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
    2022-02-01T15:10:46.7727279Z |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
    2022-02-01T15:10:46.7727504Z |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
    2022-02-01T15:10:46.7727745Z |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
    2022-02-01T15:10:46.7727979Z |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
    2022-02-01T15:10:46.7728200Z |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
    2022-02-01T15:10:46.7728430Z |                                                          /$$  | $$           |
    2022-02-01T15:10:46.7728651Z |                                                         |  $$$$$$/           |
    2022-02-01T15:10:46.7728876Z |  by pyup.io                                              \______/            |
    2022-02-01T15:10:46.7729111Z |                                                                              |
    2022-02-01T15:10:46.7729338Z +==============================================================================+
    2022-02-01T15:10:46.7729569Z | REPORT                                                                       |
    2022-02-01T15:10:46.7729828Z | checked 147 packages, using free DB (updated once a month)                   |
    2022-02-01T15:10:46.7730086Z +============================+===========+==========================+==========+
    2022-02-01T15:10:46.7730332Z | package                    | installed | affected                 | ID       |
    2022-02-01T15:10:46.7730578Z +============================+===========+==========================+==========+
    2022-02-01T15:10:46.7730786Z | numpy                      | 1.22.1    | >0                       | 44715    |
    2022-02-01T15:10:46.7731010Z +==============================================================================+
    
    opened by nbhargava 11
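The false positive above comes from a specifier that admits every version. Below is an added example, not Safety's own matcher, that evaluates insecure.json entries (package to list of specifier strings, as quoted in the issue) against an installed version and flags catch-all specifiers such as ">0" in a local --db directory. The sample DB is constructed; handling only dotted numeric versions and dropping pre-release tags is an assumption of this example.

```python
"""Match installed versions against Safety DB insecure.json specifiers and
audit the DB for catch-all specifiers.

Added example, not Safety project code. Supports the clause operators that
appear in safety-db entries (<, <=, >, >=, ==, !=) on dotted numeric
versions; pre-release suffixes such as 'rc1' are dropped (an assumption).
"""
import re
from typing import Callable, Dict, List, Tuple

# Constructed excerpt in the shape of insecure.json: package -> specifier
# strings; one string may carry several comma-separated clauses.
SAMPLE_DB: Dict[str, List[str]] = {
    "numpy": ["<1.13.2", "<1.16.3", "<1.21.0", "<1.22.0", "<1.8.1", ">0"],
    "django": [">=1.2,<1.2.2"],
}

_CLAUSE = re.compile(r"^\s*(<=|>=|==|!=|<|>)\s*([0-9][0-9.]*)\s*$")

_OPS: Dict[str, Callable[[tuple, tuple], bool]] = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.22.1' -> (1, 22, 1). Trailing zeros are stripped so that
    1.2 and 1.2.0 compare equal; anything after the numeric part is dropped."""
    numeric = re.split(r"[^0-9.]", text, maxsplit=1)[0]
    parts = tuple(int(p) for p in numeric.split(".") if p != "")
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def matches(spec: str, version: str) -> bool:
    """True when every comma-separated clause of spec admits version."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def affected_specs(db: Dict[str, List[str]], package: str,
                   version: str) -> List[str]:
    """Specifiers in the DB entry for package that match the installed version."""
    return [s for s in db.get(package.lower(), []) if matches(s, version)]


def catch_all_specs(db: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Specifiers that admit both a tiny and a huge probe version, i.e. that
    would flag every release, like the '>0' entry that hit numpy 1.22.1."""
    probes = ("0.0.1", "999999.0")
    out: Dict[str, List[str]] = {}
    for pkg, specs in db.items():
        broad = [s for s in specs if all(matches(s, p) for p in probes)]
        if broad:
            out[pkg] = broad
    return out


if __name__ == "__main__":
    print("numpy 1.22.1 matched by:", affected_specs(SAMPLE_DB, "numpy", "1.22.1"))
    print("django 1.2 matched by:", affected_specs(SAMPLE_DB, "django", "1.2"))
    print("catch-all specifiers:", catch_all_specs(SAMPLE_DB))
```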
  • Better JSON structure for easy and safer parsing

    Better JSON structure for easy and safer parsing

    • safety version: 1.8.5
    • Python version: 3.6.7
    • Operating System: Ubuntu 18.04.1 LTS

    Description

    Run the following command from a terminal:

    echo "Jinja==1.0.0" | safety check --stdin --full-report --json

    The result that will be returned looks like this:

    [
        [
            "jinja",
            "<2.7.2",
            "1.0.0",
            "jinja 2.7.2 fixes a security issue: Changed the default folder for the filesystem cache to be user specific and read and write protected on UNIX systems.  See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734747 for more information.",
            "25863"
        ],
        [
            "jinja",
            "<2.7.3",
            "1.0.0",
            "jinja 2.7.3 fixes a security issue: Corrected the security fix for the cache folder.",
            "25864"
        ]
    ]
    

    As you can see, it returns a list of all CVEs that were found along with information about the CVE. There is a big downside to the current structure though (or at least I think so). As this is a list with values inside, it means I have to do extra checks or dangerous operations to get values out. Now imagine that the script is run from Python within an os.popen or equivalent way like this:

    import json
    import os

    # Run safety on a single pinned requirement and parse its JSON report.
    command = 'echo "Jinja==1.0.0" | safety check --stdin --full-report --json'
    cve_result_details = json.loads(os.popen(command).read())
    

    I'll have a JSON dict just like it was sent. Now how can I safely get out the upper version of the CVE? I'd have to do something like:

    if cve_result_details:
        upper_version = cve_result_details[0][1]
    

    This feels pretty dangerous & risky. I'd propose another JSON structure that looks like this:

    {
        "cve_reports": [
            {
                "package_name": "jinja",
                "upper_version": "<2.7.2",
                "installed_version": "1.0.0",
                "package_description": "jinja 2.7.2 fixes a security issue: Changed the default folder for the filesystem cache to be user specific and read and write protected on UNIX systems.  See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734747 for more information.",
                "25863"
            }
        ]
    }
    

    This would allow to do cleaner & safer operations. To get out the upper version I could now do:

    upper_version = cve_result.get('cve_reports').get('upper_version')
    

    The benefits:

    • Will not crash if no result
    • Cleaner to write and easier to understand
    enhancement considering 
    opened by Yenthe666 9
  • Fix get_terminal_size on Python 2.7 for Windows

    Fix get_terminal_size on Python 2.7 for Windows

    The code was correctly trapping FileNotFoundError for the case where stty is not available on Windows. However, on Python 2.7, the exception raised by subprocess.check_output() is WindowsError, a subclass of OSError.

    Fixes #65.

    opened by AndreLouisCaron 8
  • pre-commit hook

    pre-commit hook

    Hi,

    This is just to let you know that I developed a pre-commit hook based on your lib: https://github.com/Lucas-C/pre-commit-hooks-safety

    It is not yet fully functional: a small limitation in pre-commit is a blocker, but I intend to fix it in this issue: https://github.com/pre-commit/pre-commit/issues/426

    opened by Lucas-C 8
  • Packaging improvements

    Packaging improvements

    • Use 'io' package as a more reliable way of opening files on Windows in Python 2.7
    • Add python_requires, which helps pip determine if the package is compatible with the version of Python.
    • Change development status to "Production/Stable" in PyPI classifiers
    • Cleanup and formatting of setup.py
    opened by GhostofGoes 7
  • Dockerise safety

    Dockerise safety

    Description

    Dockerise the safety command/tool to make it easier to be used in local development and within CI/CD pipelines.

    What I Did

    Here's a copy of my Dockerfile that I used to do this locally, it may be valuable to others (or if someone wants to PR it back into master):

    FROM ubuntu:18.04
    
    ENV LC_ALL=C.UTF-8
    ENV LANG=C.UTF-8
    
    RUN apt-get -qy update && \
        apt-get -qy install python3-pip python-dev build-essential && \
        pip3 install safety && \
        apt-get -qy clean && \
        rm -rf /var/lib/apt/lists/* && \
        rm -rf /tmp/*
    
    ENTRYPOINT ["/usr/local/bin/safety"]
    

    Then you can simply run a command as per the README.md, like so:

    echo "insecure-package==0.1" | docker run -i --rm docker-pyup-safety check --stdin

    opened by o6uoq 7
  • pip 10 api breakage

    pip 10 api breakage

    Quoting distutils-sig:

    We're in the process of starting to plan for a release of pip (the long-awaited pip 10). We're likely still a month or two away from a release, but now is the time for people to start ensuring that everything works for them. One key change in the new version will be that all of the internal APIs of pip will no longer be available, so any code that currently calls functions in the "pip" namespace will break. Calling pip's internal APIs has never been supported, and always carried a risk of such breakage, so projects doing so should, in theory, be prepared for such things. However, reality is not always that simple, and we are aware that people will need time to deal with the implications.

    Just in case it's not clear, simply finding where the internal APIs have moved to and calling them under the new names is not what people should do. We can't stop people calling the internal APIs, obviously, but the idea of this change is to give people the incentive to find a supported approach, not just to annoy people who are doing things we don't want them to ;-)

    So please - if you're calling pip's internals in your code, take the opportunity now to check out the in-development version of pip, and ensure your project will still work when pip 10 is released.

    And many thanks to anyone else who helps by testing out the new version, as well :-)

    Thanks, Paul


    Safety uses pip.get_installed_distributions which has moved to https://github.com/pypa/pip/blob/master/src/pip/_internal/utils/misc.py#L333

    opened by jayfk 7
  • `safety` requires `cryptography>=39.0.0` which hasn't been released yet

    `safety` requires `cryptography>=39.0.0` which hasn't been released yet

    • safety version: 1.10.3
    • Python version: 3.10.2
    • Operating System: MacOS 11.7

    Description

    Hello 👋

    safety currently requires cryptography>=39.0.0 for its checks to pass (see screenshot), citing the below reason, with ID 51159:

    Cryptography 39.0.0 drops support for C library "LibreSSL" < 3.4, as these versions are not receiving security support anymore.

    However, it looks like version 39.0.0 of cryptography is under development and hasn't been released yet.

    As far as I can see, the only way around this for now is to ask safety to ignore its check on cryptography.

    There's a comment on commit https://github.com/pyupio/safety-db/commit/e582a03665fde14b58dd247b5d33aa4c0f0832e5 about it here.

    Thanks 🙏

    What I Did

    Ran the following:

    safety check --full-report --file=requirements.txt
    
    opened by figchutney 6
  • Pinning to packaging < 22.0

    Pinning to packaging < 22.0

    • safety version: 2.3.5
    • Python version: All
    • Operating System: All

    Description

    We are attempting to create virtual environments for our developers that include all production dependencies for their package plus all of our static analyzers and security checks, so they can reproduce our CI system locally. It has recently come up that the latest version of safety pins to packaging<22.0 which ~is incompatible~ requires some extra work to operate with some of our existing package dependencies.

    Can you shed some more light on the comment in this commit: https://github.com/pyupio/safety/commit/aa1b1532818a1b2cb229b14907cad64c927fa8c6? What exactly is meant by "preventing issues?" Is this something that you could use help on or is on your roadmap to support?

    What I Did

    First look at my input file (reduced to show minimal reproducible error):

    > cat test.in
    pandera
    

    Next, compile that file to a lockfile:

    > pip-compile --no-emit-index-url --no-header --quiet --pip-args --no-input --resolver=legacy --output-file=test.txt test.in
    > cat test.txt
    mypy-extensions==0.4.3
        # via typing-inspect
    numpy==1.23.5
        # via
        #   pandas
        #   pandera
    packaging==22.0
        # via pandera
    pandas==1.5.2
        # via pandera
    pandera==0.13.4
        # via -r test.in
    pydantic==1.10.2
        # via pandera
    python-dateutil==2.8.2
        # via pandas
    pytz==2022.6
        # via pandas
    six==1.16.0
        # via python-dateutil
    typing-extensions==4.4.0
        # via
        #   pydantic
        #   typing-inspect
    typing-inspect==0.8.0
        # via pandera
    wrapt==1.14.1
        # via pandera
    

    Now to show the dev requirements:

    > cat test-dev.in
    -c test.txt
    
    safety
    

    And finally, attempt to lock that file:

    > pip-compile --no-emit-index-url --no-header --quiet --pip-args --no-input --resolver=legacy --output-file=test-dev.txt test-dev.in
    Could not find a version that matches packaging<22.0,==22.0,>=21.0 (from -c test.txt (line 7))
    Tried: 14.0, 14.0, 14.1, 14.1, 14.2, 14.2, 14.3, 14.3, 14.4, 14.4, 14.5, 14.5, 15.0, 15.0, 15.1, 15.1, 15.2, 15.2, 15.3, 15.3, 16.0, 16.0, 16.1, 16.1, 16.2, 16.2, 16.3, 16.3, 16.4, 16.4, 16.5, 16.5, 16.6, 16.6, 16.7, 16.7, 16.8, 16.8, 17.0, 17.0, 17.1, 17.1, 18.0, 18.0, 19.0, 19.0, 19.1, 19.1, 19.2, 19.2, 20.0, 20.0, 20.1, 20.1, 20.2, 20.2, 20.3, 20.3, 20.4, 20.4, 20.5, 20.5, 20.6, 20.6, 20.7, 20.7, 20.8, 20.8, 20.9, 20.9, 21.0, 21.0, 21.1, 21.1, 21.2, 21.2, 21.3, 21.3, 22.0, 22.0
    There are incompatible versions in the resolved dependencies:
      packaging==22.0 (from -c test.txt (line 7))
    

    I realize there are some pretty simple workarounds in this case, and we are investigating tools like pip-compile-multi to solve this problem more robustly with our internal tooling, but I just wanted to flag in case others do not have the luxury of dodging a specific version of packaging. It could be someone is reliant on a new feature. I also acknowledge that this new version of packaging is hot off the press, and will take time to onboard. Let me know if I can help, I really like this tool!

    enhancement 
    opened by dmaljovec 3
  • Resolve undefined names in util.py

    Resolve undefined names in util.py

    % flake8 . --count --select=E9,F63,F7,F82,Y --show-source --statistics

    ./safety/util.py:557:20: F821 undefined name 'Context'
            self, ctx: "Context", param: "Parameter", incomplete: str
                       ^
    ./safety/util.py:557:38: F821 undefined name 'Parameter'
            self, ctx: "Context", param: "Parameter", incomplete: str
                                         ^
    2     F821 undefined name 'Context'
    2
    

    https://click.palletsprojects.com/en/8.1.x/api/?highlight=parameter#click.Context https://click.palletsprojects.com/en/8.1.x/api/?highlight=parameter#click.Parameter

    opened by cclauss 0
  • Safety `--disable-telemetry` option does not appear to disable telemetry

    Safety `--disable-telemetry` option does not appear to disable telemetry

    • safety version: 2.0.0
    • Python version: 3.6
    • Operating System: ubuntu 18

    Description

    Safety --disable-telemetry option does not appear to disable telemetry

    What I Did

    We can see below safety is attempting to reach out to https://pyup.io/aws/safety/free/insecure.json?telemetry=%7B%22safety_version%22%3A+%222.0.0%22%7D despite --disable-telemetry flag passed in.

    (safety) [email protected]:~/workspace/Application_Testing/DataApi/PR-554$ safety --version
    safety, version 2.0.0
    (safety) [email protected]:~/workspace/Application_Testing/DataApi/PR-554$ safety --debug --disable-telemetry check -r requirements.txt
    2022-07-01 19:21:59,689 safety.cli => Telemetry enabled: False
    2022-07-01 19:21:59,690 safety.cli => Running check command
    2022-07-01 19:21:59,715 safety.cli => Not local DB used, Getting announcements
    2022-07-01 19:21:59,715 safety.safety => Getting announcements
    2022-07-01 19:21:59,715 safety.util => Telemetry body built: {'safety_version': '2.0.0'}
    2022-07-01 19:21:59,715 safety.safety => Telemetry body sent: {'safety_version': '2.0.0'}
    2022-07-01 19:21:59,717 urllib3.connectionpool => Starting new HTTPS connection (1): pyup.io:443
    2022-07-01 19:22:00,097 safety.safety => Unexpected but HANDLED Exception happened getting the announcements: HTTPSConnectionPool(host='pyup.io', port=443): Max retries exceeded with url: /api/v1/safety/announcements/ (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
    2022-07-01 19:22:00,098 safety.cli => Calling the check function
    2022-07-01 19:22:00,098 safety.util => Telemetry body built: {'safety_version': '2.0.0'}
    2022-07-01 19:22:00,099 urllib3.connectionpool => Starting new HTTPS connection (2): pyup.io:443
    2022-07-01 19:22:00,405 safety.cli => Expected SafetyError happened: Check your network connection, unable to reach the server
    Traceback (most recent call last):
      File "/var/lib/jenkins/workspace/Application_Testing/DataApi/PR-554/.tox/safety/lib/python3.6/site-packages/urllib3/connectionpool.py", line 710, in urlopen
        chunked=chunked,
      File "/var/lib/jenkins/workspace/Application_Testing/DataApi/PR-554/.tox/safety/lib/python3.6/site-packages/urllib3/connectionpool.py", line 386, in _make_request
        self._validate_conn(conn)
      File "/var/lib/jenkins/workspace/Application_Testing/DataApi/PR-554/.tox/safety/lib/python3.6/site-packages/urllib3/connectionpool.py", line 1040, in _validate_conn
        conn.connect()
      File "/var/lib/jenkins/workspace/Application_Testing/DataApi/PR-554/.tox/safety/lib/python3.6/site-packages/urllib3/connection.py", line 424, in connect
        tls_in_tls=tls_in_tls,
      File "/var/lib/jenkins/workspace/Application_Testing/DataApi/PR-554/.tox/safety/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 450, in ssl_wrap_socket
        sock, context, tls_in_tls, server_hostname=server_hostname
      File "/var/lib/jenkins/workspace/Application_Testing/DataApi/PR-554/.tox/safety/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
        return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
      File "/usr/lib/python3.6/ssl.py", line 407, in wrap_socket
        _context=self, _session=session)
      File "/usr/lib/python3.6/ssl.py", line 817, in __init__
        self.do_handshake()
      File "/usr/lib/python3.6/ssl.py", line 1077, in do_handshake
        self._sslobj.do_handshake()
      File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake
        self._sslobj.do_handshake()
    ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "/var/lib/jenkins/workspace/Application_Testing/DataApi/PR-554/.tox/safety/lib/python3.6/site-packages/requests/adapters.py", line 450, in send
        timeout=timeout
      File "/var/lib/jenkins/workspace/Application_Testing/DataApi/PR-554/.tox/safety/lib/python3.6/site-packages/urllib3/connectionpool.py", line 786, in urlopen
        method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
      File "/var/lib/jenkins/workspace/Application_Testing/DataApi/PR-554/.tox/safety/lib/python3.6/site-packages/urllib3/util/retry.py", line 592, in increment
        raise MaxRetryError(_pool, url, error or ResponseError(cause))
    urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='pyup.io', port=443): Max retries exceeded with url: /aws/safety/free/insecure.json?telemetry=%7B%22safety_version%22%3A+%222.0.0%22%7D (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "/var/lib/jenkins/workspace/Application_Testing/DataApi/PR-554/.tox/safety/lib/python3.6/site-packages/safety/safety.py", line 117, in fetch_database_url
        r = session.get(url=url, timeout=REQUEST_TIMEOUT, headers=headers, proxies=proxy, params=telemetry_data)
      File "/var/lib/jenkins/workspace/Application_Testing/DataApi/PR-554/.tox/safety/lib/python3.6/site-packages/requests/sessions.py", line 542, in get
        return self.request('GET', url, **kwargs)
      File "/var/lib/jenkins/workspace/Application_Testing/DataApi/PR-554/.tox/safety/lib/python3.6/site-packages/requests/sessions.py", line 529, in request
        resp = self.send(prep, **send_kwargs)
      File "/var/lib/jenkins/workspace/Application_Testing/DataApi/PR-554/.tox/safety/lib/python3.6/site-packages/requests/sessions.py", line 645, in send
        r = adapter.send(request, **kwargs)
      File "/var/lib/jenkins/workspace/Application_Testing/DataApi/PR-554/.tox/safety/lib/python3.6/site-packages/requests/adapters.py", line 517, in send
        raise SSLError(e, request=request)
    requests.exceptions.SSLError: HTTPSConnectionPool(host='pyup.io', port=443): Max retries exceeded with url: /aws/safety/free/insecure.json?telemetry=%7B%22safety_version%22%3A+%222.0.0%22%7D (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "/var/lib/jenkins/workspace/Application_Testing/DataApi/PR-554/.tox/safety/lib/python3.6/site-packages/safety/cli.py", line 114, in check
        params=params)
      File "/var/lib/jenkins/workspace/Application_Testing/DataApi/PR-554/.tox/safety/lib/python3.6/site-packages/safety/util.py", line 639, in new_func
        return f(*args, **kwargs)
      File "/var/lib/jenkins/workspace/Application_Testing/DataApi/PR-554/.tox/safety/lib/python3.6/site-packages/safety/safety.py", line 258, in check
        db = fetch_database(key=key, db=db_mirror, cached=cached, proxy=proxy, telemetry=telemetry)
      File "/var/lib/jenkins/workspace/Application_Testing/DataApi/PR-554/.tox/safety/lib/python3.6/site-packages/safety/safety.py", line 164, in fetch_database
        data = fetch_database_url(mirror, db_name=db_name, key=key, cached=cached, proxy=proxy, telemetry=telemetry)
      File "/var/lib/jenkins/workspace/Application_Testing/DataApi/PR-554/.tox/safety/lib/python3.6/site-packages/safety/safety.py", line 119, in fetch_database_url
        raise NetworkConnectionError()
    safety.errors.NetworkConnectionError: Check your network connection, unable to reach the server
    Check your network connection, unable to reach the server
    
    opened by hans2520 2
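A defender-side check for the report above, as an added example that is not part of safety or of the reporter's post: rather than trusting the "Telemetry enabled: False" line, scan the tool's own debug log for what was actually transmitted after the opt-out was recorded. The sample lines are trimmed from the log in the report; the finding labels and the `opt_out_honoured` helper are this example's own.

```python
"""Verify a telemetry opt-out from a debug log.

Added example, not part of the safety project: once a run records
'Telemetry enabled: False', any later line that reports a telemetry body
being sent, or a request URL carrying a telemetry query parameter, is a
finding. Sample lines are trimmed from the report above.
"""
import re
from urllib.parse import parse_qs, urlsplit

FLAG_RE = re.compile(r"Telemetry enabled: (True|False)")
SENT_RE = re.compile(r"Telemetry body sent: (.*)$")
URL_RE = re.compile(r"url: (\S+)")

# Sample log, trimmed from the report above (the SSLError detail is elided).
SAMPLE_LOG = """\
2022-07-01 19:21:59,689 safety.cli => Telemetry enabled: False
2022-07-01 19:21:59,690 safety.cli => Running check command
2022-07-01 19:21:59,715 safety.util => Telemetry body built: {'safety_version': '2.0.0'}
2022-07-01 19:21:59,715 safety.safety => Telemetry body sent: {'safety_version': '2.0.0'}
2022-07-01 19:22:00,405 safety.cli => Expected SafetyError happened: Check your network connection, unable to reach the server
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='pyup.io', port=443): Max retries exceeded with url: /aws/safety/free/insecure.json?telemetry=%7B%22safety_version%22%3A+%222.0.0%22%7D (Caused by SSLError(...))
"""


def audit_telemetry_log(text):
    """Return (line_number, kind, payload) for each telemetry transmission
    observed after the log declared telemetry disabled."""
    opted_out = False
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FLAG_RE.search(line)
        if m:
            opted_out = m.group(1) == "False"
            continue
        if not opted_out:
            continue  # nothing to enforce until an opt-out is recorded
        m = SENT_RE.search(line)
        if m:
            findings.append((lineno, "telemetry body sent", m.group(1).strip()))
        m = URL_RE.search(line)
        if m:
            # parse_qs percent-decodes values, so the payload is readable.
            query = parse_qs(urlsplit(m.group(1)).query)
            if "telemetry" in query:
                findings.append((lineno, "telemetry query parameter", query["telemetry"][0]))
    return findings


def opt_out_honoured(text):
    """CI-friendly wrapper: True only when no transmission was observed."""
    return not audit_telemetry_log(text)


if __name__ == "__main__":
    for finding in audit_telemetry_log(SAMPLE_LOG):
        print(finding)
    print("opt-out honoured:", opt_out_honoured(SAMPLE_LOG))
```

Run against the sample, the checker reports both the "Telemetry body sent" line and the decoded `telemetry` query parameter in the failing request URL, which is the evidence the report is based on; the same scan can gate a CI job on `opt_out_honoured` for any tool that claims an opt-out.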
  • Using local repository

    Using local repository

    • safety version: latest
    • Python version: 3.7
    • Operating System: alpine docker

    Description

    I have a local pypi repository, can I use it offline when working with safety?

    What I Did

    offline runner: `Connection to pypi.org timed out. (connect timeout=15)')': /simple/safety/`
    
    opened by itsecforu 0
  • Build and release an arm64 version of safety

    Build and release an arm64 version of safety

    • safety version: 1.10.3
    • Python version: Any
    • Operating System: Mac and Linux

    Description

    I would like to get a native build of safety for the arm64/aarch64 architecture and the Mac and Linux OSs.

    But the current releases are only for the amd64/x86_64 architectures.

    hadolint/hadolint#411 has some possibly relevant discussions.

    opened by proinsias 0
Releases(2.3.5)