
Show HN: A curated list of insecure Python packages - jayfk
https://github.com/pyupio/safety-db
======
eganist
Can you get in touch with the guys at OWASP Dependency Check? It's one of
their more mature projects, and it essentially does a lot of what you
described and then some, including for Python projects.

[https://www.owasp.org/index.php/OWASP_Dependency_Check](https://www.owasp.org/index.php/OWASP_Dependency_Check)

I can make a connection between you and Jeremy Long (head of the project) if
you'd like. He's also on Twitter as @ctxt.

------
jacknews
Just a single wrong character can really ruin a package

------
SubiculumCode
HN title contains a misspelling: insucure should be insecure

Unless insucure is a Python package I do not know about.

------
pekk
What standard are you applying to distinguish "insecure" from "secure"?

------
svisser
This can detect when a CVE vulnerability is fixed but how would you know the
version number at which it was introduced?

~~~
jayfk
Most CVEs have pretty good descriptions. For example CVE-2016-6186[1]:

Cross-site scripting (XSS) vulnerability in the
dismissChangeRelatedObjectPopup function in
contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before
1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers
to inject arbitrary web script or HTML via vectors involving unsafe usage of
Element.innerHTML.

[1]
[http://www.cvedetails.com/cve/CVE-2016-6186/](http://www.cvedetails.com/cve/CVE-2016-6186/)

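Turning a description like the one quoted above into something a checker can use means writing each affected branch as a version range and comparing pinned versions against it. The following is an added example, not code from safety-db: the ranges for CVE-2016-6186 are constructed from the quoted text, the version parser is a small PEP 440 subset (release numbers plus a/b/rc pre-releases), and the sample database and requirements lines are made up for the demonstration.

```python
import re

# Constructed from the quoted CVE-2016-6186 text ("Django before 1.8.14, 1.9.x
# before 1.9.8, and 1.10.x before 1.10rc1"): one (lower-inclusive,
# upper-exclusive) pair per affected branch. The 1.10 pre-releases (1.10a1,
# 1.10b1) are what "1.10.x before 1.10rc1" refers to. Not safety-db's own format.
CVE_2016_6186_RANGES = [(None, "1.8.14"), ("1.9", "1.9.8"), ("1.10a1", "1.10rc1")]

# Constructed sample table: package name -> [(advisory id, ranges)].
SAFETY_DB_SAMPLE = {"django": [("CVE-2016-6186", CVE_2016_6186_RANGES)]}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}  # alpha < beta < rc < final (rank 3)


def parse_version(text):
    """Return a comparable key (release, pre_rank, pre_num). Releases are padded
    to three parts so 1.10 == 1.10.0; a final release sorts above its pre-releases."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (3 - len(release))
    if m.group(2):
        return release, _PRE_RANK[m.group(2)], int(m.group(3))
    return release, 3, 0


def is_vulnerable(version, ranges):
    """True if version falls inside any [lower, upper) range; lower may be None."""
    v = parse_version(version)
    for lower, upper in ranges:
        if lower is not None and v < parse_version(lower):
            continue
        if v < parse_version(upper):
            return True
    return False


def check_requirements(requirements, db):
    """Scan pinned 'name==version' lines and return (name, version, advisory) hits."""
    findings = []
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if "==" not in line:
            continue  # only exact pins can be checked against a range
        name, version = (s.strip() for s in line.split("==", 1))
        for advisory, ranges in db.get(name.lower(), []):
            if is_vulnerable(version, ranges):
                findings.append((name, version, advisory))
    return findings
```

Unpinned specifiers such as `Django>=1.9` are skipped rather than guessed at, since the installed version is what decides exposure.
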
------
Twirrim
It doesn't seem to be loading all the data when you browse the "human" site.
Stops at ftw.mail (if there's a way to go on to the next page, it isn't
obvious)

------
daveguy
This is _awesome_. What a great service! Just curious, what stack did you use
for the human browsable site and database? I am looking for a quick data
reporting stack like this that is hopefully easy to set up in Python. Any
advice?

~~~
jayfk
I wouldn't call it a stack, really. It's just a little bit of jQuery-flavored
JavaScript that loads the DB via ajax and adds all entries to the DOM. Under
30 LOC: [https://github.com/pyupio/safety-db/blob/master/docs/index.h...](https://github.com/pyupio/safety-db/blob/master/docs/index.html#L67)

It's a bit dirty, but was the right tool for the job. If you are working on a
larger project, I'd probably use some template language like mustache to
render the elements.

------
vinayan3
Really cool stuff. I love it! Thank you for making this.

A side note: anyone using Django should keep up to date. If you see the list of
versions and the related packages which have known vulnerabilities, you will
realize keeping up to date is critical.

------
x1798DE
Is the backend getting hammered? [https://pyupio.github.io/safety-db](https://pyupio.github.io/safety-db) is just looping a loading animation.

~~~
jayfk
The site is loading the data directly from the repo. Maybe HN has triggered
some abuse mechanism.

Edit: Switched to S3 to load the data.

