
Vulnerable Method detection now available on SourceClear for Python projects - briandoll
https://blog.sourceclear.com/python-vulnerable-methods/
======
joejev
What does vulnerable mean in this context? Methods which forward input in a
way that unlocks arbitrary code execution?

~~~
briandoll
SourceClear identifies libraries you use that have security vulnerabilities in
them. We also do the extra work to find which methods in those libraries are
the vulnerable methods.

When you scan your Python projects now, we can actually tell you if you have a
call chain to those particular methods in the vulnerable library or not.

Most security tools aim to scare people about the sky falling. Here we're
taking a saner approach and letting you know if you're directly impacted by a
vulnerability or not, so you can update at a more leisurely pace.
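An added illustration of the call-chain check described in the comment above (example code, not SourceClear's own implementation): it builds a call graph over a constructed sample project with Python's `ast` module and searches for a path from an entry point to a hypothetical vulnerable library method, `vulnlib.unsafe_load`. Only project-local functions are followed, so a match means your code really reaches the flagged method rather than merely importing the library.

```python
import ast
from collections import deque

# Constructed sample project; "vulnlib.unsafe_load" is a hypothetical vulnerable method.
SAMPLE_SOURCE = '''
import vulnlib
def parse_config(text):
    return vulnlib.unsafe_load(text)
def load_settings(path):
    return parse_config(open(path).read())
def render(page):
    return page.upper()
def main():
    load_settings("settings.yml")
'''

def _dotted_name(expr):
    """Turn a call target AST node into 'a.b.c' (or None if it is not a plain name)."""
    if isinstance(expr, ast.Name):
        return expr.id
    if isinstance(expr, ast.Attribute):
        base = _dotted_name(expr.value)
        return f"{base}.{expr.attr}" if base else None
    return None

def build_call_graph(source):
    """Map each top-level function to the set of names it calls (direct edges only)."""
    graph = {}
    for node in ast.parse(source).body:
        if isinstance(node, ast.FunctionDef):
            calls = {_dotted_name(c.func) for c in ast.walk(node) if isinstance(c, ast.Call)}
            graph[node.name] = calls - {None}
    return graph

def call_chain(graph, entry, target):
    """Breadth-first search from entry; return the first chain reaching target, else None."""
    queue, seen = deque([[entry]]), {entry}
    while queue:
        path = queue.popleft()
        for callee in graph.get(path[-1], ()):
            if callee == target:
                return path + [callee]
            if callee in graph and callee not in seen:  # only follow project-local functions
                seen.add(callee)
                queue.append(path + [callee])
    return None

if __name__ == "__main__":
    print(call_chain(build_call_graph(SAMPLE_SOURCE), "main", "vulnlib.unsafe_load"))
```

A real scanner would resolve imports across modules and handle aliases, decorators and dynamic dispatch; this single-module version shows the reachability idea only.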

~~~
joejev
What is a security vulnerability in a library here? Do you mean something like
using `numpy.frombuffer` to mutate strings in place, or using
`numpy.lib.stride_tricks` to access invalid addresses?

Maybe this is something like function calls which use improper SQL escaping?
I am not sure what is being detected.

~~~
briandoll
A specific disclosed vulnerability found in an open source library. As you
might guess, most folks don't file CVEs
([https://cve.mitre.org/](https://cve.mitre.org/)). Our research team
maintains a database of vulnerabilities that includes published CVEs, but also
includes vulnerabilities we've identified.

Here's an example of some vulnerabilities that we discovered, disclosed, and
now have in our database:
[https://blog.sourceclear.com/copy-paste-vulnerability-disclosure/](https://blog.sourceclear.com/copy-paste-vulnerability-disclosure/)

The full vulnerability database is online here:
[https://www.sourceclear.com/registry/explore](https://www.sourceclear.com/registry/explore)
