Hi,

I wrote a tool to generate an HTML report on Python security
vulnerabilities. It takes the following YAML file as input:
https://github.com/haypo/python-security/blob/master/vulnerabilities.yml

And Python release dates, file written manually from Misc/NEWS:
https://github.com/haypo/python-security/blob/master/python_releases.txt

The output is the HTML page:
http://python-security.readthedocs.io/en/latest/vulnerabilities.html

For each vulnerability, you have a description and a list of links.
>From a list of commits, the tool computes the fixed Python and the
number of days Python was vulnerable.

Can you please check data of my two input files?

What do you think of the page? Is it useful?

TODO:

* fix render_doc.py to support multiple lines in the table
* add title to links
* find the YAML syntax for "Issue #26657" :-) Current, #xxx is ignored
since it's seen as a comment
* maybe document in the YAML file how the Disclosure date was chosen

Maybe I should add a "vulnerable" column to list Python versions which
are vulnerable.

If you consider the data useful and the data are double checked, the
next step will to announce it.

Later, I plan to slowly fill vulnerabilities.yml with recent
vulnerabilities, and then with older vulnerabilities.

FYI a few months ago, I generated the page manually, but quickly I
realized that it's painful to compute all data and also to maintain
manually such list. My old page:
http://haypo-notes.readthedocs.io/python_security.html

Victor
_______________________________________________
Security-SIG mailing list
Security-SIG@python.org
https://mail.python.org/mailman/listinfo/security-sig