[Security-sig] HTML page of Python security vulnerabilities
Victor Stinner
victor.stinner at gmail.com
Fri Feb 17 19:27:24 EST 2017
Hi,
I wrote a tool to generate an HTML report on Python security
vulnerabilities. It takes the following YAML file as input:
https://github.com/haypo/python-security/blob/master/vulnerabilities.yml
And Python release dates, file written manually from Misc/NEWS:
https://github.com/haypo/python-security/blob/master/python_releases.txt
The output is the HTML page:
http://python-security.readthedocs.io/en/latest/vulnerabilities.html
For each vulnerability, you have a description and a list of links.
>From a list of commits, the tool computes the fixed Python and the
number of days Python was vulnerable.
Can you please check data of my two input files?
What do you think of the page? Is it useful?
TODO:
* fix render_doc.py to support multiple lines in the table
* add title to links
* find the YAML syntax for "Issue #26657" :-) Current, #xxx is ignored
since it's seen as a comment
* maybe document in the YAML file how the Disclosure date was chosen
Maybe I should add a "vulnerable" column to list Python versions which
are vulnerable.
If you consider the data useful and the data are double checked, the
next step will to announce it.
Later, I plan to slowly fill vulnerabilities.yml with recent
vulnerabilities, and then with older vulnerabilities.
FYI a few months ago, I generated the page manually, but quickly I
realized that it's painful to compute all data and also to maintain
manually such list. My old page:
http://haypo-notes.readthedocs.io/python_security.html
Victor
More information about the Security-SIG
mailing list