[Security-sig] HTML page of Python security vulnerabilities

Steve Dower steve.dower at python.org
Sat Feb 18 11:15:21 EST 2017


I would find it useful at work. My colleagues seem to like the idea of searching the CVE database for "python" and then blaming them all on the language when 99% are in applications. Having a more accurate page to point them to would be good.

I'm sure others would find value in being able to easily minimize upgrades or identify patches, but that doesn't really bother me.

But please, automate it as much as you possibly can :) . Last thing I want is for you or anyone else to have to update it manually, not least because that guarantees it'll become outdated.

Cheers,
Steve

Top-posted from my Windows Phone

-----Original Message-----
From: "Victor Stinner" <victor.stinner at gmail.com>
Sent: 2/17/2017 16:28
To: "os.urandom rehab clinic" <security-sig at python.org>
Subject: [Security-sig] HTML page of Python security vulnerabilities

Hi,

I wrote a tool to generate an HTML report on Python security
vulnerabilities. It takes the following YAML file as input:
https://github.com/haypo/python-security/blob/master/vulnerabilities.yml

And Python release dates, a file written manually from Misc/NEWS:
https://github.com/haypo/python-security/blob/master/python_releases.txt

The output is the HTML page:
http://python-security.readthedocs.io/en/latest/vulnerabilities.html

For each vulnerability, you have a description and a list of links.
From a list of commits, the tool computes the fixed Python and the
number of days Python was vulnerable.

Can you please check data of my two input files?

What do you think of the page? Is it useful?

TODO:

* fix render_doc.py to support multiple lines in the table
* add title to links
* find the YAML syntax for "Issue #26657" :-) Currently, #xxx is ignored
since it's seen as a comment
* maybe document in the YAML file how the Disclosure date was chosen

Maybe I should add a "vulnerable" column to list Python versions which
are vulnerable.

If you consider the data useful and the data are double checked, the
next step will be to announce it.

Later, I plan to slowly fill vulnerabilities.yml with recent
vulnerabilities, and then with older vulnerabilities.

FYI a few months ago, I generated the page manually, but I quickly
realized that it's painful to compute all the data and also to maintain
such a list manually. My old page:
http://haypo-notes.readthedocs.io/python_security.html

Victor
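The computation Victor describes (for each branch, the first release carrying the fix and the number of days between disclosure and that release), as an added example that is not part of this thread or of the python-security project. The release table layout, the record schema, the versions and the dates are all constructed; a branch with no release after its fix commit is reported as still unfixed.

```python
from datetime import date

# Constructed release table (assumed "version YYYY-MM-DD" layout, in the
# spirit of python_releases.txt); these versions and dates are illustrative.
RELEASES_TXT = """\
3.5.2 2016-06-27
3.5.3 2017-01-17
3.6.0 2016-12-23
3.6.1 2017-03-21
2.7.13 2016-12-17
2.7.14 2017-09-16
"""

# Constructed vulnerability record (assumed schema, not vulnerabilities.yml):
# one fix commit per branch, tagged with the branch and the commit date.
VULN = {
    "name": "example-vuln (constructed)",
    "disclosure": date(2016, 11, 1),
    "fixes": [
        {"branch": "3.5", "date": date(2016, 12, 1)},
        {"branch": "3.6", "date": date(2017, 1, 5)},
        {"branch": "2.7", "date": date(2016, 12, 2)},
        {"branch": "3.7", "date": date(2017, 1, 20)},  # no 3.7 release yet
    ],
}

def parse_releases(text):
    """Parse 'version YYYY-MM-DD' lines into {version: date}; skip blanks/comments."""
    releases = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            version, day = line.split()
            releases[version] = date.fromisoformat(day)
    return releases

def version_key(version):
    return tuple(int(part) for part in version.split("."))

def first_fixed_release(releases, branch, fix_date):
    """Lowest release of `branch` dated on/after the fix commit (assumes a
    same-day release includes the commit), or None if none exists yet."""
    candidates = [(version_key(v), v) for v, d in releases.items()
                  if v.startswith(branch + ".") and d >= fix_date]
    return min(candidates)[1] if candidates else None

def vulnerability_report(vuln, releases):
    """Per branch: first fixed release and days from disclosure to it."""
    report = {}
    for fix in vuln["fixes"]:
        fixed = first_fixed_release(releases, fix["branch"], fix["date"])
        days = (releases[fixed] - vuln["disclosure"]).days if fixed else None
        report[fix["branch"]] = {"fixed_in": fixed, "days_vulnerable": days}
    return report

if __name__ == "__main__":
    for branch, row in vulnerability_report(VULN, parse_releases(RELEASES_TXT)).items():
        print(branch, row)
```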