https://github.com/pypa/pipenv/blob/master/pipenv/patched/safety/safety.py :
def write_to_cache(db_name, data):
# cache is in: ~/safety/cache.json
# ...
def fetch_database(...)
On Tuesday, February 12, 2019, Wes Turner <wes.tur...@gmail.com> wrote:
> Good call. I didn't realize that that's how safety works.
>
> Is this the same data that pipenv/safety retrieves from pyup?
> https://github.com/pyupio/safety-db/blob/master/data/insecure_full.json
>
> https://pipenv.readthedocs.io/en/latest/advanced/#detection-
> of-security-vulnerabilities :
>
> > Note
> > In order to enable this functionality while maintaining its permissive
> copyright license, pipenv embeds an API client key for the backend Safety
> API operated by pyup.io rather than including a full copy of the
> CC-BY-NC-SA licensed Safety-DB database. This embedded client key is shared
> across all pipenv check users, and hence will be subject to API access
> throttling based on overall usage rather than individual client usage.
> >
> > You can also use your own safety API key by setting the environment
> variable PIPENV_PYUP_API_KEY.
>
> https://github.com/pypa/pipenv/blob/master/pipenv/patched/safety/cli.py
> vulns = safety.check(packages=packages, key=key, db_mirror=db,
> cached=cache, ignore_ids=ignore)
>
> https://github.com/pypa/pipenv/blob/master/tasks/vendoring/__init__.py
> def update_safety
>
> On Monday, February 11, 2019, Tzu-ping Chung <uranu...@gmail.com> wrote:
>
>> One way to avoid disclosing user environments to a third party is to
>> build this into PyPI instead. The API could generate the warning for pip to
>> display.
>>
>> This only covers packages on PyPI, of course, but trying to audit local
>> and self-hosted packages is is a fools errand anyway IMO since there is no
>> practical way for any tool to reliably know what *actually* is installed.
>>
>> --
>> Tzu-ping Chung (@uranusjr)
>> uranu...@gmail.com
>> Sent from my iPhone
>>
>> On 12 Feb 2019, at 11:34, Wes Turner <wes.tur...@gmail.com> wrote:
>>
>> Would something like this require:
>>
>> - a pip extension/plugin/post-install hook API
>> - a post-install hook that discloses all installed packages and versions
>> (from pypi.org, mirrors, local directory) in exchange for checking and
>> online security DB
>> - a way to specify a key to e.g. pyup
>>
>> GItHub and GitLab offer similar functionality:
>>
>> https://github.blog/2018-07-12-security-vulnerability-alerts-for-python/
>> https://help.github.com/articles/about-security-alerts-
>> for-vulnerable-dependencies/
>>
>> https://docs.gitlab.com/ee/user/project/merge_requests/depen
>> dency_scanning.html
>> https://gitlab.com/gitlab-org/security-products/dependency-s
>> canning#supported-languages-and-package-managers
>>
>> https://pyup.io
>>
>> https://github.com/pyupio/safety-db
>>
>> > pipenv check relies on safety and Safety-DB to check for known
>> vulnerabilities in locked components
>>
>>
>> On Monday, February 11, 2019, Julian Berman <jul...@grayvines.com> wrote:
>>
>>> Hi.
>>>
>>> I recently found myself installing a node.js package, and in the process
>>> noticed that (sometime recently?) it started automatically warning about
>>> known vulnerabilities during installation of package.jsons (see
>>> https://docs.npmjs.com/cli/audit).
>>>
>>> At work, we run safety (https://pypi.org/project/safety/) on all our
>>> projects (which has both free and paid versions). It's great.
>>>
>>> I know there's a ton of wonderful work happening at the minute to
>>> improve underlying scaffolding + specification to enable tools other than
>>> setuptools + pip to thrive, so maybe this is the wrong moment, but I
>>> figured I'd ask anyways :) -- what are opinions on running a similar thing
>>> during pip install?
>>>
>>> -J
>>>
>> --
>> Distutils-SIG mailing list -- distutils-sig@python.org
>> To unsubscribe send an email to distutils-sig-le...@python.org
>> https://mail.python.org/mailman3/lists/distutils-sig.python.org/
>> Message archived at https://mail.python.org/archiv
>> es/list/distutils-sig@python.org/message/GSTL47B4CREYHKOS5I
>> 47WOPQURBKTOAY/
>>
>>
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at
https://mail.python.org/archives/list/distutils-sig@python.org/message/ZOB7CT4HI6VTG7KWP2TFH63Z6VWZBCZX/
