I would find it useful at work. My colleagues seem to like the idea of searching the CVE database for "python" and then blaming them all on the language when 99% are in applications. Having a more accurate page to point them to would be good.
I'm sure others would find value in being able to easily minimize upgrades or identify patches, but that doesn't really bother me. But please, automate it as much as you possibly can :) . Last thing I want is for you or anyone else to have to update it manually, not least because that guarantees it'll become outdated. Cheers, Steve Top-posted from my Windows Phone -----Original Message----- From: "Victor Stinner" <victor.stin...@gmail.com> Sent: 2/17/2017 16:28 To: "os.urandom rehab clinic" <security-sig@python.org> Subject: [Security-sig] HTML page of Python security vulnerabilities Hi, I wrote a tool to generate an HTML report on Python security vulnerabilities. It takes the following YAML file as input: https://github.com/haypo/python-security/blob/master/vulnerabilities.yml And Python release dates, file written manually from Misc/NEWS: https://github.com/haypo/python-security/blob/master/python_releases.txt The output is the HTML page: http://python-security.readthedocs.io/en/latest/vulnerabilities.html For each vulnerability, you have a description and a list of links. >From a list of commits, the tool computes the fixed Python and the number of days Python was vulnerable. Can you please check data of my two input files? What do you think of the page? Is it useful? TODO: * fix render_doc.py to support multiple lines in the table * add title to links * find the YAML syntax for "Issue #26657" :-) Current, #xxx is ignored since it's seen as a comment * maybe document in the YAML file how the Disclosure date was chosen Maybe I should add a "vulnerable" column to list Python versions which are vulnerable. If you consider the data useful and the data are double checked, the next step will to announce it. Later, I plan to slowly fill vulnerabilities.yml with recent vulnerabilities, and then with older vulnerabilities. FYI a few months ago, I generated the page manually, but quickly I realized that it's painful to compute all data and also to maintain manually such list. My old page: http://haypo-notes.readthedocs.io/python_security.html Victor _______________________________________________ Security-SIG mailing list Security-SIG@python.org https://mail.python.org/mailman/listinfo/security-sig
_______________________________________________ Security-SIG mailing list Security-SIG@python.org https://mail.python.org/mailman/listinfo/security-sig
