I reviewed flexparser 0.4-1 as checked into plucky. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
flexparser is a parser written in Python. Users must write their own
classes for every type of content they want to parse and implement
the from_string method.
- CVE History
  - no CVE has been reported to this project
- Build-Depends
  - debhelper-compat (= 13),
  - dh-sequence-python3,
  - pybuild-plugin-pyproject,
  - python3-all,
  - python3-pytest <!nocheck>,
  - python3-pytest-mpl <!nocheck>,
  - python3-pytest-subtests <!nocheck>,
  - python3-setuptools,
  - python3-setuptools-scm,
  - python3-typing-extensions,
- pre/post inst/rm scripts
  - normal dh-python
- init scripts
  - none
- systemd units
  - none
- dbus services
  - none
- setuid binaries
  - none
- binaries in PATH
  - none
- sudo fragments
  - none
- polkit files
  - none
- udev rules
  - none
- unit tests / autopkgtests
  - the package has a testsuite which runs when building and has autopkgtests.
- cron jobs
  - none
- Build logs
  - none
- Processes spawned
  - none
- Memory management
  - none
- File IO
  - they open files in read mode and with context managers that will ensure the
    files will close.
- Logging
  - they only have one warning with a fixed message.
- Environment variable usage
  - none
- Use of privileged functions
  - none
- Use of cryptography / random number sources etc
  - it only uses hashing algorithms, but not for cryptographic purposes.
- Use of temp files
  - none
- Use of networking
  - none
- Use of WebKit
  - none
- Use of PolicyKit
  - none
- Any significant cppcheck results
  - none
- Any significant Coverity results
  - none
- Any significant shellcheck results
  - none
- Any significant bandit results
  - none
- Any significant govulncheck results
  - none
- Any significant Semgrep results
  - none
flexparser is a relatively new project. The upstream maintainer is the same
as for python-pint.
Although not many issues have been reported, all reported issues are closed
and they replied in a timely manner.
They don't have a SECURITY.md in their project. I contacted Upstream and asked
if they could add one.
This parser relies on user-defined classes that should inherit from the class
ParsedStatement. When invoking the parser, you must pass a file to parse and
the classes that define how you want to parse it. The parser will then
construct those classes, meaning that their __init__ will be called.
However, this is not like "pickle", where the software will blindly construct
objects from a string. In this software, you need to define a class and pass
it on to the parser.
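As an added illustration (not flexparser's own code or API), a minimal parser in the style described above: the caller supplies ParsedStatement subclasses that implement from_string, and the parser only ever instantiates those classes, so the input text can never name a type to construct. The class names, parse_lines/parse_file and the sample input are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ParsedStatement:
    """Base for caller-defined statement types (a stand-in, not flexparser's own)."""
    @classmethod
    def from_string(cls, s):
        raise NotImplementedError

@dataclass(frozen=True)
class Assignment(ParsedStatement):
    name: str
    value: str
    @classmethod
    def from_string(cls, s):
        # Accept only "key = value" lines; anything else is not ours.
        name, sep, value = (p.strip() for p in s.partition("="))
        return cls(name, value) if sep and name else None

@dataclass(frozen=True)
class Comment(ParsedStatement):
    text: str
    @classmethod
    def from_string(cls, s):
        return cls(s[1:].strip()) if s.startswith("#") else None

def parse_lines(lines, spec):
    """Offer each non-empty line to the caller-supplied classes in `spec`.
    The text never names a class to build (unlike pickle): only types in
    `spec` are instantiated; lines nobody accepts come back as `unknown`."""
    statements, unknown = [], []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line:
            continue
        stmt = next((s for s in (c.from_string(line) for c in spec) if s), None)
        if stmt is None:
            unknown.append((lineno, line))
        else:
            statements.append(stmt)
    return statements, unknown

def parse_file(path, spec):
    # Read-only, context-managed open, the File IO pattern the review notes.
    with open(path, encoding="utf-8") as fh:
        return parse_lines(fh, spec)

# Constructed sample input; line 3 matches no class and is reported, not executed.
SAMPLE = "# units file\nmeter = m\nunexpected directive\n"
```

Calling `parse_lines(SAMPLE.splitlines(), [Comment, Assignment])` yields a Comment and an Assignment plus the unrecognised third line in `unknown`, which the caller decides how to handle.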
Security team ACK for promoting flexparser to main.
** Changed in: flexparser (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
https://bugs.launchpad.net/bugs/2089037
Title:
[MIR] flexparser