Finding vulnerable dependencies

Safety-db is a database that keeps track of vulnerable python packages and version information. It is updated once a month. They also provide a tool called safety, that checks if the installed packages or packages in requirements.txt are identified as vulnerable using the safety-db.

  • Install safety

    1

    pip install safety

  • Use safety to check all packages in the current virtual enviroment

    1

    safety check

  • Use safety to only check the dependencies listed in requirements.txt file

    1

    safety check -r requirements.txt

Safety shows a list of python packages that have a known vulnerability.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

+==============================================================================+
|                                                                              |
|                               /$$$$$$            /$$                         |
|                              /$$__  $$          | $$                         |
|           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
|          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
|         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
|          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
|          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
|         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
|                                                          /$$  | $$           |
|                                                         |  $$$$$$/           |
|  by pyup.io                                              \______/            |
|                                                                              |
+==============================================================================+
| REPORT                                                                       |
| checked 63 packages, using free DB (updated once a month)                    |
+============================+===========+==========================+==========+
| package                    | installed | affected                 | ID       |
+============================+===========+==========================+==========+
| pillow                     | 8.3.1     | >=5.2.0,<8.3.2           | 41271    |
| pillow                     | 8.3.1     | >=7.1.0,<8.3.2           | 41277    |
| pip                        | 20.3.4    | <21.1                    | 40291    |
+==============================================================================+

Updating dependencies

To update the dependencies we can use the pip-upgrade tool. pip-upgrade updates the dependency package to the latest version and also updates the requirements.txt file.

  • Install pip-upgrader

    1

    pip install pip-upgrader

  • Use pip-upgrader on a requirements.txt file

    1

    pip-upgrade requirements.txt

    If the requirements.txt file is not provided, it expects to find it in the current directory.

  • Use pip-upgrader to update a specific package

    1

    pip-upgrade requirements.txt -p pillow

Check for regressions

Newer versions of dependencies may change the API that the application uses. So when updating dependencies, It is always a good idea to check if the application works correctly with the updated packages.

References