Security-constraints is a command-line application used to fetch security vulnerabilities in Python packages from external sources and from them generate version constraints for the packages.
The constraints can then be given to pip install with the -c option,
either on the command line or in a requirements file.
Just install it with pip:
pip install security-constraintsThe environment variable SC_GITHUB_TOKEN needs to be set
to a valid GitHub token which provides read access to public
repositories. This is needed in order to access GitHub Security
Advisory. Once this is set, you can simply run the program to
output safe pip constraints to stdout.
>security-constraints
# Generated by security-constraints 1.0.0 on 2022-11-04T08:33:54.523625Z
# Data sources: Github Security Advisory
# Configuration: {'ignore_ids': [], 'min_severity': 'CRITICAL'}
...
vncauthproxy>=1.2.0 # CVE-2022-36436 (ID: GHSA-237r-mx84-7x8c)
waitress!=1.4.2 # CVE-2020-5236 (ID: GHSA-73m2-3pwg-5fgc)
waitress>=1.4.0 # GHSA-4ppp-gpcr-7qf6 (ID: GHSA-4ppp-gpcr-7qf6)
ymlref>0.1.1 # CVE-2018-20133 (ID: GHSA-8r8j-xvfj-36f9)
>You can use --output to instead output to a file.
>security-constraints --output constraints.txt
>cat constraints.txt
# Generated by security-constraints 1.0.0 on 2022-11-04T08:33:54.523625Z
# Data sources: Github Security Advisory
# Configuration: {'ignore_ids': [], 'min_severity': 'CRITICAL'}
...
vncauthproxy>=1.2.0 # CVE-2022-36436 (ID: GHSA-237r-mx84-7x8c)
waitress!=1.4.2 # CVE-2020-5236 (ID: GHSA-73m2-3pwg-5fgc)
waitress>=1.4.0 # GHSA-4ppp-gpcr-7qf6 (ID: GHSA-4ppp-gpcr-7qf6)
ymlref>0.1.1 # CVE-2018-20133 (ID: GHSA-8r8j-xvfj-36f9)
>You can provide a space-separated list of IDs of vulnerabilities that
should be ignored. The IDs in question are those that appear in after
ID: in the comments in the output.
>security-constraints --ignore-ids GHSA-4ppp-gpcr-7qf6 GHSA-8r8j-xvfj-36f9
# Generated by security-constraints 1.0.0 on 2022-11-04T08:33:54.523625Z
# Data sources: Github Security Advisory
# Configuration: {'ignore_ids': ['GHSA-4ppp-gpcr-7qf6', 'GHSA-8r8j-xvfj-36f9'], 'min_severity': 'CRITICAL'}
...
vncauthproxy>=1.2.0 # CVE-2022-36436 (ID: GHSA-237r-mx84-7x8c)
waitress!=1.4.2 # CVE-2020-5236 (ID: GHSA-73m2-3pwg-5fgc)
>The IDs to ignore can also be given in a configuration file using --config.
To create an initial configuration file, you can use --dump-config. This
will dump the current configuration (including any --ignore-ids passed) to
stdout and then exit. You can redirect this into a file to create an
initial configuration file. The configuration file is in yaml format.
>security-constraints --ignore-ids GHSA-4ppp-gpcr-7qf6 GHSA-8r8j-xvfj-36f9 --dump-config > sc_config.yaml
>cat sc_config.yaml
ignore_ids:
- GHSA-4ppp-gpcr-7qf6
- GHSA-8r8j-xvfj-36f9
min_severity: CRITICAL
>security-constraints --config sc_config.yaml
# Generated by security-constraints 1.0.0 on 2022-11-04T08:33:54.523625Z
# Data sources: Github Security Advisory
# Configuration: {'ignore_ids': ['GHSA-4ppp-gpcr-7qf6', 'GHSA-8r8j-xvfj-36f9'], 'min_severity': 'CRITICAL'}
...
vncauthproxy>=1.2.0 # CVE-2022-36436 (ID: GHSA-237r-mx84-7x8c)
waitress!=1.4.2 # CVE-2020-5236 (ID: GHSA-73m2-3pwg-5fgc)
>By default, security-constraints fetches all security vulnerabilities with
severity "CRITICAL" or higher (as understood by Github Security Advisory).
The minimum severity can be configured using the option --min-severity or
by setting min_severity in the config file (if both are set, their common
minimum will be used).
>security-constraints --min-severity highPull requests as well as new issues are welcome.
