‘Good initial results’, says one early adopter

Pip-audit: Google-backed tool probes Python environments for vulnerable packages

UPDATED A tool has been launched with support from Google that scans Python environments for packages with known vulnerabilities.

‘Pip-audit’ leverages the PyPI JSON API to compare dependencies against the Python Packaging Advisory Database – a repository of security advisories that in turn collects much of its data from the NVD CVE feed.

Users can alternatively audit dependencies against the Open Source Vulnerabilities (OSV) database.

RELATED Dependency confusion attack mounted via PyPi repo exposes flawed package installer behavior

Dependencies can be audited with system packages included or excluded from the scan, with or without CVE descriptions, and for a given requirements file.

Scan results, which can be presented in JSON format, include package names, version IDs, fixed versions, and CVE descriptions.

The project was developed by William Woodruff and Alex Cameron of Trail of Bits, a New York-based cybersecurity company, with funding from Google and support from Dustin Ingram, senior developer advocate at Google.

Pip-audit 1.0.0 was launched on Wednesday (December 1).

No strings attached

The tool is not the only application that scans for flaws in Python environments, with existing alternatives including Safety, Snyk for Python, GitHub’s Dependabot, and OWASP Dependency Check.

Woodruff, the project lead, told The Daily Swig: “We wanted to build a tool that didn’t have any financial or licensing strings attached. Snyk and Safety are wonderful additions to the security ecosystem, but both require some level of paid subscription for their functionality (e.g. access to Safety’s more complete private vulnerability DB).”

They also “wanted something that works well for both humans and machines: a lot of tools (like Dependabot, which is also great) lock tightly into either user or automated workflows”.

Moreover, they wanted pip-audit to eventually be integrated into ‘pip’ itself. “Pip’s support guarantees (e.g., for older Pythons), stringent dependency requirements, and CLI design would have made adapting a previous tool into a serious undertaking,” he explains.

“Finally, we wanted a high quality ‘reference’ tool that consumes PyPI’s recently added vulnerability information. As far as we know, we’re the only tool to do so currently.”

Commenting on a NetSec subreddit unveiling pip-audit, ‘brainphreeze’ praised the tool as “quick and easy to set up and run”. They added: “Good initial results too.”

Catch up with the latest software supply chain attack news

However, they also observed that “the lack of a severity rating does make the verification step more involved, but this looks to be based on how [the Python Packaging Advisory Database] stores its results”.

Acknowledging this shortcoming, Woodruff said: “We’re looking into being able to better connect PYSEC identifiers to their upstream CVE/NVD/similar records.”

Pip-audit project is one of many open source security initiatives being supported by Google. In recent months, for instance, Google has sponsored security reviews of eight open source projects, and contributed to a National Institute of Standards and Technology (NIST) project focused on creating federal government guidelines for procuring secure software, among other examples.

This article was updated on December 3 with comments from project lead William Woodruff

YOU MIGHT ALSO LIKE Dependency Combobulator offers defense against namespace confusion attacks