/apr 3, 2016

Introducing Python Support

By Sean Kinzer

On our journey to ensure all open-source is being used safely, we have taken a step forward by adding language support for a growing community of developers. I am happy to announce that you can now scan your Python 2 applications and see if they are using vulnerable open-source libaries. We mirror PyPi packages in our library catalog, and already have hundreds of Python vulnerabilities cataloged from a wide variety of sources.

python logo

NOTE: These instructions are from older versions of the CLI. For the latest installation and usage instructions, please check out the documentation.

What is Supported?

Support is included for Python 2 repositories that specify their third-party requirements through either requirements.txt files (in the format used by pip) or setup.py configuration files. In order to perform a scan on such repositories, the environment in which you are scanning must have Python 2.7.x installed. For the terminal application, you can test this by running python --version in order to verify that you have the appropriate version. Users can also verify Source Code Management agent environments by accessing the host running the agent and performing the same python --version command to check that the version is 2.7.x.


For command line interface (cli) users, updating is easy. On OSX with Homebrew, enter the following command in order to upgrade:

brew update && brew upgrade srcclr

For OSX users without Homebrew and Linux users, do the following from the terminal:

curl -Of https://download.srcclr.com/console/srcclr-console-latest.tgz
tar xvf srcclr-console-latest.tgz
//insert the version to the x.x.x below (i.e. ./srcclr-console-1.2.8/install-xdg.sh install)
./srcclr-console-1x.x.x/install-xdg.sh install

Once you have updated the cli, test your environment by running srcclr test --pip.

Updating your agent is simple as well. Stop whatever agent you are using, and run the following commands:

curl -Of https://download.srcclr.com/scm/srcclr-agent-latest.tgz
tar xvf srcclr-agent-latest.tgz
//insert the version to the x.x.x below (i.e ./srcclr-agent-1.7.0/install.sh)

Restart your agent once you have ran the install command and you are good to go!

I Don't Specify Packages in a 'requirements.txt' File Though

If the repository you are scanning specifies dependencies somewhere other than the requirements.txt, or the requirements.txt is in a subdirectory, you can also identify dependencies by adding a .srcclr.json configuration file to the root directory. In that .srcclr.json file, simply add the following json snippet in order for SourceClear to scan your Python repository:

    "pipRequirementsFile": "requirementsDir/my-special-requirements.txt"

In addition, if you require preinstalled systemwide packages which are not included in the requirements.txt, you can configure a .srcclr.json to identify those libraries as well by adding the following configuration:

    "pipRequirementsFile": "requirementsDir/my-special-requirements.txt",
    "systemSitePackages": true

This will include global system packages in SourceClear's scan, and will allow for us to scan dependencies despite system-wide install requirements, but may miss some dependencies because pip will not re-install the dependencies already installed system-wide.

Your First Scan

When you have installed the cli you can scan your projects

srcclr scan

-> Attempting to match evidence using the SRC:CLR API...
-> matched in 2 seconds.


[Component] Django
     Coordinates:     django:1.7.11
            Link:     https://srcclr.com/catalog/components/167006?version=1.7.11
           Paths:     requirements.txt#L7 [Direct]

     *************** Vulnerabilities ***************
     *    [Vulnerability] Cross-site Scripting (XSS) and Malicious Redirect
     *    Severity:          3.5 / 10
     *    CVE:               CVE-2016-2512
     *    Link:              https://srcclr.com/catalog/vulnerabilities/2210
     *    [Vulnerability] User Enumeration Timing Attack During Login
     *    Severity:          3.7 / 10
     *    CVE:               CVE-2016-2513
     *    Link:              https://srcclr.com/catalog/vulnerabilities/2211

[Component] Pillow
     Coordinates:     pillow:2.7.0
            Link:     https://srcclr.com/catalog/components/167297?version=2.7.0
           Paths:     requirements.txt#L11 [Direct]

     *************** Vulnerabilities ***************
     *    [Vulnerability] Buffer Overflow in FliDecode.c
     *    Severity:          5.0 / 10
     *    CVE:               CVE-2016-0775
     *    Link:              https://srcclr.com/catalog/vulnerabilities/2052
     *    [Vulnerability] Buffer Overflow through TiffDecode.c
     *    Severity:          5.0 / 10
     *    CVE:               CVE-2016-0740
     *    Link:              https://srcclr.com/catalog/vulnerabilities/2200
     *    [Vulnerability] Buffer Overflow through Decoder for Uncompressed PCD Image Data
     *    Severity:          5.0 / 10
     *    CVE:               CVE-2016-2533
     *    Link:              https://srcclr.com/catalog/vulnerabilities/2047

[Component] requests
     Coordinates:     requests:2.5.1
            Link:     https://srcclr.com/catalog/components/167292?version=2.5.1
           Paths:     requirements.txt#L33 [Direct]

     *************** Vulnerabilities ***************
     *    [Vulnerability] Session Fixation Attacks
     *    Severity:          6.8 / 10
     *    CVE:               CVE-2015-2296
     *    Link:              https://srcclr.com/catalog/vulnerabilities/1979

Scan Report for /home/ubuntu/test-python-pip
                Duration:      28 seconds
          Evidence Count:      57
      Unique Coordinates:      57
   Cryptographic Digests:      0
        Bytecode Digests:      0
   Vulnerable Components:      3
      Vulnerable Methods:      Not scanned

Coming soon

Vulnerable methods technology is currently not available for Python but will be shipping soon!

Related Posts

By Sean Kinzer

Sean is part of the customer success team at Veracode. He helps address customer issues and handles our support desk.