
Find vulnerabilities in Python

You can find vulnerabilities in your Python applications. You can scan Python repositories using the command-line interface or the CI integrations.

For packaging instructions for Veracode Static Analysis, see Packaging Python applications.

Scan your code

You can scan any code repository to which you have access and that meets the requirements below. To run an example scan, clone one of the public Veracode SCA repositories:

git clone https://github.com/veracode/example-python
git clone https://github.com/veracode/example-python-pipenv
git clone https://github.com/veracode/example-python3-poetry

After you add a srcclr.yml file to the directory at which you point the Veracode SCA agent, you can specify scan directives for scanning your Python code. Some scan directives are specific to Python projects.

Before you begin:

Scanning a repository that uses PyPI for package management requires the ability to assemble your libraries within the environment in which you scan the project. This includes these requirements:

  • Your code repository uses Python 2.x or 3.x.
  • Have Python 2.x or 3.x installed in your path.
  • For pip:
    • Install pip version 10.0.0 or later.
    • Include one of these files in the repository: setup.py, requirements.txt, requirements-dev.txt, or dev-requirements.txt.
  • For pipenv:
    • Install pipenv in your path.
    • Include one of these files in the repository: Pipfile or Pipfile.lock.
  • For Poetry: include both pyproject.toml and poetry.lock in the repository.
  • Be able to perform one of these installation tasks:
    • pip: from the project root, run pip install -r <requirements-file>, where <requirements-file> is requirements.txt, requirements-dev.txt, or dev-requirements.txt.
    • pip: run the python setup.py install command.
    • pipenv: be able to run pipenv sync if the Pipfile.lock file is available, or be able to run pipenv install if the file is unavailable.
    • Poetry: N/A
  • Exclude optional dependencies from your requirements files or lock files to avoid false negative results.

To complete this task:

At the command line, run the scan command pointed to the directory of the Python repository. For example:

srcclr scan path/to/{project_folder}

To scan code repositories hosted in Git, use the --url argument at the command line.

To view more verbose output during the scan process, add the --loud argument:

srcclr scan path/to/{project_folder} --loud

Results:

The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.

Next steps:

After completing the scan, you can view the results.

Fix example direct vulnerability

When a library is specifically referenced in your setup.py, requirements.txt, requirements-dev.txt, or dev-requirements.txt, Veracode SCA refers to the library as a direct dependency.

These example steps provide a fix for a Denial of Service (DoS) Memory Consumption vulnerability in feedparser, version 5.1.1 in the example-python repository.

To complete this task:

  1. Edit the requirements.txt file in the root of the project to match the following:

    feedparser==5.1.2
  2. Validate the fix.

Fix example transitive vulnerability

To fix a transitive library for Python, override the transitive dependency by adding the appropriately versioned dependency as a direct library to your configuration file, which can be a requirements.txt or setup.py file.

These steps provide a fix for a Cross-Site Scripting (XSS) vulnerability in html5lib, version .9999999 in the transitive_vulns branch of the example-python repository.

To complete this task:

  1. Edit the requirements.txt file in the root of the project and add the recommended version of the library:

    html5lib==0.99999999

    Important: Updating some transitive libraries will fail because the directly specified library requires a specific version of them. In such cases, you need to update the directly specified library to a version that allows the safe version to be used.

  2. Validate the fix.
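The two fixes above share one pattern: pin a safe version of the library as a direct dependency in requirements.txt, then validate that the pin is in place. The following added example (not Veracode's code) applies that pattern for both the direct (feedparser) and transitive (html5lib) cases and checks the result; the sample requirements text is constructed, and the version comparison is a simplified dotted-numeric key rather than full PEP 440.

```python
import re

# Matches "name", "name==1.2", "name >= 1.2" etc.; comments and "-r" lines do not match.
REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s#]*)")

# Constructed sample resembling a requirements.txt before the fixes (html5lib is
# only reached transitively, so it does not appear yet).
SAMPLE_REQUIREMENTS = """\
# constructed example input
feedparser==5.1.1
requests>=2.0
"""


def parse_version(v: str) -> tuple:
    """Simplified version key: dotted integers, missing parts count as 0 (not full PEP 440)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.strip().split("."))


def parse_requirements(text: str):
    """Yield (name, operator, version) for each requirement line."""
    for line in text.splitlines():
        m = REQ_RE.match(line.strip())
        if m:
            yield m.group(1).lower(), m.group(2), m.group(3)


def apply_override(text: str, name: str, safe_version: str) -> str:
    """Pin `name` to `safe_version` as a direct dependency.

    An existing exact pin at or above the safe version is left alone; any other
    specifier for the package is replaced by the exact pin, and if the package is
    absent (transitive case) the pin is appended as a new direct requirement.
    """
    wanted, out, found = parse_version(safe_version), [], False
    for line in text.splitlines():
        m = REQ_RE.match(line.strip())
        if m and m.group(1).lower() == name.lower():
            found = True
            if m.group(2) == "==" and parse_version(m.group(3)) >= wanted:
                out.append(line)  # already pinned to a safe version
            else:
                out.append(f"{name}=={safe_version}")
        else:
            out.append(line)
    if not found:
        out.append(f"{name}=={safe_version}")
    return "\n".join(out) + "\n"


def is_fixed(text: str, name: str, safe_version: str) -> bool:
    """Validate the fix: True iff `name` is directly pinned (==) at or above `safe_version`."""
    for pkg, op, ver in parse_requirements(text):
        if pkg == name.lower():
            return op == "==" and parse_version(ver) >= parse_version(safe_version)
    return False
```

Running apply_override for feedparser 5.1.2 and then html5lib 0.99999999 on the sample yields a file in which is_fixed returns True for both libraries; the caveat in the Important note still applies, since a direct library that requires the old version will make pip fail to resolve the override.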

Fix example vulnerable method

These example steps provide a fix for a BERserk attack vulnerable method in rsa, which is included in the example-python repository.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.

  2. Select Agent-Based Scan.

  3. Select your workspace.

  4. Select Projects.

  5. Select the srcclr/example-python project.

  6. Select BERserk Attack Vulnerability in the rsa library in the Vulnerabilities table. The Vulnerable Methods section shows that the verify method is the vulnerable part of the library.

  7. To address the identified vulnerable method, do one of these tasks:

    • Change your code to perform in the same manner without relying on this particular method.
    • Follow the provided instructions to update the library to a safe version.
  8. Validate the fix.