Skip to main content

Python packaging

Your Python applications must meet specific compilation requirements before you can submit them for scanning.

See Supported languages and platforms for instructions for other platforms.

You can analyze applications using Veracode Static Analysis or Veracode Software Composition Analysis (SCA) upload and scan, if licensed. For SCA agent-based scan requirements, see Using Veracode SCA with Programming Languages.

Automated packaging

Auto-packaging simplifies the packaging process for Python projects.

Required files

Veracode requires all source files for the application, including HTML template files, such as Flask/Django.

Veracode can also analyze Jython applications that you submit as source.

Supported Python versions

LanguageSupported versions
Python2.x, 3.x

Supported Python frameworks and libraries

Framework/LibrarySupported versions
AWS SDK for Python (Boto3)1.x
Azure Functions3.x
Cryptography0.6–1.x
Django1.x, 3.x, 4.x
Flask0.x-2.x
httplib20.9.2 and earlier
Jinja Template Library2.x
Requests2.x
SQLAlchemy.9.x–1.x

Packaging guidance

Upload a compressed ZIP archive containing all Python and HTML code, maintaining the project structure, to Veracode. Do not include third-party packages. Do not upload individual Python source files. If using Veracode Software Composition Analysis, include Pipfile.lock in the root of your ZIP archive.

important

To generate Pipfile.lock, you need the pipenv tool. To generate Pipfile.lock from requirements.txt, see https://pipenv.pypa.io/en/latest/pipfile.html#importing-from-requirements-txt .

Veracode scans only files with these extensions:

  • PY
  • HTML
  • HTM

Packaging AWS Lambda applications

Veracode requires you to submit applications built for AWS Lambda according to the AWS Lambda Deployment Package formats. For information, see https://docs.aws.amazon.com/ and search for AWS Lambda Deployment Package in Python.

note

Veracode does not support the analysis of dependencies submitted as Lambda layers. To analyze Lambda components deployed in layers, submit them as standard deployment packages, or consider repackaging the function to include layer components as part of the lambda function package.

Identifying Lambda function handlers for Python

In Python, function handlers must have at least two positional (default) parameters. The function handlers may have additional parameters that must have initial values set because AWS Lambda passes data only to the first two positional parameters.

To detect Lambda function handlers for Python, Veracode accepts the YAML and YML configuration files included as part of the uploaded package from the Serverless and AWS SAM frameworks. Veracode parses these configuration files to identify the function handlers defined in the uploaded artifact. Veracode uses these configuration files to identify the configuration of layers or other settings.

When a deployment package does not contain a YAML configuration file, Veracode applies this heuristic to identify the candidate source files in which to look for function handlers in the deployment package:

  • If a directory called functions exists, Veracode recognizes every Python file in every subdirectory below functions as a candidate source file. Veracode does not consider files in any directories one level below functions as candidate files.

    For example, in the following directory structure, the candidate files are:

    • functions/one/primero.py
    • functions/two/orangefunc.py
    • functions/two/utils.py
    .
    └── functions
    ├── one
    │ ├── misc
    │ │ └── utils.py
    │ └── primero.py
    └── two
    ├── orangefunc.py
    └── utils.py
  • Every Python file in the top-level directory of the archive is a candidate source file.

    For example, in the following directory structure, the only candidate file is primero.py.

      .
    ├── misc
    │ └── utils.py
    └── primero.py

After Veracode identifies a candidate file, functions with exactly two parameters or with more parameters where all additional parameters have initial values set are considered function handlers. Example candidate function handlers are:

  • def lambda_handler(event, context):
  • def different_func(evt, ctx, xyz=123):

This function cannot be a function handler:

  • def different_func(event):