Link to public package security info on package detail pages #9760

Closed
taleinat opened this issue Jul 6, 2021 · 3 comments

Comments

@taleinat (Contributor) commented Jul 6, 2021

What's the problem this feature will solve?
Provide information about security vulnerabilities of PyPI packages.

Describe the solution you'd like
I suggest adding links on project detail pages to the packages' pages on the Snyk Advisor website. The most basic implementation would be to add a link in the sidebar, alongside the existing link to the libraries.io page.

Snyk Advisor pages include security information about packages, both summarized and in detail, as well as other useful info and stats.

For example: The package detail page for networkx would include an additional link to its Snyk Advisor page. This page currently prominently displays a red "SECURITY ISSUES FOUND" label for the latest version of networkx, with details (high severity!) and links to more information in the "Security" section of the page. (For future reference, here's an archived version from today on the Internet Archive Wayback Machine.)

Additional context
Packaging tools in some other programming ecosystems have begun providing security information about packages. One prominent example of this is npm, whose CLI tool began showing warnings for installed packages with known security vulnerabilities. Tooling and information for Python packages have only recently become available, and awareness in the community is still low. Adding this to PyPI could help a great many projects and people discover and address security issues much earlier.

Full disclosure: I worked for a while developing Snyk Advisor as a contractor. I'm no longer affiliated with Snyk in any way, and have no direct or potential financial interest in their services being used or succeeding. Snyk did reach out to ask what I thought about this and whether I'd be willing to suggest this publicly, which I'm happy to do with no compensation of any sort, simply because I think it will benefit the community.

@zach-beniash

I'd definitely give it the thumbs up!
As a data engineering team lead, I find myself many times emphasizing to my team members the importance of doing some background check on a Python package before they just throw it into our requirements.txt files.
Specifically, I instruct them to check in Snyk Advisor as part of some other examinations.
It is a great idea to put it all in one place, and PyPI is exactly the right place for it!
👍👍👍

@ohz commented Jul 7, 2021

This looks like a great idea. We can all improve our security awareness, and this looks like a low effort-high reward way to do this.
👍

@woodruffw (Member)

Triage: I think this dovetails with #798.
