This is community owned repository of advisories for packages published on https://pypi.org.

Advisories live in the vulns directory and use a YAML encoding of a simple format.

Existing entries can be edited by simply creating a pull request.

To introduce a new entry, create a pull request with a new file that has a name matching PYSEC-0000-<anything>.yaml. This will be later picked up by automation to allocate a proper ID once merged.

You can validate the structure of your YAML file by running:

pipx run check-jsonschema --schemafile https://raw.githubusercontent.com/ossf/osv-schema/main/validation/schema.json <PATH TO YAML FILE>

Much of the existing set of vulnerabilities are collected from the NVD CVE feed.

We use this tool, which performs a lot of heuristics to match CVEs with exact Python packages and versions (which is a difficult problem!) and a small amount of human triage to generate the .yaml entries here.

To help with reducing false positive matches, entries in this database can include details on specific code elements of a package that are vulnerable. OSV entries in this database have the following ecosystem_specific definition to encode this:

"ecosystem_specific": {
  "imports": [
    { 
       "attribute": string,
       "modules": [ string ],
    }
  ]
}

“imports” is a JSON array containing the modules and attributes affected by the vulnerability… For example, a vulnerability that affects PIL::ImageFont can be represented as…

"imports": [
  {
    "attribute": "ImageFont",
    "modules": ["PIL"]
  }
]

which is equivalent to PIL:ImageFont. If a second attribute ImageFont2 is also affected, then a second import entry needs to be added to the imports array.

"imports": [
  { "attribute": "ImageFont", "modules": ["PIL"] },
  { "attribute": "ImageFont2", "modules": ["PIL"] }
]

Attributes which are accessible via multiple paths may be represented in a condensed form. Consider the attribute django.db.models:JSONField from the django project. The attribute django.db.models:JSONField is a re-export of django.db.models.fields.json:JSONField and both are valid paths. These can be condensed to a more compact OSV representation as:

{
  "attribute": "JSONField",
  "modules": ["django.db.models", "django.db.models.fields.json"]
}

This data is exposed by pip-audit, which provides a CLI for resolving Python dependencies in an environment or project and identifying known vulnerabilities:

python -m pip install pip-audit
python -m pip-audit -r requirements.txt

You can also use pypa/gh-action-pip-audit on GitHub Actions:

jobs:
  pip-audit:
    steps:
      - uses: pypa/gh-action-pip-audit@v1.0.8
        with:
          inputs: requirements.txt

Vulnerabilities are integrated into the Open Source Vulnerabilities project, which provides an API to query for vulnerabilities like so:

$ curl -X POST -d \
          '{"version": "2.4.1", "package": {"name": "jinja2", "ecosystem": "PyPI"}}' \
          "https://api.osv.dev/v1/query"

This data has also been integrated into the PyPI JSON API.

Everyone interacting with this project is expected to follow the PSF Code of Conduct.