This is a community-owned repository of advisories for packages published on https://pypi.org.

Advisories live in the `vulns` directory and use a YAML encoding of a simple format.

Existing entries can be edited by simply creating a pull request. To introduce a new entry, create a pull request with a new file that has a name matching `PYSEC-0000-<anything>.yaml`. This will later be picked up by automation to allocate a proper ID once merged.
Much of the existing set of vulnerabilities is collected from the NVD CVE feed. We use this tool, which performs a lot of heuristics to match CVEs with exact Python packages and versions (which is a difficult problem!) together with a small amount of human triage, to generate the `.yaml` entries here.
Vulnerabilities are integrated into the Open Source Vulnerabilities project, which provides an API to query for vulnerabilities like so:

```sh
$ curl -X POST -d \
  '{"version": "2.4.1", "package": {"name": "jinja2", "ecosystem": "PyPI"}}' \
  "https://api.osv.dev/v1/query"
```
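The curl call above sends a query and gets back a JSON document listing matching advisories. The example below is added here and is not part of this repository or of OSV: it builds the same query body in Python and then shows how to interpret a response offline, using a constructed sample in the shape of the OSV schema (the `vulns` / `affected` / `ranges` / `events` fields, with `ECOSYSTEM` ranges whose `introduced` and `fixed` events bound the affected versions). Its version comparison is a simplification for dotted numeric versions; real PyPI versions follow PEP 440, for which `packaging.version.Version` should be used. The advisory ID and summary in the sample are placeholders, not real entries.

```python
import json
import re

# Constructed sample in the shape of an OSV /v1/query response (assumption:
# the OSV schema field names). The ID and summary are placeholders.
SAMPLE_RESPONSE = json.loads("""
{
  "vulns": [
    {
      "id": "PYSEC-0000-EXAMPLE",
      "summary": "constructed example advisory, not a real one",
      "affected": [
        {
          "package": {"name": "jinja2", "ecosystem": "PyPI"},
          "ranges": [
            {"type": "ECOSYSTEM",
             "events": [{"introduced": "0"}, {"fixed": "2.11.3"}]}
          ]
        }
      ]
    }
  ]
}
""")


def build_query(name: str, version: str, ecosystem: str = "PyPI") -> dict:
    """Request body for POST https://api.osv.dev/v1/query (same shape as the curl call)."""
    return {"version": version, "package": {"name": name, "ecosystem": ecosystem}}


def parse_version(v: str) -> tuple:
    """Simplified comparison key: numeric components only.

    PEP 440 versions (pre-releases, post-releases, epochs) need
    packaging.version.Version; that dependency is omitted here on purpose.
    """
    return tuple(int(p) for p in re.findall(r"\d+", v)) or (0,)


def affected_intervals(events: list) -> list:
    """Turn an ordered OSV event list into [start, fixed) intervals.

    'introduced' opens an interval; 'fixed' closes it. A trailing
    'introduced' with no 'fixed' means every later version is affected.
    """
    intervals, start = [], None
    for ev in events:
        if "introduced" in ev:
            start = ev["introduced"]
        elif "fixed" in ev and start is not None:
            intervals.append((start, ev["fixed"]))
            start = None
    if start is not None:
        intervals.append((start, None))
    return intervals


def is_affected(version: str, ranges: list) -> bool:
    """True if `version` falls inside any ECOSYSTEM range of an affected entry."""
    v = parse_version(version)
    for rng in ranges:
        if rng.get("type") != "ECOSYSTEM":
            continue  # GIT and SEMVER ranges are not meaningful for PyPI versions
        for start, fixed in affected_intervals(rng.get("events", [])):
            lower_ok = start == "0" or v >= parse_version(start)
            upper_ok = fixed is None or v < parse_version(fixed)
            if lower_ok and upper_ok:
                return True
    return False


def matching_vulns(response: dict, name: str, version: str, ecosystem: str = "PyPI") -> list:
    """Advisory IDs in an OSV response whose affected ranges cover this package version.

    Package names are compared case-insensitively, as PyPI treats them.
    """
    ids = []
    for vuln in response.get("vulns", []):
        for aff in vuln.get("affected", []):
            pkg = aff.get("package", {})
            if (pkg.get("name", "").lower() == name.lower()
                    and pkg.get("ecosystem") == ecosystem
                    and is_affected(version, aff.get("ranges", []))):
                ids.append(vuln["id"])
                break
    return ids


if __name__ == "__main__":
    print(json.dumps(build_query("jinja2", "2.4.1")))
    print(matching_vulns(SAMPLE_RESPONSE, "jinja2", "2.4.1"))   # affected
    print(matching_vulns(SAMPLE_RESPONSE, "jinja2", "2.11.3"))  # fixed version
```

To run this against the live API, POST `build_query(...)` as the request body to the URL in the curl example and pass the decoded JSON to `matching_vulns` in place of the constructed sample.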
Longer term, we are working with the PyPI team to build a pipeline to automatically get these vulnerabilities into PyPI. The goal is to have the `pip install` (and an additional `pip audit`) command automatically report vulnerabilities out of the box.
Everyone interacting with this project is expected to follow the PSF Code of Conduct.