Chapter 1: Vulnerable components - test

README.md

@@ -1,28 +1,46 @@
 # Secure Coding with Python.
 
 ## Chapter 1: Project Bootstrap
-### Requirement
-To start with our development, we copy over a `requirements.txt` file we had from a previous project and install
-Flash from it.
+### Testing
+In order to make sure our libraries don't containg any know vulnerabilities, we can use a dependency scanner such as [Safety](https://pyup.io/safety/).
 
-```bash
-> pip install -r requirements.txt
 ```
+ > $ pip install safety
+ > $ safety check -r requirements.txt --full-report
+╒══════════════════════════════════════════════════════════════════════════════╕
+│                                                                              │
+│                               /$$$$$$            /$$                         │
+│                              /$$__  $$          | $$                         │
+│           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           │
+│          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           │
+│         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           │
+│          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           │
+│          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           │
+│         |_______/  \_______/|__/     \_______/   \___/   \____  $$           │
+│                                                          /$$  | $$           │
+│                                                         |  $$$$$$/           │
+│  by pyup.io                                              \______/            │
+│                                                                              │
+╞══════════════════════════════════════════════════════════════════════════════╡
+│ REPORT                                                                       │
+│ checked 1 packages, using default DB                                         │
+╞════════════════════════════╤═══════════╤══════════════════════════╤══════════╡
+│ package                    │ installed │ affected                 │ ID       │
+╞════════════════════════════╧═══════════╧══════════════════════════╧══════════╡
+│ flask                      │ 0.12      │ <0.12.3                  │ 36388    │
+╞══════════════════════════════════════════════════════════════════════════════╡
+│ flask version Before 0.12.3 contains a CWE-20: Improper Input Validation     │
+│ vulnerability in flask that can result in Large amount of memory usage       │
+│ possibly leading to denial of service. This attack appear to be exploitable  │
+│ via Attacker provides JSON data in incorrect encoding. This vulnerability    │
+│ appears to have been fixed in 0.12.3.                                        │
+╘══════════════════════════════════════════════════════════════════════════════╛
+```
+**Note:** The free version of safety updates it's database once a month, so latest vulnerabilities might not show up. For better security a paid API key can be used to get more up-to-date releases information.
 
-Then we  create the `marketplace` package, with a minimal Flask app in `__init__.py`. We can run the project with
-`python -m flask run` to see that it loads correctly going with our browser to `http://127.0.0.1:5000/`.
-
-### Vulnerability
-Since we copied over a `requirements.txt` and installed Flask from it, we have a very old Flask version. The 
-version in said file was Flask 0.12. At the date of the development, the latest Flask release is 1.0.3
-
-Since Flask 0.12 the following security releases had been issued:
-* [0.12.3](https://github.com/pallets/flask/releases/tag/0.12.3): CWE-20: Improper Input Validation on JSON decoding.
-
-Given that we used an old version that's vulnerable to all of the above, our application, by definition is vulnerable 
-if we make use of the affected functionallity.
+We can start building our CI build script with a simple dependency vulnerabilities check using [Safety](https://pyup.io/safety/) as shown in build.sh
 
-**Proceed to [next section](https://github.com/nxvl/secure-coding-with-python/tree/1-vulnerable-components/test)**
+**Proceed to [next section](https://github.com/nxvl/secure-coding-with-python/tree/1-vulnerable-components/fix)**
 
 ## Index
 ### 1. Vulnerable Components

build.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+vulnerable_deps=$(safety check --bare -r requirements.txt)
+if [[ $? != 0 ]]; then
+  echo "Vulnerabilities found in packages:" $vulnerable_deps
+fi

requirements.txt

@@ -1 +1,2 @@
-Flask==0.12
+Flask==0.12
+safety==1.8.5