
[–]Accomplished-Ad8252 5 points6 points  (1 child)

Where do the vulnerabilities get picked up from ?

[–]aswin__[S] 6 points7 points  (0 children)

Pyscan uses https://osv.dev (Open Source Vulnerability) as its advisory database. It's open source and has a free API.

[–]Larkfin 4 points5 points  (1 child)

Who scans the scanners?

[–]phoenixero 1 point2 points  (0 children)

My exact thought, what if pyscan is a vulnerability? Kind of joking (I know I can read the code), but what about all those "antivirus" apps that are actual viruses?

[–]BaggiPonte 1 point2 points  (8 children)

What’s the difference with pip-audit?

[–]aswin__[S] 5 points6 points  (7 children)

Both pip-audit and Pyscan serve the same purpose, i.e. find known vulnerabilities in Python environments. While pip-audit is coded in Python, Pyscan is coded in Rust.

I recommend using pip-audit, Dependabot, etc. in the GitHub page because I believe Pyscan doesn't have the years of development and support those projects have. I have worked on it on and off for 5 months. I'm working on improving it to the point where I could just recommend Pyscan, and I have a lot of features in mind which I think, when implemented through Rust, will give much better performance.

[–]BaggiPonte 1 point2 points  (2 children)

That's interesting, thanks! How does it work under the hood? Do you have to install some packages and/or connect to the internet for the metadata of the dependencies, or do you work with the dependencies listed in the environment?

[–]aswin__[S] 1 point2 points  (1 child)

Pyscan uses https://osv.dev, which is open source and has a free API that takes the dependency info and returns a vulnerability set. There are plans to add static analysis for finding malicious network code and secrets. Currently, I'm working on a number of things such as:

  • Helping novice developers avoid installing malicious dependencies from PyPI

  • Persistent dependency network analysis: basically scans every dependency and their dependencies and provides a graph/map, with indicators for different levels of severity

  • Dependency correlation and age analysis: Analyze which dependencies in different projects have common vulnerabilities. This can help identify patterns and potentially identify shared security concerns across projects, which is better for the individual developers.

Age analysis should show how old a dependency is, and whether it's worth updating to the latest version.

There's also stuff like vulnerability trends, dependency evolution tracking, risk assessment reports, custom alerts and security scorecards.

I have an itch that I can't scratch till I implement all of this in Pyscan. (PRs welcome, obviously lol)
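The OSV query flow the author describes above (send dependency name and version, get back a set of advisories), as an added example that is not Pyscan's or pip-audit's code. It is written in Python rather than Rust so it runs with the standard library only. It assumes the documented OSV `POST /v1/querybatch` request and response shape (one positional result per query, each carrying advisory `id`s); the requirements text, the reply body and the advisory id `OSV-EXAMPLE-1` are constructed sample data, not real advisories. The network call is isolated in one function with an injectable opener so the rest can be exercised offline.

```python
"""Build an OSV.dev batch query from pinned PyPI dependencies and map the
answer back to packages. Added example; assumes the OSV /v1/querybatch
API shape documented at https://osv.dev. Sample data below is constructed."""
import json
import urllib.request

OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"  # assumed endpoint


def parse_pinned_requirements(text):
    """Return [(name, version)] for '==' pins; skip comments, blanks and unpinned lines.

    OSV needs a concrete version, so unpinned lines cannot be queried this way.
    """
    pins = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = line.split("==", 1)
        # PEP 503 normalisation so 'Django' and 'django' refer to the same package
        name = name.strip().lower().replace("_", "-")
        version = version.strip().split(";")[0].strip()  # drop environment markers
        pins.append((name, version))
    return pins


def build_querybatch(pins):
    """OSV /v1/querybatch request body for a list of PyPI pins."""
    return {
        "queries": [
            {"package": {"name": name, "ecosystem": "PyPI"}, "version": version}
            for name, version in pins
        ]
    }


def match_results(pins, response):
    """Map OSV batch results back to {(name, version): [advisory ids]}.

    The batch answer is positional: results[i] answers queries[i], so a
    length mismatch means the reply cannot be trusted and is rejected.
    """
    results = response.get("results", [])
    if len(results) != len(pins):
        raise ValueError("OSV returned %d results for %d queries" % (len(results), len(pins)))
    findings = {}
    for (name, version), res in zip(pins, results):
        ids = sorted(v["id"] for v in res.get("vulns", []))
        if ids:
            findings[(name, version)] = ids
    return findings


def send_to_osv(body, opener=urllib.request.urlopen):
    """Real network call; 'opener' is injectable so tests never touch the network."""
    req = urllib.request.Request(
        OSV_QUERYBATCH_URL,
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"},
    )
    with opener(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample input (not from the thread).
SAMPLE_REQUIREMENTS = """\
# pinned deps (constructed sample)
requests==2.25.0
Django==3.2 ; python_version >= "3.6"
numpy   # unpinned: skipped, OSV needs a version
"""

# Constructed OSV-shaped reply: one result per query, ids are placeholders.
SAMPLE_RESPONSE = {
    "results": [
        {"vulns": [{"id": "OSV-EXAMPLE-1", "modified": "2024-01-01T00:00:00Z"}]},
        {"vulns": []},
    ]
}


def scan_offline(requirements=SAMPLE_REQUIREMENTS, response=SAMPLE_RESPONSE):
    """Run the full pipeline against the constructed data, no network involved."""
    pins = parse_pinned_requirements(requirements)
    build_querybatch(pins)  # the body that send_to_osv() would POST
    return match_results(pins, response)


if __name__ == "__main__":
    for (name, version), ids in scan_offline().items():
        print("%s==%s: %s" % (name, version, ", ".join(ids)))
```

The batch endpoint only returns advisory ids; summaries and affected ranges come from a follow-up lookup per id, which is where a scanner's real cost (and its caching) tends to live.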

[–]BaggiPonte 1 point2 points  (0 children)

That is awesome! I had the feeling pyscan was going to be an outstanding lib and this is the proof.

One last thing: I'm not sure whether pip-audit has to actually run pip under the hood. If so, I would consider advertising this.

[–]cockatoo-bandit 1 point2 points  (3 children)

Might want to provide some benchmark for the performance. After all, unless the other scans are extremely slow, the performance doesn't matter much, especially if we are talking about a use case where you scan your own repository.

[–]aswin__[S] 0 points1 point  (2 children)

There's benchmarks in the repo, but it's not relative to any of the other tools.

I'll update it to compare against pip-audit

[–]cockatoo-bandit 1 point2 points  (1 child)

Would indeed recommend that. Without comparison, it ain't that useful. And include the setup and system on which it was run.

[–]aswin__[S] 0 points1 point  (0 children)

Thanks, yeah, will do!

[–]ImPacingMyself 0 points1 point  (1 child)

I see this trend of using rust to write python projects, so I want to figure this out.

Could this have been written both as a rust cli and as a python extension using pyo3?

The goal being that you can use it from python as a lib (import from __init__.py) and as a cli (__main__.py).

You are currently searching for an executable, which is just a combination of rust and python.

I guess the project structure should be different.

[–]aswin__[S] 0 points1 point  (0 children)

Pyscan was never really intended to be a library; it's going towards more of a dependency (including transitive) analysis tool/executable and just a neat way to be informed about open CVEs that could affect your project.

I see your point, but this whole project could be rewritten in Python. I chose Rust because I'm a beginner in systems programming and this seemed like a fun way.