Tag: AppSec

Adding Python Support

VersionEye 2.0 started with only 3 languages. Ruby, NodeJS and PHP. Now Python was added as well!

VersionEye supports the package manger PIP. You can simply upload your requirements.txt file to get a BOM (Bill of Materials). By default the ‘requirements.txt’ file contains only the direct dependencies. I would recommend to use Pips freeze feature to lock down all transitive dependencies. That can be achieved with this command: 

python -m pip freeze > frozen-requirements.txt

That command will take all direct dependencies from the requirements.txt file, resolve all transitive dependencies and create a new file frozen-requirements.txt which contains ALL (direct & transitive) dependencies with fixed versions. That’s much better then the pure requirements.txt file because the frozen version contains all dependencies which are shipped to production. That contains ALL dependencies which are necessary to run the application.

Here is an example for a Python VersionEye scan:

Try it out and let me know how you like it! Would love to hear your feedback.

If you don’t have an account yet, signup with this promotion code “Ve2Python“. That code is valid until 4th of June and gives you a 50% discount on the monthly subscription!

Security Alerts for Java & Python

A couple months ago VersionEye started to track security vulnerabilities for PHP packages. A couple weeks ago the feature was rolled out for Ruby & Node.JS dependencies as well. And now it’s rolled out for Java & Python!

Now you will see the security tab in your Java & Python projects as well. Just like in the example here.

VersionEye-Java-Project-Security

If you click on the dependency link above you will come to the package detail page where more details to the security issues are visible.

VersionEye-Java-Project-Security_2

If your project dependencies are affected the dependency badge turns to “insecure”, showing everybody that some of the dependencies have security issues.

The security feature is available via the VersionEye API as well. You can filter by language and prod_key. Feel free to build your own integration on it 🙂

VersionEye-API-Security

VersionEye notifies you about security vulnerabilities independently from the version & license notifications. The security notification emails are going out on each Tuesday.

Currently VersionEye is crawling 6 different security sources for this feature. For Java & Python we are using the victims db, which claims to have 0 false positives. Please contribute to this db if you know about a Java or Python security vulnerability and help to make the world a safer place.

Do you know more good security databases which you would like to see integrated with VersionEye? If so contact me on Twitter please.

Security Alerts for Ruby Gems

Since a couple weeks VersionEye shows security issues for PHP projects. Now this feature works the same way for NodeJS and Ruby packages. If VersionEye is monitoring a Gemfile for you, then you will see the “Security” tab in the project view. Just like here in this example.

VersionEye-Ruby-Security

In the “Security” tab all known security vulnerabilities are listed for your 3rd party dependencies. If there is a security issue the dependency badge turns red! By clicking on the package name the package detail page comes up with a more detailed description of the security vulnerability.

VersionEye-Ruby-Security_2

On the detail the page a detailed description of the security vulnerability shows up and a link to the original source. That way it’s easy to reproduce the security vulnerability.

Now there is now reason not to use VersionEye. You get notifications about:

  • out-dated dependencies
  • license violations
  • security vulnerabilities

This feature is pretty new, but already good tested through the PHP community. Your feedback is anyway welcome either here in the comments or on Twitter.

Security Alerts for NodeJS

Since a couple weeks VersionEye shows security issues for PHP projects. Now this feature works the same way for NodeJS / NPM packages. If VersionEye is monitoring a package.json for you, then you will see the “Security” tab in the project view. Just like here in this example.

VersionEye-NodeJS-Security-View

In the “Security” tab all known security vulnerabilities are listed for your 3rd party dependencies. By clicking on the package name the package detail page comes up with a more detailed description of the security vulnerability.

VersionEye-NodeJS-Security

In most of the cases it is recommended to fix the issue by updating to the current version of the software package.

This feature is pretty new, but already good tested through the PHP community. Your feedback is anyway welcome either here in the comments or on Twitter.