mam-dev / security-constraints Goto Github PK

See https://docs.pypi.org/trusted-publishers/

Consider using ruff instead of flake8. Try it out, read a bit, compare, see if the project should switch.

Stop testing/building for 3.7 and start using syntax which was not allowed in 3.7.

End-of-life for Python 3.7 is 2023-06-27, see https://devguide.python.org/versions/

It should be consistent with the ISO format.

The PyPi page does not link to github. This probably requires changes to pyproject.toml (or possibly the readme).

The readme still shows constraints with min and max version in the output. This is not consistent with behavior after the 1.0.1 bug fix.

Lint rules can differ between versions, so that should be pinned.

Could use e.g. pip-compile or pip-compile-multi to bump requirements.

Care needs to be taken with the different supported Python versions.

sed: can't read 3.9: No such file or directory
The "sed" part may not even be needed.

There are probably new versions of the actions used.

Enforce through config. Add tests until reached, as necessary.

As strict as possible.

Allow passing multiple config files. The config then gets merged, the same way it is merged with the args.

Since Configuration.merge already support merging multiple configs, this should be quite easy to implement.

Usecase: A group may want one config file for all their projects, plus an optional additional one per project, so that the group can have a list of vulnerabilities they have agreed on ignoring globally but then individual projects can ignore others.

... and create issues to enable them.

Candidates:

• https://cve.mitre.org/ (thanks to 22Maxx on r/python)
• "the OSV database" (thanks to Zamaamiro on r/python)
• https://ossindex.sonatype.org/

Probably already works, but CI and classifier should be added.

Connects to external source and produces output. Verify some features of that output (obviously, the output will be different as the source database changes). Tokens should be handed securely.

If a vulnerability affects versions >=2, <3, then security-constraints will generate the contraints <2,>=3. This would be fine if the comma represented an OR, but it actually represents an AND, so it creates a constraint that cannot be met. In this case, security-constraints should just generate ">=3" (higher version is better). If the vulnerability affects versions >=2 only, then it makes sense to have <2. But there should never be incompatible conditions.