Python Forum

while running checkmarx in python i am get vulnerabilities of level-HIGH from inbuilt libraries which i did
install with pip.so how should i avoid this now.

I wasn't familiar with checkmarx, and just did a quick Google search so if I seem ignorant that would be why...

(Jul-12-2018, 06:23 PM)saisankalpj Wrote: [ -> ]level-HIGH from inbuilt libraries which i did
install with pip

If you used pip, then they're not built-in. That's what pip is for - getting third party libraries. They're not always trustworthy.

(Jul-12-2018, 06:23 PM)saisankalpj Wrote: [ -> ]so how should i avoid this now.

If you want to avoid the warnings from checkmarx, then you need to stop using those modules. I can't speak to how reliable checkmarx is in terms of whether it's worth actually stopping using the modules, or if they use whitelist or blacklist.

I'm curious as well which modules are being flagged.

Many of these Source Code Analysis Tools report way to much false positives.

Quote:Weaknesses

• High numbers of false positives.
  

I you want to more secure use virtual environment eg like venv or pipenv.
pipenv also has Detection of Security Vulnerabilities
Example:

λ pipenv install requests
Installing requests...
.....
Locking [dev-packages] dependencies...
Locking [packages] dependencies...
Updated Pipfile.lock (444a6d)!
Installing dependencies from Pipfile.lock (444a6d)...
  ================================ 5/5 - 00:00:01
To activate this project's virtualenv, run pipenv shell.
Alternatively, run a command inside the virtualenv with pipenv run.

# Check for Vulnerabilities
C:\a
λ pipenv check
Checking PEP 508 requirements...
Passed!
Checking installed package safety...
All good!

# What's get installed when use Requests graph
C:\a
λ pipenv graph
requests==2.19.1
  - certifi [required: >=2017.4.17, installed: 2018.4.16]
  - chardet [required: >=3.0.2,<3.1.0, installed: 3.0.4]
  - idna [required: >=2.5,<2.8, installed: 2.7]
  - urllib3 [required: >=1.21.1,<1.24, installed: 1.23]

Now have much better control and can run checkmarx on what's in virtual environment.
Do it complain for safe stuff,just don't use it

(Jul-12-2018, 07:30 PM)micseydel Wrote: [ -> ]I wasn't familiar with checkmarx, and just did a quick Google search so if I seem ignorant that would be why...

(Jul-12-2018, 06:23 PM)saisankalpj Wrote: [ -> ]level-HIGH from inbuilt libraries which i did install with pip

If you used pip, then they're not built-in. That's what pip is for - getting third party libraries. They're not always trustworthy.

(Jul-12-2018, 06:23 PM)saisankalpj Wrote: [ -> ]so how should i avoid this now.

If you want to avoid the warnings from checkmarx, then you need to stop using those modules. I can't speak to how reliable checkmarx is in terms of whether it's worth actually stopping using the modules, or if they use whitelist or blacklist. I'm curious as well which modules are being flagged.

packages like
1. compat.py
2, site_packages/pkg_resources
3. wheel
4. pip/vendor
5.lib/site.py
are giving High vulnerabilities

They are for sure all false positives.
compat.py just help convert Python 2 to 3.
2 to 5 are all core Python modules.
pip and wheel is also under the wing of Python Packaging Authority.

Quote:The Python Packaging Authority (PyPA) is a working group that maintains many of the relevant projects in Python packaging.
They host projects on GitHub and Bitbucket, and discuss issues on the pypa-dev and distutils-sig mailing lists.

checkmarx is totally useless running over a whole Python installation.
Can be used to run in with own written source code with used module/libraries in a virtual environment,
but if new to Python and don't know what to look for as vulnerabilities,then it's again totally useless