Many of these Source Code Analysis Tools report way too many false positives.
Quote: Weaknesses
- High numbers of false positives.
If you want to be more secure, use a virtual environment, e.g. venv or pipenv.
pipenv also has detection of security vulnerabilities.
Example:
λ pipenv install requests
Installing requests...
.....
Locking [dev-packages] dependencies...
Locking [packages] dependencies...
Updated Pipfile.lock (444a6d)!
Installing dependencies from Pipfile.lock (444a6d)...
  ================================ 5/5 - 00:00:01
To activate this project's virtualenv, run pipenv shell.
Alternatively, run a command inside the virtualenv with pipenv run.

# Check for Vulnerabilities
C:\a
λ pipenv check
Checking PEP 508 requirements...
Passed!
Checking installed package safety...
All good!

# What's get installed when use Requests graph
C:\a
λ pipenv graph
requests==2.19.1
  - certifi [required: >=2017.4.17, installed: 2018.4.16]
  - chardet [required: >=3.0.2,<3.1.0, installed: 3.0.4]
  - idna [required: >=2.5,<2.8, installed: 2.7]
  - urllib3 [required: >=1.21.1,<1.24, installed: 1.23]

Now you have much better control and can run Checkmarx on what's in the virtual environment.
If it complains about safe stuff, just don't use it.
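An added example, not code from the post above and not part of pipenv itself: it parses the `pipenv graph` output format shown in the post into a pinned dependency list (the kind of list you hand to an audit tool or to a scanner run against the virtual environment) and checks that each installed version actually satisfies the requirement its parent declares. The sample input is constructed: it is the graph from the post plus one hypothetical `example-pkg` line whose installed version violates its requirement, so the mismatch path is exercised. The version comparison is a deliberately simple numeric-tuple compare (no pre-release or local-version handling) so the block runs with the standard library only.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the `pipenv graph` output quoted in the post, plus one
# hypothetical line (example-pkg) whose installed version breaks its requirement.
SAMPLE_GRAPH = """\
requests==2.19.1
  - certifi [required: >=2017.4.17, installed: 2018.4.16]
  - chardet [required: >=3.0.2,<3.1.0, installed: 3.0.4]
  - idna [required: >=2.5,<2.8, installed: 2.7]
  - urllib3 [required: >=1.21.1,<1.24, installed: 1.23]
  - example-pkg [required: <1.0, installed: 1.2.0]
"""

# Top-level line:   "requests==2.19.1"
TOP_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<ver>\S+)$")
# Dependency line:  "  - certifi [required: >=2017.4.17, installed: 2018.4.16]"
# The required field may itself contain commas (">=3.0.2,<3.1.0"), so it is
# matched non-greedily up to the ", installed:" separator.
DEP_RE = re.compile(
    r"^\s*-\s*(?P<name>[A-Za-z0-9_.\-]+)\s*\[required:\s*(?P<req>.*?)"
    r",\s*installed:\s*(?P<inst>[^\]]+)\]\s*$"
)

OPS = {
    ">=": lambda c: c >= 0, "<=": lambda c: c <= 0, "==": lambda c: c == 0,
    "!=": lambda c: c != 0, ">": lambda c: c > 0, "<": lambda c: c < 0,
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2018.4.16' into (2018, 4, 16); non-numeric suffixes are dropped."""
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def compare(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Three-way compare with zero padding so 1.23 == 1.23.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def satisfies(installed: str, spec: str) -> bool:
    """True if `installed` meets every comma-separated clause of `spec`."""
    inst = parse_version(installed)
    for clause in spec.split(","):
        clause = clause.strip()
        if clause.lower() == "any":          # pipenv prints "Any" for no constraint
            continue
        m = re.match(r"(>=|<=|==|!=|>|<)\s*(.+)$", clause)
        if not m:
            raise ValueError(f"unsupported specifier: {clause!r}")
        op, ver = m.groups()
        if not OPS[op](compare(inst, parse_version(ver))):
            return False
    return True


def parse_graph(text: str) -> List[Dict[str, str]]:
    """Flatten graph output into rows of name / required / installed."""
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = TOP_RE.match(line)
        if m:
            rows.append({"name": m["name"], "required": "==" + m["ver"],
                         "installed": m["ver"]})
            continue
        m = DEP_RE.match(line)
        if m:
            rows.append({"name": m["name"], "required": m["req"].strip(),
                         "installed": m["inst"].strip()})
            continue
        raise ValueError(f"unrecognised graph line: {line!r}")
    return rows


def pinned_requirements(text: str) -> List[str]:
    """'name==installed' for every package, in order of first appearance."""
    seen, out = set(), []
    for row in parse_graph(text):
        pin = f"{row['name']}=={row['installed']}"
        if row["name"] not in seen:
            seen.add(row["name"])
            out.append(pin)
    return out


def find_violations(text: str) -> List[Tuple[str, str, str]]:
    """(name, required, installed) for every row whose pin breaks its spec."""
    return [(r["name"], r["required"], r["installed"])
            for r in parse_graph(text)
            if not satisfies(r["installed"], r["required"])]


if __name__ == "__main__":
    for pin in pinned_requirements(SAMPLE_GRAPH):
        print(pin)
    for name, req, inst in find_violations(SAMPLE_GRAPH):
        print(f"VIOLATION: {name} requires {req} but {inst} is installed")
```

Piping real `pipenv graph` output into `parse_graph` gives you the exact set of packages present in the virtual environment, which is what you want to audit rather than whatever happens to be in the global site-packages.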