|
checkmarx python
|
|
Jul-12-2018, 06:23 PM
while running checkmarx in python i am get vulnerabilities of level-HIGH from inbuilt libraries which i did
install with pip.so how should i avoid this now.
Jul-12-2018, 07:30 PM
I wasn't familiar with checkmarx, and just did a quick Google search so if I seem ignorant that would be why...
(Jul-12-2018, 06:23 PM)saisankalpj Wrote: level-HIGH from inbuilt libraries which i didIf you used pip, then they're not built-in. That's what pip is for - getting third party libraries. They're not always trustworthy. (Jul-12-2018, 06:23 PM)saisankalpj Wrote: so how should i avoid this now.If you want to avoid the warnings from checkmarx, then you need to stop using those modules. I can't speak to how reliable checkmarx is in terms of whether it's worth actually stopping using the modules, or if they use whitelist or blacklist. I'm curious as well which modules are being flagged.
Many of these Source Code Analysis Tools report way to much false positives.
Quote:Weaknesses I you want to more secure use virtual environment eg like venv or pipenv. pipenv also has Detection of Security Vulnerabilities Example: λ pipenv install requests Installing requests... ..... Locking [dev-packages] dependencies... Locking [packages] dependencies... Updated Pipfile.lock (444a6d)! Installing dependencies from Pipfile.lock (444a6d)... ================================ 5/5 - 00:00:01 To activate this project's virtualenv, run pipenv shell. Alternatively, run a command inside the virtualenv with pipenv run. # Check for Vulnerabilities C:\a λ pipenv check Checking PEP 508 requirements... Passed! Checking installed package safety... All good! # What's get installed when use Requests graph C:\a λ pipenv graph requests==2.19.1 - certifi [required: >=2017.4.17, installed: 2018.4.16] - chardet [required: >=3.0.2,<3.1.0, installed: 3.0.4] - idna [required: >=2.5,<2.8, installed: 2.7] - urllib3 [required: >=1.21.1,<1.24, installed: 1.23]Now have much better control and can run checkmarx on what's in virtual environment. Do it complain for safe stuff,just don't use it 
Jul-13-2018, 06:32 PM
(Jul-12-2018, 07:30 PM)micseydel Wrote: I wasn't familiar with checkmarx, and just did a quick Google search so if I seem ignorant that would be why...packages like(Jul-12-2018, 06:23 PM)saisankalpj Wrote: level-HIGH from inbuilt libraries which i did install with pipIf you used pip, then they're not built-in. That's what pip is for - getting third party libraries. They're not always trustworthy.(Jul-12-2018, 06:23 PM)saisankalpj Wrote: so how should i avoid this now.If you want to avoid the warnings from checkmarx, then you need to stop using those modules. I can't speak to how reliable checkmarx is in terms of whether it's worth actually stopping using the modules, or if they use whitelist or blacklist. I'm curious as well which modules are being flagged. 1. compat.py 2, site_packages/pkg_resources 3. wheel 4. pip/vendor 5.lib/site.py are giving High vulnerabilities
Jul-13-2018, 08:41 PM
They are for sure all false positives.
compat.py just help convert Python 2 to 3. 2 to 5 are all core Python modules. pip and wheel is also under the wing of Python Packaging Authority.Quote:The Python Packaging Authority (PyPA) is a working group that maintains many of the relevant projects in Python packaging.checkmarx is totally useless running over a whole Python installation. Can be used to run in with own written source code with used module/libraries in a virtual environment, but if new to Python and don't know what to look for as vulnerabilities,then it's again totally useless 
|
|
|
