Thoth Security Advises
Thoth allows users to request security advises. When a security-based advise is requested, the pipeline unit SecurityIndicatorsStep is included and the behaviour of CvePenalizationStep changes. SecurityIndicatorsStep aggregates information from si-cloc and si-bandit, which wrap cloc and bandit so that they run against a specific Python package version and produce results that can be stored in Thoth's database. CvePenalizationStep, instead of penalizing a package version for having a known CVE, removes that version from resolution entirely.
This is a living document; as other methods of judging a package's security are added to Thoth, it will be updated to reflect the new ways of scoring.
CVE
Thoth uses the vulnerability database published by the Python Packaging Authority (PyPA), see pypa/advisory-db [1]. This database keeps track of known vulnerabilities in Python packages.
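The following is an added example, not Thoth's own code, showing the difference between the two behaviours of the CVE step: penalizing a package version that matches an advisory versus removing it from resolution when the recommendation type is security. The advisory records are constructed in the OSV shape that pypa/advisory-db uses (affected ranges with introduced/fixed events plus an explicit versions list); the package name "example-lib", the advisory identifiers, the candidate scores and the penalty value are all hypothetical.

```python
"""Added example, not Thoth's code: penalize vs. remove CVE-affected versions.

Advisory records are constructed in the OSV shape used by pypa/advisory-db;
the package, identifiers, scores and penalty are hypothetical.
"""
from __future__ import annotations

from typing import Dict, List, Tuple

# Constructed advisories for a hypothetical package "example-lib".
ADVISORIES: List[dict] = [
    {
        "id": "PYSEC-EXAMPLE-0001",  # hypothetical identifier
        "affected": [
            {
                "package": {"ecosystem": "PyPI", "name": "example-lib"},
                # Half-open range: every release before 1.2.3 is affected.
                "ranges": [
                    {"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.2.3"}]}
                ],
            }
        ],
    },
    {
        "id": "PYSEC-EXAMPLE-0002",  # hypothetical identifier
        "affected": [
            {
                "package": {"ecosystem": "PyPI", "name": "example-lib"},
                # Open-ended range: introduced in 2.0.0, no fix released yet.
                "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "2.0.0"}]}],
                "versions": ["2.0.0"],
            }
        ],
    },
]

# Candidate versions with the score the rest of the pipeline gave them (hypothetical).
CANDIDATES: Dict[str, float] = {"1.0.0": 1.0, "1.1.0": 1.2, "1.2.3": 1.1, "2.0.0": 1.5}
CVE_PENALTY = 0.5  # assumed penalty applied for non-security recommendation types


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a dotted release version into a comparable tuple.

    Trailing zeros are dropped so that "1.2" == "1.2.0". Only final releases
    are handled; a real resolver should use packaging.version.Version, which
    also understands pre-, post- and local versions.
    """
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(package: str, version: str, advisory: dict) -> bool:
    """Return True if ``version`` of ``package`` falls inside the advisory."""
    v = parse_version(version)
    for entry in advisory["affected"]:
        if entry["package"]["name"] != package:
            continue
        if version in entry.get("versions", []):
            return True
        for rng in entry.get("ranges", []):
            if rng.get("type") != "ECOSYSTEM":
                continue
            start = None
            for event in rng["events"]:
                if "introduced" in event:
                    start = (0,) if event["introduced"] == "0" else parse_version(event["introduced"])
                elif "fixed" in event and start is not None:
                    if start <= v < parse_version(event["fixed"]):  # [introduced, fixed)
                        return True
                    start = None
            if start is not None and start <= v:
                return True  # introduced with no fix: everything from start on is affected
    return False


def resolve(package: str, candidates: Dict[str, float], advisories: List[dict],
            recommendation_type: str) -> Dict[str, float]:
    """Apply the CVE step: drop vulnerable versions for "security", else penalize."""
    out: Dict[str, float] = {}
    for version, score in candidates.items():
        vulnerable = any(is_affected(package, version, a) for a in advisories)
        if not vulnerable:
            out[version] = score
        elif recommendation_type != "security":
            out[version] = score - CVE_PENALTY
        # recommendation_type == "security": the version is removed from resolution
    return out


if __name__ == "__main__":
    print("penalize:", resolve("example-lib", CANDIDATES, ADVISORIES, "latest"))
    print("security:", resolve("example-lib", CANDIDATES, ADVISORIES, "security"))
```

With the constructed data, the penalizing mode keeps all four versions but lowers the scores of 1.0.0, 1.1.0 and 2.0.0, while the security mode leaves only 1.2.3 as a resolvable candidate.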
Vulnerability Static Analysis for Containers based on Quay Clair
When using container images provided by the Thoth team, users get additional guidance at the container image level with respect to vulnerabilities. Quay Clair is used to obtain vulnerability reports. These reports are automatically synced into Thoth's knowledge base using prescriptions and are available to users who consume Thoth advisories.
Bandit
Bandit [2] is a project created by the PyCQA (Python Code Quality Authority). It parses Python code into an abstract syntax tree (AST) and runs static checks looking for common security issues in Python. Bandit classifies each issue by severity and confidence.
cloc
cloc [3] is a command line tool that counts lines of code. Thoth uses it as a normalizer for the security score: a single high-severity, high-confidence issue in a small Python project is much more concerning than the same issue found in a large project.
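The following is an added example, not Thoth's own code, of the normalization described above: Bandit findings are weighted by severity and confidence and then scaled by the number of Python lines cloc counted, so the same single B602 finding scores far higher in a 200-line package than in a 20,000-line one. The two reports are constructed in the shapes that `bandit -f json` and `cloc --json` emit; the weights and the "per 1000 lines" scale are assumptions, not Thoth's actual scoring formula.

```python
"""Added example, not Thoth's code: Bandit findings normalized by cloc line count.

Reports are constructed in the shapes of `bandit -f json` and `cloc --json`;
the weights and the per-1000-lines scale are assumptions.
"""
from typing import List

# Assumed weights: severity dominates, confidence discounts uncertain findings.
SEVERITY_WEIGHT = {"LOW": 1.0, "MEDIUM": 3.0, "HIGH": 9.0}
CONFIDENCE_WEIGHT = {"LOW": 0.25, "MEDIUM": 0.5, "HIGH": 1.0}

# Constructed Bandit result: one subprocess call with shell=True (B602),
# which Bandit reports as HIGH severity / HIGH confidence.
BANDIT_REPORT = {
    "results": [
        {
            "test_id": "B602",
            "test_name": "subprocess_popen_with_shell_equals_true",
            "issue_severity": "HIGH",
            "issue_confidence": "HIGH",
            "filename": "example_pkg/runner.py",  # hypothetical path
            "line_number": 17,
        }
    ]
}

# Constructed cloc reports for a small and a large package; only the "Python"
# entry is used here (cloc also emits "header" and "SUM" entries).
CLOC_SMALL = {"Python": {"nFiles": 3, "blank": 40, "comment": 20, "code": 200}}
CLOC_LARGE = {"Python": {"nFiles": 180, "blank": 4000, "comment": 2500, "code": 20000}}


def weighted_issue_score(results: List[dict]) -> float:
    """Sum severity x confidence weights over Bandit findings."""
    return sum(
        SEVERITY_WEIGHT[r["issue_severity"]] * CONFIDENCE_WEIGHT[r["issue_confidence"]]
        for r in results
    )


def normalized_score(bandit_report: dict, cloc_report: dict, per_lines: int = 1000) -> float:
    """Weighted Bandit score per ``per_lines`` lines of Python code.

    A package in which cloc found no Python code (for example a pure data
    package) gets 0.0 rather than a division by zero.
    """
    loc = cloc_report.get("Python", {}).get("code", 0)
    if loc <= 0:
        return 0.0
    return weighted_issue_score(bandit_report["results"]) * per_lines / loc


if __name__ == "__main__":
    print("small package:", normalized_score(BANDIT_REPORT, CLOC_SMALL))  # 45.0
    print("large package:", normalized_score(BANDIT_REPORT, CLOC_LARGE))  # 0.45
```

The ratio between the two results is exactly the ratio of their line counts, which is the point of the normalization: the raw finding count alone would rate both packages identically.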
Security Scorecards for Open Source Projects
The Open Source Security Foundation (OpenSSF) provides Security Scorecards for open-source projects. Thoth uses scorecards in recommendations to provide additional knowledge about Python packages to users. If you are interested, see the list of scorecard checks available.
The Security Scorecards used in Thoth are available in the thoth-station/prescriptions repository.
Quay security scans of container images
Another source of security information is data from Quay [4] security scanners. Quay scans container images for security vulnerabilities. Information about vulnerabilities in container images is automatically aggregated by Thoth's background data aggregation logic for the container images provided by the Thoth team. By using these container images, users get fine-grained visibility into vulnerabilities present at the container image level in addition to those in their software stacks.
Using security advises in OpenShift S2I
Thoth's integration in OpenShift S2I can block builds of Python applications that are potentially vulnerable. By setting recommendation_type to security, the build fails if any package in the resolved stack is considered vulnerable.