
What's the best information source for me to follow to keep up to date on these kinds of library vulnerabilities? I would make a feed of the homepages for all the libraries I know I use, but that won't help me with the libraries I use without knowing.


"bandit" (available on PyPI) is a nice static analysis tool. I don't remember if it is able to recurse into dependencies, though.

[safety](https://pyup.io/safety/) is a commercial product that monitors your dependencies for this kind of shenanigans.

LGTM.com seemed to be working in this area; Semmle was acquired by GitHub/Microsoft.


We made a tool that automates that process: https://trustd.dev

It will analyse open-source packages as you install them and tell you of any vulnerabilities before they are even on your system...

meaning it will detect problems in the libraries you aren't thinking about.
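As an added example (not code from trustd.dev, safety, bandit or any other project named in this thread): a minimal version of the check the two comments above describe, a dependency scan that runs against a declared requirements list before anything is installed and reports which pins fall inside an advisory's affected range. The advisory feed, the package names and the advisory IDs are all constructed for illustration; a real tool would pull them from a vulnerability database. Version ordering is simplified here (numeric components only, pre-release suffixes dropped) rather than full PEP 440, which is an assumption of the example.

```python
"""Pre-install dependency check against an advisory feed (added example).

Everything below is illustrative: the advisory feed is constructed, the
advisory IDs are placeholders and the version comparison is simplified.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed advisory feed standing in for a real vulnerability database.
# Affected range is [introduced, fixed): a version is affected if it is at
# least `introduced` and strictly below `fixed`.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "EXAMPLE-ADV-0001", "package": "examplelib",
     "introduced": "1.0.0", "fixed": "1.4.2",
     "summary": "constructed: unsafe deserialization of untrusted input"},
    {"id": "EXAMPLE-ADV-0002", "package": "other-lib",
     "introduced": "0.0.0", "fixed": "2.0.0",
     "summary": "constructed: path traversal in file handling"},
]

Version = Tuple[int, ...]

# One requirement line: name, optional extras, optional operator, version.
REQ_LINE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;#]*)"
)


def normalize_name(name: str) -> str:
    """PEP 503 name normalisation so 'OtherLib' and 'other_lib' both match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> Version:
    """Turn '1.4.2' into (1, 4, 2). Pre-release suffixes such as 'rc1' are
    dropped (simplifying assumption; real tools use PEP 440 ordering)."""
    parts: List[int] = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def parse_requirements(text: str) -> List[Tuple[str, Optional[str]]]:
    """Return (normalised name, pinned version or None) for each requirement.
    Comments, blank lines and pip options ('-r base.txt') are skipped; only an
    exact '==' pin is considered checkable."""
    result: List[Tuple[str, Optional[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = REQ_LINE.match(line)
        if not match:
            continue
        name, op, version = match.groups()
        pinned = version if (op == "==" and version) else None
        result.append((normalize_name(name), pinned))
    return result


def is_affected(version: str, advisory: Dict[str, str]) -> bool:
    """True when `version` lies in the advisory's [introduced, fixed) range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def check_requirements(text: str,
                       advisories: List[Dict[str, str]] = ADVISORIES) -> List[Dict[str, Optional[str]]]:
    """Scan a requirements file body; report vulnerable pins and unpinned
    requirements (which cannot be checked before install resolves them)."""
    by_package: Dict[str, List[Dict[str, str]]] = {}
    for adv in advisories:
        by_package.setdefault(normalize_name(adv["package"]), []).append(adv)

    findings: List[Dict[str, Optional[str]]] = []
    for name, pinned in parse_requirements(text):
        if pinned is None:
            findings.append({"package": name, "version": None, "status": "unpinned",
                             "advisory": None, "fixed": None})
            continue
        for adv in by_package.get(name, []):
            if is_affected(pinned, adv):
                findings.append({"package": name, "version": pinned, "status": "vulnerable",
                                 "advisory": adv["id"], "fixed": adv["fixed"]})
    return findings


# Constructed requirements file for the stand-alone run.
SAMPLE_REQUIREMENTS = """
# constructed sample
examplelib==1.2.0
OtherLib==2.1.0
thirdlib==0.9
unpinned>=1.0
"""

if __name__ == "__main__":
    for f in check_requirements(SAMPLE_REQUIREMENTS):
        if f["status"] == "vulnerable":
            print(f"VULNERABLE {f['package']}=={f['version']}: {f['advisory']} (fixed in {f['fixed']})")
        else:
            print(f"UNPINNED   {f['package']}: cannot check before install resolves a version")
```

Wiring this into an install step means running it over the resolved lock file rather than the loose requirements, since the "unpinned" findings above are exactly the transitive dependencies the original question worries about.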


I saw a recorded conference talk where they mentioned Snyk as a way to keep your eye on package vulns, but I have never used it myself.



