back to article GitHub to Pythonistas: Let us save you from vulnerable code

GitHub's added Python to the list of programming languages it can auto-scan for known vulnerabilities. In March, the social code-host added Ruby and Javascript libraries to the dependency graph service it announced last year. Afraid of the dark, image via Shutterstock Your code is RUBBISH, says GitHub. Good thing we're here …

  1. Charlie Clark Silver badge

    Looks like they just check the use of libraries used by the code. While the Python language has very few known vulnerabilities, there are a multitude of libraries out there that might have them, for example the handling of some entities in the various XML libraries.

    But there are other static code analysis tools that will do this and more: Sonar, Code Climate (or whatever it's now called). Personally, I really like Quantified Code which was also released as open source.

    1. stephanh

      pickle

      "While the Python language has very few known vulnerabilities"

      What do you consider a known vulnerability?

      From Python docs:

      "The pickle module is not secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.Unpickling data from an untrusted source, allows an attacker arbitrary code execution."

      And of course, tons of other modules use pickle under the hood.

      1. thames

        Re: pickle

        @stephanh said: "What do you consider a known vulnerability?"

        A known vulnerability is something that is supposed to be secure against attack but isn't. Pickle wouldn't count as a vulnerability, because you are essentially just serializing and unserializing executable object code and data. This is something you do between different parts of your own application, not with data from outside. The docs as you said, make this clear. If your application un-pickles data from untrusted sources, the mistake is yours since you were explicitly told not to do that.

        For untrusted data you would use something like JSON. If there were a bug in the JSON decoder which allowed someone to execute arbitrary code, then that would be a vulnerability.

        Most programming language libraries have something to let you execute OS shell commands. That is potentially dangerous if you were to write your application such that anyone could execute arbitrary shell commands via the web interface. However, that wouldn't be a programming language vulnerability, that would a vulnerability in your program since you should not provide a feature that does this.

        Something is a vulnerability when it can do something dangerous that wasn't in the documentation.

  2. Mephistro Silver badge
    Devil

    What?

    A company owned by MS wants to "save us from vulnerable code"?

    LOL, just LOL!

    1. Tomato42 Silver badge

      Re: What?

      I'm quite sure they started working on it well before acquisition

    2. Charlie Clark Silver badge

      Re: What?

      Not everything written by MS is a pile of crap. Yes, Windows is hobbled by shit done years ago but to bang about this all the time is to miss the point.

    3. teknopaul Silver badge

      Re: What?

      Github underestimated how much the OS community dislikes Micro$oft.

      1. Charlie Clark Silver badge

        Re: What?

        Github underestimated how much the OS community dislikes Micro$oft.

        The investors made a packet. That's how Silicon Valley works. Mind you, I suspect that most people won't care especially if they get more free stuff.

        Personally, I've always preferred Bitbucket to Github but think that none of the providers are indispensable.

  3. Tom 7 Silver badge

    Every time I push the GPL to the server it claims its insecure code.

    FTFY. MS Fucked That For You.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019