safety's People

Contributors

4383, ayeks, bagerard, cb22, cclauss, chowmean, engnadeau, eschluntz, filipochnik, harlekeyn, jayfk, jorgecarleitao, jwomers, kvnekrasov, lesleycla, lf1up, maratsh, mgedmin, msmolens, mwermuth, nicholasks, peterdavehello, pyup-bot, rafaelpivato, redshiftzero, sobolevn, svenevs, tarmack, thatarchguy, yeisonvargasf

safety's Issues

AttributeError: 'Requirement' object has no attribute 'project_name' for VCS requirements

  • safety version: 1.5.0
  • Python version: 2.7.6
  • Operating System: Ubuntu Trusty

Description

$SUBJ when there's a git requirement, like for example this:

-e git+https://github.com/jdunck/python-unicodecsv#egg=unicodecsv

Here's the traceback:

$  safety check -r requirements.txt
Traceback (most recent call last):
  File "/home/vagrant/build/venv/bin/safety", line 11, in <module>
    sys.exit(cli())
  File "/home/vagrant/build/venv/local/lib/python2.7/site-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/home/vagrant/build/venv/local/lib/python2.7/site-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/home/vagrant/build/venv/local/lib/python2.7/site-packages/click/core.py", line 1066, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/home/vagrant/build/venv/local/lib/python2.7/site-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/home/vagrant/build/venv/local/lib/python2.7/site-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/home/vagrant/build/venv/local/lib/python2.7/site-packages/safety/cli.py", line 55, in check
    vulns = safety.check(packages=packages, key=key, db_mirror=db, cached=cache, ignore_ids=ignore)
  File "/home/vagrant/build/venv/local/lib/python2.7/site-packages/safety/safety.py", line 132, in check
    for pkg in packages:
  File "/home/vagrant/build/venv/local/lib/python2.7/site-packages/safety/util.py", line 81, in read_requirements
    req=req.project_name),
AttributeError: 'Requirement' object has no attribute 'project_name'

AttributeError: Requirement instance has no attribute 'name'

  • safety version: 1.1.1
  • Python version: 2.7
  • Operating System: RHEL7

Description

Whenever safety stumbles over unpinned requirements, it fails with an exception:

This is the result:

Traceback (most recent call last):
  File "/opt/virtualenv/safety/bin/safety", line 11, in <module>
    sys.exit(cli())
  File "/opt/virtualenv/safety/lib/python2.7/site-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/opt/virtualenv/safety/lib/python2.7/site-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/opt/virtualenv/safety/lib/python2.7/site-packages/click/core.py", line 1066, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/opt/virtualenv/safety/lib/python2.7/site-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/opt/virtualenv/safety/lib/python2.7/site-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/opt/virtualenv/safety/lib/python2.7/site-packages/safety/cli.py", line 40, in check
    vulns = safety.check(packages=packages, key=key, db_mirror=db, cached=cache)
  File "/opt/virtualenv/safety/lib/python2.7/site-packages/safety/safety.py", line 130, in check
    for pkg in packages:
  File "/opt/virtualenv/safety/lib/python2.7/site-packages/safety/util.py", line 81, in read_requirements
    req=req.name),
AttributeError: Requirement instance has no attribute 'name'

This happens both with unpinned versions in requirements.txt and with unpinned versions in the pip freeze output (e.g. git snapshots).

In my setup the parsed requirement req, which is accessed on line 81 in utils.py, only has the following attributes:

['specifier', 'project_name', 'unsafe_name', 'key', 'hashCmp', '_Requirement__hash', 'specs', 'extras']

It looks like you are trying to access the name attribute of a Requirement, which should not be present according to setuptools' documentation.

Load and pretty-print previously saved results

  • safety version: 1.8.1 (current at the moment)
  • Python version: 3.6.3
  • Operating System: Debian 8 (Docker container)

Description

This is a feature suggestion.
It'd be nice to be able to recall the saved results in the tidy way safety displays.

Firstly, a user may run the check and save its result:

safety check --json > vulns_2018-06-26.json

To review the pretty-printed result later, do:

safety review --stdin < vulns_2018-06-26.json
# Alternatively, 
safety review --file=vulns_2018-06-26.json

safety reads the input JSON and displays its readings:

╒══════════════════════════════════════════════════════════════════════════════╕
│                                                                              │
│                               /$$$$$$            /$$                         │
│                              /$$__  $$          | $$                         │
│           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           │
│          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           │
│         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           │
│          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           │
│          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           │
│         |_______/  \_______/|__/     \_______/   \___/   \____  $$           │
│                                                          /$$  | $$           │
│                                                         |  $$$$$$/           │
│  by pyup.io                                              \______/            │
│                                                                              │
╞══════════════════════════════════════════════════════════════════════════════╡
│ REPORT                                                                       │
│ checked 144 packages, using default DB                                       │
╞════════════════════════════╤═══════════╤══════════════════════════╤══════════╡
│ package                    │ installed │ affected                 │ ID       │
╞════════════════════════════╧═══════════╧══════════════════════════╧══════════╡
│ pyjwt                      │ 1.5.0     │ <1.5.1                   │ 35014    │
│ newrelic                   │ 2.78.0.57 │ >=1.1.0.192,<=2.106.0.87 │ 35805    │
╘══════════════════════════════════════════════════════════════════════════════╛

Adding --bare and --full-report support would be great, too.

What I Did

I thought of this idea.

Lower bound of versions affected by a vulnerability is ignored

  • safety version: 1.6.0

Description

For example Pillow==2.4.0 is not affected by CVE-2016-3076 but it's still shown as vulnerable.

What I Did

$ safety check --full-report
pillow                     │ 2.4.0     │ <3.1.2                   │ 25943
pillow before 3.1.2 is vulnerable to an integer overflow in Jpeg2KEncode.c causing a buffer overflow. CVE-2016-3076.

Python 2.6 & 3.3 are EoL and blocking CI

  • safety version: n/a
  • Python version: n/a
  • Operating System: n/a

Description

Recursive requirements crashing from stdin

  • safety version: 1.8.1
  • Python version: 3.5.5
  • Operating System: ubuntu 16.04 (via the ubuntu:16.04 docker image) (also for OSX 10.13.4 (17E199))

Description

Run safety on a requirements file with a recursive requirement from --stdin, e.g. -r requirements.txt from requirements-dev.txt

what happened/what went wrong: safety crashed
what you expected to happen: safety not to crash and check the remaining lines. Logging a warning to stderr would be good too.

What I Did

wget https://raw.githubusercontent.com/mozilla/pontoon/6fe02c4734d6f60df45dd2f829cfdc3d40faa9b6/requirements-dev.txt

If there was a crash, please include the traceback here.

Traceback (most recent call last):
  File "/usr/local/bin/safety", line 11, in <module>
    sys.exit(cli())
  File "/usr/local/lib/python3.5/dist-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.5/dist-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.5/dist-packages/click/core.py", line 1066, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.5/dist-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.5/dist-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python3.5/dist-packages/safety/cli.py", line 63, in check
    vulns = safety.check(packages=packages, key=key, db_mirror=db, cached=cache, ignore_ids=ignore)
  File "/usr/local/lib/python3.5/dist-packages/safety/safety.py", line 133, in check
    name = pkg.key.replace("_", "-").lower()
AttributeError: 'RequirementFile' object has no attribute 'key'

PyYAML, required by dparse, has vulnerability, so safety check always fails

  • safety version: 1.8.1
  • Python version: 3.6.5
  • Operating System: MacOS High Sierra and CentOS Linux release 7.2.1511

Description

I'm trying to run safety check --full-report. I expect the check to pass, but it fails with a pyyaml vulnerability. Safety has a dependency on dparse, which has a dependency on pyyaml. I'm running safety against a package (no requirements.txt), so it falls back to checking installed packages via pip's API. This means that any dependencies of safety or its sub-dependencies are also checked.

What I Did

I'm running safety via tox:

$ tox -r -e scan-deps                                                               10s 649ms
GLOB sdist-make: /Users/rleland/myproject/setup.py
scan-deps recreate: /Users/rleland/myproject/.tox/scan-deps
scan-deps installdeps: safety==1.8.1
scan-deps inst: /Users/rleland/myproject/.tox/dist/myproject-1.1.3.zip
scan-deps installed: myproject==1.1.3,certifi==2018.4.16,chardet==3.0.4,click==6.7,dparse==0.4.1,idna==2.7,packaging==17.1,pyparsing==2.2.0,PyYAML==3.13,requests==2.19.1,safety==1.8.1,six==1.11.0,urllib3==1.23
scan-deps runtests: PYTHONHASHSEED='2113859831'
scan-deps runtests: commands[0] | safety check --full-report
╒══════════════════════════════════════════════════════════════════════════════╕
│                                                                              │
│                               /$$$$$$            /$$                         │
│                              /$$__  $$          | $$                         │
│           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           │
│          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           │
│         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           │
│          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           │
│          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           │
│         |_______/  \_______/|__/     \_______/   \___/   \____  $$           │
│                                                          /$$  | $$           │
│                                                         |  $$$$$$/           │
│  by pyup.io                                              \______/            │
│                                                                              │
╞══════════════════════════════════════════════════════════════════════════════╡
│ REPORT                                                                       │
│ checked 16 packages, using pyup.io's DB                                      │
╞════════════════════════════╤═══════════╤══════════════════════════╤══════════╡
│ package                    │ installed │ affected                 │ ID       │
╞════════════════════════════╧═══════════╧══════════════════════════╧══════════╡
│ pyyaml                     │ 3.13      │ <4                       │ 36333    │
╞══════════════════════════════════════════════════════════════════════════════╡
│ pyyaml before 4 uses ``yaml.load`` which has been assigned CVE-2017-18342.   │
╘══════════════════════════════════════════════════════════════════════════════╛

There doesn't appear to be a non-pre-release version of PyYAML on PyPI of version 4.

There are ways for me to work around this (add ignore, create and maintain requirements alongside setup.py, etc.) but I thought it might be helpful for anyone else that runs into this. Curious what your thoughts are too around some way to check only non-dev dependencies. I really like checking whatever pip has installed, but that will always catch everything installed.

Fails when there is any package info from git.

  • safety version: Latest
  • Python version: 2.7
  • Operating System: MACOS

Description

I was trying to run safety and it fails because there were entries which contain something like 'git+git...' in requirements.lock

Expected version spec in git+git://github.com/*** at +git://github.com/***

What we can do

We can put the version check in a try/catch, maybe.

Output vulnerable packages to stderr

Description

This is a feature request.

It would be nice if, when running in CI mode, safety could output the errors to stderr.
In this way, it would be easier to highlight them in the whole CI output.

I see that the current design for the formatter/reporter does not make it easy to distinguish between the normal banner and extra formatting and the actual error report.

So at this point, I don't know if it makes sense to redesign, but I just wanted to report this so that, in case there is a redesign for this part of the code, you can consider making this type of filtering easier :)

Thanks for the nice tool!

dparse 0.4.0 breaks safety

  • safety version: 1.8.0
  • Python version: 3.6
  • Operating System: Container build (debian python container)

Description

safety check no longer runs. Suspect breaking API change in new version of dparse.

What I Did

Clean install of safety, followed by safety check. Produces stack trace:

$ safety check
Traceback (most recent call last):
  File "/usr/local/bin/safety", line 7, in <module>
    from safety.cli import cli
  File "/usr/local/lib/python3.6/site-packages/safety/cli.py", line 9, in <module>
    from safety.util import read_requirements
  File "/usr/local/lib/python3.6/site-packages/safety/util.py", line 1, in <module>
    from dparse.parser import setuptools_parse_requirements_backport as _parse_requirements
  File "/usr/local/lib/python3.6/site-packages/dparse/__init__.py", line 9, in <module>
    from .parser import parse
  File "/usr/local/lib/python3.6/site-packages/dparse/parser.py", line 31, in <module>
    from .vendor import toml
ModuleNotFoundError: No module named 'dparse.vendor'

Seems to have occurred on dependency being resolved from dparse version 0.3.0 to 0.4.0.

Windows compat?

(Transferred from pyupio/safety-db#2249).

Thanks for posting this tool, looks very promising!

I just tried this on Windows and I got an error:

  safety\formatter.py", line 27, in get_terminal_size
    rows, columns = subprocess.check_output(['stty', 'size']).split()
WindowsError: [Error 2] Le fichier spécifié est introuvable

I guess the stty command is not available on Windows. There is an API to get this information. Would you be willing to accept a patch to fix this?

Thanks!

Nested requirements.txt files are not processed

  • safety version: 0.3.0
  • Python version: 3.5.1
  • Operating System: Ubuntu 16.04

Description

safety can't handle nested requirements.txt files.

What I Did

For example, there are 3 files: main.txt, dev.txt, requirements.txt:

  • main.txt
    django==1.10.3
    celery==3.1.23
  • dev.txt
    ipython==5.1.0
    pytest==3.0.3
    fake-factory=0.5.7
  • requirements.txt
    -r main.txt
    -r dev.txt

Run safety:

$ cat requirements.txt | safety check --stdin

Traceback (most recent call last):
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/pkg_resources/_vendor/packaging/requirements.py", line 90, in __init__
    req = REQUIREMENT.parseString(requirement_string)
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/pkg_resources/_vendor/pyparsing.py", line 1617, in parseString
    raise exc
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/pkg_resources/_vendor/pyparsing.py", line 1607, in parseString
    loc, tokens = self._parse( instring, 0 )
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/pkg_resources/_vendor/pyparsing.py", line 1379, in _parseNoCache
    loc,tokens = self.parseImpl( instring, preloc, doActions )
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/pkg_resources/_vendor/pyparsing.py", line 3376, in parseImpl
    loc, exprtokens = e._parse( instring, loc, doActions )
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/pkg_resources/_vendor/pyparsing.py", line 1379, in _parseNoCache
    loc,tokens = self.parseImpl( instring, preloc, doActions )
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/pkg_resources/_vendor/pyparsing.py", line 3698, in parseImpl
    return self.expr._parse( instring, loc, doActions, callPreParse=False )
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/pkg_resources/_vendor/pyparsing.py", line 1379, in _parseNoCache
    loc,tokens = self.parseImpl( instring, preloc, doActions )
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/pkg_resources/_vendor/pyparsing.py", line 3359, in parseImpl
    loc, resultlist = self.exprs[0]._parse( instring, loc, doActions, callPreParse=False )
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/pkg_resources/_vendor/pyparsing.py", line 1383, in _parseNoCache
    loc,tokens = self.parseImpl( instring, preloc, doActions )
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/pkg_resources/_vendor/pyparsing.py", line 2670, in parseImpl
    raise ParseException(instring, loc, self.errmsg, self)
pkg_resources._vendor.pyparsing.ParseException: Expected W:(abcd...) (at char 0), (line:1, col:1)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/pkg_resources/__init__.py", line 2873, in __init__
    super(Requirement, self).__init__(requirement_string)
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/pkg_resources/_vendor/packaging/requirements.py", line 94, in __init__
    requirement_string[e.loc:e.loc + 8]))
pkg_resources.extern.packaging.requirements.InvalidRequirement: Invalid requirement, parse error at "'-r main.'"

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/vagrant/venvs/abcd-xyz/bin/safety", line 11, in <module>
    sys.exit(cli())
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/click/core.py", line 716, in __call__
    return self.main(*args, **kwargs)
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/click/core.py", line 696, in main
    rv = self.invoke(ctx)
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/click/core.py", line 1060, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/click/core.py", line 889, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/click/core.py", line 534, in invoke
    return callback(*args, **kwargs)
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/safety/cli.py", line 40, in check
    vulns = safety.check(packages=packages)
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/safety/safety.py", line 54, in check
    for pkg in packages:
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/safety/cli.py", line 16, in read_requirements
    for req in parse_requirements(fh.read()):
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/pkg_resources/__init__.py", line 2866, in parse_requirements
    yield Requirement(line)
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/pkg_resources/__init__.py", line 2875, in __init__
    raise RequirementParseError(str(e))
pkg_resources.RequirementParseError: Invalid requirement, parse error at "'-r main.'"

Bring warnings to a valid JSON output

  • safety version: 1.8.1
  • Python version: 3.6.5
  • Operating System: MacOSX

Description

If a requirements.txt file has unpinned entries, parsing output with --json is difficult, as the warnings are not in the data structure.

What I Did

I ran safety check --json -r ./requirements.txt against a requirements file that had unpinned entries, and received some warnings, as expected. However the warnings were logged to stdout, outside the json structure, meaning the tools couldn't safely parse the output:

Warning: unpinned requirement 'simplejson' found in ./requirements.txt, unable to check.
[]

Perhaps these should be in the json, with the module name, perhaps empty version strings, and the description field containing the warning message.

Implicit dependency on pip

  • safety version: master, 1.7.0, 0.5.1
  • Python version: any
  • Operating System: any

Description

Somewhat related to #90, safety has a dependency on pip which is not declared in the requirements.

Instead, requirements_dev.txt has pip==9.0.1

Currently the listed dependencies are

  • Click>=6.0
  • requests
  • packaging
  • dparse>=0.2.1

dparse master depends on pipenv, which depends on pip, but dparse latest release 0.2.1 does not include pip as a dependency, so on a brand new install of Python, running setup.py results in a missing dependency, unless ensurepip is used. Not a very likely scenario, but still not desirable.

But more importantly, it is nice to declare dependencies in the package metadata. Especially when that dependency has forever said that it isn't a library to be imported ;-)

Support for URLs in input requirements.txt files

Hi,

This is a feature request.

Let's start by stating that, following the spec, URLs to tarballs are part of the requirements file format:
https://pip.readthedocs.io/en/1.1/requirements.html#requirements-file-format

Now, the pkg_resources.parse_requirements function used by safety does not support them:
https://github.com/pypa/setuptools/blob/master/pkg_resources/__init__.py#L2850
It raises a RequirementParseError: Invalid requirement, parse error.

I had a look at how they handle this in pip, and it's ugly:
https://github.com/pypa/pip/blob/master/pip/req/req_set.py#L690

pip-tools does not support them. It actually crashes in a bad way if you try so: jazzband/pip-tools#416

By the way, URLs to tarballs specified as editable requirements (with -e) work fine: curiously, pkg_resources.parse_requirements handles them perfectly well.

What do you think? Should safety handle them?

Support for constraints file?

  • safety version: 1.8.1 (latest at the moment)
  • Python version: 3.6.2
  • Operating System: Debian 8 (Docker container)

Description

This is a feature suggestion.
My project has a constraints file (i.e. constraints.txt) which pins the libraries' versions.
I was wondering if there's a plan to support constraints, e.g.

safety check -r requirements.txt -c constraints.txt

What I Did

In the meantime, I'm working around it by actually installing the requirements and then running safety in stdin mode:

pip install -r requirements.txt -c constraints.txt 
pip freeze | safety check --stdin

Nice project. Cheers!

Safety does not check multiple versions of a library from a single file

  • safety version: 1.5.1
  • Python version: 2.7.13
  • Operating System: Arch Linux

Description

When putting multiple versions of a library in a file, safety does not check each version.
This would be a useful feature for people hosting a local pypi repository that needs libraries vetted for vulnerabilities.

What I Did

$ cat list.txt 
insecure-package==0.0.9
insecure-package==0.1
insecure-package==0.2

$ safety check -r list.txt --full-report --json
[
    [
        "insecure-package", 
        "<0.2.0", 
        "0.0.9", 
        "This is an insecure package with lots of exploitable security vulnerabilities.", 
        "25853"
    ]
]

What I Expect

$ safety check -r list.txt --full-report --json
[
    [
        "insecure-package", 
        "<0.2.0", 
        "0.0.9", 
        "This is an insecure package with lots of exploitable security vulnerabilities.", 
        "25853"
    ],
   [
        "insecure-package", 
        "<0.2.0", 
        "0.1.0", 
        "This is an insecure package with lots of exploitable security vulnerabilities.", 
        "25853"
    ]
]
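
Added example (not safety's own code) that serves the two requests above, "Bring warnings to a valid JSON output" and this one, and also the earlier crashes on -r includes, unpinned and VCS lines: a small checker that keeps warnings inside the JSON document and matches every pinned (package, version) pair, so the list.txt case yields two findings. The sample files, the in-memory DB entry for insecure-package (id 25853, affected <0.2.0) and the function names are constructed here; version matching is a simplified numeric comparison, not the packaging library's.

```python
"""Added example, not safety's code: one JSON document, warnings included."""
import json
import re
from itertools import zip_longest

# Constructed sample "files": requirements.txt nests main.txt and dev.txt via -r,
# main.txt lists three versions of one package, dev.txt has an unpinned and a VCS line.
FILES = {
    "requirements.txt": "-r main.txt\n-r dev.txt\n",
    "main.txt": "insecure-package==0.0.9\ninsecure-package==0.1\ninsecure-package==0.2\n",
    "dev.txt": "simplejson\n"
               "-e git+https://github.com/jdunck/python-unicodecsv#egg=unicodecsv\n"
               "# a comment line\n",
}
# Constructed vulnerability DB: package -> [(affected spec set, advisory id, description)]
DB = {
    "insecure-package": [("<0.2.0", "25853",
        "This is an insecure package with lots of exploitable security vulnerabilities.")],
}

_CLAUSE = re.compile(r"^(<=|>=|==|!=|<|>)\s*(\d+(?:\.\d+)*)$")
_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*(\d+(?:\.\d+)*)$")
_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
        ">=": lambda c: c >= 0, "==": lambda c: c == 0, "!=": lambda c: c != 0}


def compare_versions(a, b):
    """-1, 0 or 1 for dotted numeric versions; missing parts count as 0, so 0.2 == 0.2.0."""
    pa = [int(p) for p in a.split(".")]
    pb = [int(p) for p in b.split(".")]
    for x, y in zip_longest(pa, pb, fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0


def version_affected(version, spec_set):
    """True only if every comma-separated clause holds, so a lower bound excludes old releases."""
    for clause in spec_set.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError("unsupported spec clause: %r" % clause)
        op, bound = m.groups()
        if not _OPS[op](compare_versions(version, bound)):
            return False
    return True


def parse_requirements(name, files, seen=None):
    """Yield ('pinned', pkg, version, file) or ('warning', msg); -r lines are followed, not parsed."""
    if seen is None:
        seen = set()
    if name in seen:              # guard against a -> b -> a include loops
        yield ("warning", "circular include of %s skipped" % name)
        return
    seen.add(name)
    for raw in files[name].splitlines():
        # pip treats '#' as a comment only at line start or after whitespace,
        # so the '#egg=' fragment of a VCS URL survives this strip
        line = re.sub(r"(?:^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        if line.startswith(("-r ", "--requirement ")):
            yield from parse_requirements(line.split(None, 1)[1].strip(), files, seen)
            continue
        if line.startswith("-") or "://" in line:   # -e, -c, VCS and URL lines
            yield ("warning", "unsupported line %r in %s, skipped" % (line, name))
            continue
        m = _PIN.match(line)
        if m:   # normalise the name the way the traceback above shows safety doing it
            yield ("pinned", m.group(1).lower().replace("_", "-"), m.group(2), name)
        else:
            pkg = re.split(r"[\s<>=!~;\[]", line, maxsplit=1)[0]
            yield ("warning", "unpinned requirement %r found in %s, unable to check."
                   % (pkg, name))


def check_requirements(entry, files, db):
    """Match each pinned pair separately (no dedup by name); warnings ride in the same dict."""
    result = {"vulnerabilities": [], "warnings": []}
    for item in parse_requirements(entry, files):
        if item[0] == "warning":
            result["warnings"].append(item[1])
            continue
        _, pkg, version, src = item
        for spec_set, vuln_id, description in db.get(pkg, []):
            if version_affected(version, spec_set):
                result["vulnerabilities"].append({
                    "package": pkg, "affected": spec_set, "installed": version,
                    "description": description, "id": vuln_id, "file": src})
    return result


def report_json(entry, files, db):
    """Single JSON document; a CI consumer can json.loads() it unconditionally."""
    return json.dumps(check_requirements(entry, files, db), indent=2)
```

Running `print(report_json("requirements.txt", FILES, DB))` lists the 0.0.9 and 0.1 findings under "vulnerabilities" and the simplejson and git+ lines under "warnings".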

--full-report is a noop on master

  • safety version: master (3b37e25)
  • Python version: Any
  • Operating System: Any

Description

Even though it's still in --help, it looks like --full-report argument is ignored, and there's no way on master to show additional information about vulnerabilities found. Is that intentional? Is the option to see details of vulnerabilities going to be removed?

NameError: global name 'FileNotFoundError' is not defined

  • safety version: 1.0.0
  • Python version: 2.7.13
  • Operating System: macOS 10.12.3

Description

Installed safety fresh and ran safety check.
Got a NameError: global name 'FileNotFoundError' is not defined error.

What I Did

(hic) ➜  HiConversion pip install -U safety
Collecting safety
  Downloading safety-1.0.0-py2.py3-none-any.whl
Requirement already up-to-date: packaging in /Users/kulapard/virtualenvs/hic/lib/python2.7/site-packages (from safety)
Collecting requests (from safety)
  Using cached requests-2.13.0-py2.py3-none-any.whl
Collecting setuptools>=16 (from safety)
  Using cached setuptools-34.3.2-py2.py3-none-any.whl
Requirement already up-to-date: Click>=6.0 in /Users/kulapard/virtualenvs/hic/lib/python2.7/site-packages (from safety)
Requirement already up-to-date: six in /Users/kulapard/virtualenvs/hic/lib/python2.7/site-packages (from packaging->safety)
Collecting pyparsing (from packaging->safety)
  Using cached pyparsing-2.2.0-py2.py3-none-any.whl
Collecting appdirs>=1.4.0 (from setuptools>=16->safety)
  Using cached appdirs-1.4.3-py2.py3-none-any.whl
Installing collected packages: requests, appdirs, setuptools, safety, pyparsing
  Found existing installation: requests 2.9.1
    Uninstalling requests-2.9.1:
      Successfully uninstalled requests-2.9.1
  Found existing installation: appdirs 1.4.0
    Uninstalling appdirs-1.4.0:
      Successfully uninstalled appdirs-1.4.0
  Found existing installation: setuptools 34.2.0
    Uninstalling setuptools-34.2.0:
      Successfully uninstalled setuptools-34.2.0
  Found existing installation: safety 0.6.0
    Uninstalling safety-0.6.0:
      Successfully uninstalled safety-0.6.0
  Found existing installation: pyparsing 2.1.10
    Uninstalling pyparsing-2.1.10:
      Successfully uninstalled pyparsing-2.1.10
Successfully installed appdirs-1.4.3 pyparsing-2.2.0 requests-2.13.0 safety-1.0.0 setuptools-34.3.2
(hic) ➜  HiConversion safety check
class _(tuple):
    '_(rows,)'

    __slots__ = ()

    _fields = ('rows',)

    def __new__(_cls, rows,):
        'Create new instance of _(rows,)'
        return _tuple.__new__(_cls, (rows,))

    @classmethod
    def _make(cls, iterable, new=tuple.__new__, len=len):
        'Make a new _ object from a sequence or iterable'
        result = new(cls, iterable)
        if len(result) != 1:
            raise TypeError('Expected 1 arguments, got %d' % len(result))
        return result

    def __repr__(self):
        'Return a nicely formatted representation string'
        return '_(rows=%r)' % self

    def _asdict(self):
        'Return a new OrderedDict which maps field names to their values'
        return OrderedDict(zip(self._fields, self))

    def _replace(_self, **kwds):
        'Return a new _ object replacing specified fields with new values'
        result = _self._make(map(kwds.pop, ('rows',), _self))
        if kwds:
            raise ValueError('Got unexpected field names: %r' % kwds.keys())
        return result

    def __getnewargs__(self):
        'Return self as a plain tuple.  Used by copy and pickle.'
        return tuple(self)

    __dict__ = _property(_asdict)

    def __getstate__(self):
        'Exclude the OrderedDict from pickling'
        pass

    rows = _property(_itemgetter(0), doc='Alias for field number 0')


Traceback (most recent call last):
  File "/Users/kulapard/virtualenvs/hic/bin/safety", line 11, in <module>
    sys.exit(cli())
  File "/Users/kulapard/virtualenvs/hic/lib/python2.7/site-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/Users/kulapard/virtualenvs/hic/lib/python2.7/site-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/Users/kulapard/virtualenvs/hic/lib/python2.7/site-packages/click/core.py", line 1066, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/Users/kulapard/virtualenvs/hic/lib/python2.7/site-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/Users/kulapard/virtualenvs/hic/lib/python2.7/site-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/Users/kulapard/virtualenvs/hic/lib/python2.7/site-packages/safety/cli.py", line 41, in check
    click.secho(report(vulns=vulns, full=full_report))
  File "/Users/kulapard/virtualenvs/hic/lib/python2.7/site-packages/safety/formatter.py", line 127, in report
    size = get_terminal_size()
  File "/Users/kulapard/virtualenvs/hic/lib/python2.7/site-packages/safety/formatter.py", line 14, in get_terminal_size
    except (ValueError, FileNotFoundError):
NameError: global name 'FileNotFoundError' is not defined

Error 'dict' object has no attribute 'split' when using Safety API

  • safety version: 1.4.0
  • Python version: 3.5.2
  • Operating System: OS X 10.11.6

Description

I was trying to check the requirements packages using the Safety API (using the key) and an exception was raised.

Obs.: using the Safety DB without the key, it works.

What I Did

Traceback (most recent call last):
  File "/path_to_virtualenv/bin/safety", line 11, in <module>
    sys.exit(cli())
  File "/path_to_virtualenv/lib/python3.5/site-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/path_to_virtualenv/lib/python3.5/site-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/path_to_virtualenv/lib/python3.5/site-packages/click/core.py", line 1066, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/path_to_virtualenv/lib/python3.5/site-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/path_to_virtualenv/lib/python3.5/site-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/path_to_virtualenv/lib/python3.5/site-packages/safety/cli.py", line 55, in check
    vulns = safety.check(packages=packages, key=key, db_mirror=db, cached=cache, ignore_ids=ignore)
  File "/path_to_virtualenv/lib/python3.5/site-packages/safety/safety.py", line 140, in check
    spec_set = SpecifierSet(specifiers=specifier)
  File "/path_to_virtualenv/lib/python3.5/site-packages/packaging/specifiers.py", line 594, in __init__
    specifiers = [s.strip() for s in specifiers.split(",") if s.strip()]
AttributeError: 'dict' object has no attribute 'split'

Also

With the Safety API the exception is raised and the specifiers field got this content:
{'type': 'cve', 'cve': 'CVE-2009-2659', 'advisory': 'The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does not properly map URL requests to expected "static media files," which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a crafted URL.', 'specs': ['<1.0'], 'id': 'pyup.io-25694'}

But using the Safety DB it works and the specifiers field got this kind of content:
'<1.0'

Input filenames instead of --stdin

--stdin is rather inflexible in that it requires a shell or other means of piping data to the executable.

I'm proposing a --input-file which works similarly but obsoletes --stdin

cat requirements.txt | safety --stdin becomes safety -- requirements.txt

echo 'x==1' | safety --stdin becomes echo 'x==1' | safety -- /dev/stdin

etc.

Add indicator what DB is being used

Thanks to @JochenABC for the suggestion

In the standard output: Indicate whether the API Key or the (older)
free db was used for this scan. For us it is difficult to determine
since we run safety check --key=${SAFETY_CHECK_API_KEY} in a CI job and
the env var gets injected by CI.

Env var injection not set in CI because of misconfig -> "safety check
--key=" is run -> we run on public db

Env var injection works -> safety check --key=verysrect is run -> we run
on the latest db

UnicodeEncodeError

  • safety version: 0.5.1
  • Python version: 2.7.6
  • Operating System: Ubuntu 14.04 LTS

Description

Full report with non-ascii data causes UnicodeEncodeError

What I Did

$ echo 'cryptography==1.3.2' | safety check --stdin --full-report
Traceback (most recent call last):
  File "/home/tkontusz/.local/bin/safety", line 11, in <module>
    sys.exit(cli())
  File "/home/tkontusz/.local/venvs/safety/local/lib/python2.7/site-packages/click/core.py", line 716, in __call__
    return self.main(*args, **kwargs)
  File "/home/tkontusz/.local/venvs/safety/local/lib/python2.7/site-packages/click/core.py", line 696, in main
    rv = self.invoke(ctx)
  File "/home/tkontusz/.local/venvs/safety/local/lib/python2.7/site-packages/click/core.py", line 1060, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/home/tkontusz/.local/venvs/safety/local/lib/python2.7/site-packages/click/core.py", line 889, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/home/tkontusz/.local/venvs/safety/local/lib/python2.7/site-packages/click/core.py", line 534, in invoke
    return callback(*args, **kwargs)
  File "/home/tkontusz/.local/venvs/safety/local/lib/python2.7/site-packages/safety/cli.py", line 80, in check
    click.secho(report(vulns=vulns, full=full_report))
  File "/home/tkontusz/.local/venvs/safety/local/lib/python2.7/site-packages/safety/formatter.py", line 62, in report
    table.append("│ {:76} │".format(line))
UnicodeEncodeError: 'ascii' codec can't encode character u'\xf6' in position 22: ordinal not in range(128)

pip 10 api breakage

Quoting distutils-sig:

We're in the process of starting to plan for a release of pip (the
long-awaited pip 10). We're likely still a month or two away from a
release, but now is the time for people to start ensuring that
everything works for them. One key change in the new version will be
that all of the internal APIs of pip will no longer be available, so
any code that currently calls functions in the "pip" namespace will
break. Calling pip's internal APIs has never been supported, and
always carried a risk of such breakage, so projects doing so should,
in theory, be prepared for such things. However, reality is not always
that simple, and we are aware that people will need time to deal with
the implications.

Just in case it's not clear, simply finding where the internal APIs
have moved to and calling them under the new names is not what
people should do. We can't stop people calling the internal APIs,
obviously, but the idea of this change is to give people the incentive
to find a supported approach, not just to annoy people who are doing
things we don't want them to ;-)

So please - if you're calling pip's internals in your code, take the
opportunity now to check out the in-development version of pip, and
ensure your project will still work when pip 10 is released.

And many thanks to anyone else who helps by testing out the new
version, as well :-)

Thanks,
Paul


Safety uses pip.get_installed_distributions which has moved to https://github.com/pypa/pip/blob/master/src/pip/_internal/utils/misc.py#L333

Unpinned requirement warning does not give filename context

  • safety version: 1.6.1
  • Python version: Python 3.6.1
  • Operating System: Windows 10

Description

  • safety check multiple requirements, e.g.:
 safety check --full-report -r requirements/main.txt -r requirements/example-testing.txt -r requirements/unit-testing.txt -r requirements/deployment.txt -r requirements/versioning.txt -r requirements/static-testing.txt

What I Did

  • Received warning about unpinned requirements without the context of which file
Warning: unpinned requirement 'numpy' found, unable to check.
Warning: unpinned requirement 'typing' found, unable to check.
  • Warnings are popped from here:

    safety/safety/util.py

    Lines 79 to 83 in 76a6e68

    click.secho(
        "Warning: unpinned requirement '{req}' found, unable to check.".format(
            req=req.name),
        fg="yellow"
    )

Add Pipfile support

Safety already works with the currently active virtual environment, but it would be nice to run:

safety check -r Pipfile

or

safety check -r Pipfile.lock

It's probably the best to wait for pypa/pipfile#57 before working on this.

Support -r inside requirements.txt files

  • safety version: 1.8.1
  • Python version: 2.7.15rc1
  • Operating System: Ubuntu 18

Description

safety doesn't seem to handle -r {file} lines inside requirements.txt files.

What I Did

$ safety check -r requirements/development.txt 
...
│ checked 0 packages, using default DB                                         │
│ No known security vulnerabilities found.                                     │
...


$ cat requirements/development.txt 
-r common/project.txt


$ safety check -r requirements/common/project.txt
...
│ checked 60 packages, using default DB                                        │
...
│ django                     │ 1.8.18    │ >=1.8,<1.8.19            │ 35797    │
│ django                     │ 1.8.18    │ >=1.8,<1.8.19            │ 35796    │
...

Depend on setuptools >=16 for consistent exceptions

  • safety version: 0.5.1 & master
  • Python version: 3.4
  • Operating System: Fedora 25

Description

safety implicitly depends on setuptools, by way of from setuptools import setup in the setup.py, however pkg_resources.parse_requirements was introduced only in setuptools 0.6, which is luckily just before Ubuntu precise python-setuptools 0.6.24 and trusty python-setuptools 3.3, but safety will very likely fail on anything earlier than Ubuntu precise (not a serious problem IMO, but .. worth painting the picture of this implicit requirement).

A more significant problem arises when trying to catch requirements.txt parser errors, from read_requirements, the ideal exception to catch varies on the version of pkg_resources that is installed. In all cases, ValueError is acceptable, however, as of setuptools 16 RequirementParseError was introduced.

Given setuptools 16 is over 1.5 years ago, and safety is about keeping up to date, I suspect that adding setuptools >=16 will be acceptable.

What I Did

try:
    safety.cli.read_requirements(text)
except pkg_resources.RequirementParseError:
    pass

Result:

AttributeError: 'module' object has no attribute 'RequirementParseError'

[feature request] Ignore specific versions

It would be nice to be able to opt out of specific affected versions - for example, Django 1.8.16 has vulnerabilities that a lot of users won't be affected by.
I'd like to ignore these specific vulnerabilities, but still get informed about others when they are added to safety-db.

TypeError: object of type 'itertools.chain' has no len()

  • safety version: 1.6.0
  • Python version: 3.4.3
  • Operating System: Ubuntu

Description

Trying to check a requirements.txt file raises an exception, see below.

What I Did

$ safety check -r project/requirements.txt
...
File "venv/lib/python3.4/site-packages/safety/cli.py", line 64, in check
    checked_packages=len(packages),

Handle packages which have been installed from a variety of VCS

  • safety version: 0.3.0
  • Python version: 3.5.1
  • Operating System: Ubuntu 16.04

Description

safety can't handle requirements.txt with packages which have been installed from VCS directly.

What I Did

requirements.txt:

-e git+https://github.com/django/django.git@802dd1ffc5cfa3d547efeb285dac70884b99e16d#egg=django

Run safety:

$ cat requirements.txt | safety check --stdin

Traceback (most recent call last):
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/pkg_resources/_vendor/packaging/requirements.py", line 90, in __init__
    req = REQUIREMENT.parseString(requirement_string)
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/pkg_resources/_vendor/pyparsing.py", line 1617, in parseString
    raise exc
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/pkg_resources/_vendor/pyparsing.py", line 1607, in parseString
    loc, tokens = self._parse( instring, 0 )
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/pkg_resources/_vendor/pyparsing.py", line 1379, in _parseNoCache
    loc,tokens = self.parseImpl( instring, preloc, doActions )
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/pkg_resources/_vendor/pyparsing.py", line 3376, in parseImpl
    loc, exprtokens = e._parse( instring, loc, doActions )
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/pkg_resources/_vendor/pyparsing.py", line 1379, in _parseNoCache
    loc,tokens = self.parseImpl( instring, preloc, doActions )
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/pkg_resources/_vendor/pyparsing.py", line 3698, in parseImpl
    return self.expr._parse( instring, loc, doActions, callPreParse=False )
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/pkg_resources/_vendor/pyparsing.py", line 1379, in _parseNoCache
    loc,tokens = self.parseImpl( instring, preloc, doActions )
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/pkg_resources/_vendor/pyparsing.py", line 3359, in parseImpl
    loc, resultlist = self.exprs[0]._parse( instring, loc, doActions, callPreParse=False )
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/pkg_resources/_vendor/pyparsing.py", line 1383, in _parseNoCache
    loc,tokens = self.parseImpl( instring, preloc, doActions )
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/pkg_resources/_vendor/pyparsing.py", line 2670, in parseImpl
    raise ParseException(instring, loc, self.errmsg, self)
pkg_resources._vendor.pyparsing.ParseException: Expected W:(abcd...) (at char 0), (line:1, col:1)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/pkg_resources/__init__.py", line 2873, in __init__
    super(Requirement, self).__init__(requirement_string)
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/pkg_resources/_vendor/packaging/requirements.py", line 94, in __init__
    requirement_string[e.loc:e.loc + 8]))
pkg_resources.extern.packaging.requirements.InvalidRequirement: Invalid requirement, parse error at "'-e git+h'"

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/vagrant/venvs/abcd-xyz/bin/safety", line 11, in <module>
    sys.exit(cli())
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/click/core.py", line 716, in __call__
    return self.main(*args, **kwargs)
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/click/core.py", line 696, in main
    rv = self.invoke(ctx)
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/click/core.py", line 1060, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/click/core.py", line 889, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/click/core.py", line 534, in invoke
    return callback(*args, **kwargs)
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/safety/cli.py", line 40, in check
    vulns = safety.check(packages=packages)
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/safety/safety.py", line 54, in check
    for pkg in packages:
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/safety/cli.py", line 16, in read_requirements
    for req in parse_requirements(fh.read()):
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/pkg_resources/__init__.py", line 2866, in parse_requirements
    yield Requirement(line)
  File "/home/vagrant/venvs/abcd-xyz/lib/python3.5/site-packages/pkg_resources/__init__.py", line 2875, in __init__
    raise RequirementParseError(str(e))
pkg_resources.RequirementParseError: Invalid requirement, parse error at "'-e git+h'"
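
The three reports above (the crash on VCS requirements, the missing handling of -r inside requirements files, and the unpinned-requirement warning without filename context) together describe what a requirements reader feeding a vulnerability check has to cope with. The following is an added example, not safety's own code: a stdlib-only reader that follows -r includes relative to the including file, skips editable/VCS lines instead of crashing on them, and reports unpinned requirements together with the file they came from. The sample file tree is constructed for the example; the loader hook exists only so it runs on in-memory data.

```python
import os
import re
from typing import Callable, List, NamedTuple, Optional, Set, Tuple

class Pinned(NamedTuple):
    name: str     # normalized project name (lowercase, runs of -_. collapsed to -)
    version: str  # exact version pinned with == or ===
    source: str   # file the requirement line came from

class Skipped(NamedTuple):
    source: str
    item: str     # requirement name, or the raw line for options and VCS entries
    reason: str

UNPINNED = "unpinned requirement"
# name[extras] <op> version [; marker]; the version ends at whitespace, ';' or ','.
_REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*"
                     r"(?P<op>===|==|~=|!=|<=|>=|<|>)\s*(?P<version>[^\s;,]+)")
_VCS_PREFIXES = ("git+", "hg+", "svn+", "bzr+", "http://", "https://", "file:")

def normalize(name: str) -> str:
    """PEP 503 style normalization so 'Django' and 'django' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def _read_file(path: str) -> str:
    with open(path, encoding="utf-8") as fh:
        return fh.read()

def read_requirements(path: str, loader: Callable[[str], str] = _read_file,
                      seen: Optional[Set[str]] = None) -> Tuple[List[Pinned], List[Skipped]]:
    """Read one requirements file and every file it includes with -r.
    `loader` maps a path to its text so the example can run on in-memory data."""
    path = os.path.normpath(path)
    seen = seen if seen is not None else {path}
    pinned: List[Pinned] = []
    skipped: List[Skipped] = []
    for raw in loader(path).splitlines():
        # Drop comments ('#' at line start or after whitespace); '#egg=' in a URL stays.
        line = re.split(r"(?:^|\s+)#", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        if line.startswith(("-r", "--requirement")):
            target = re.sub(r"^(?:-r|--requirement)[=\s]*", "", line)
            # Nested includes resolve relative to the including file, as pip does.
            nested = os.path.normpath(os.path.join(os.path.dirname(path), target))
            if nested in seen:  # cycle or duplicate include: each file is read once
                skipped.append(Skipped(path, line, "already included"))
                continue
            seen.add(nested)
            sub_pinned, sub_skipped = read_requirements(nested, loader, seen)
            pinned.extend(sub_pinned)
            skipped.extend(sub_skipped)
        elif line.startswith(("-e", "--editable")) or line.startswith(_VCS_PREFIXES):
            skipped.append(Skipped(path, line, "VCS/URL requirement has no version to check"))
        elif line.startswith("-"):
            skipped.append(Skipped(path, line, "pip option, not a requirement"))
        else:
            m = _REQ_RE.match(line)
            if m and m.group("op") in ("==", "==="):
                pinned.append(Pinned(normalize(m.group("name")), m.group("version"), path))
            else:  # bare name or a version range: no single version to look up
                name = m.group("name") if m else line.split()[0]
                skipped.append(Skipped(path, normalize(name), UNPINNED))
    return pinned, skipped

def format_warning(s: Skipped) -> str:
    """Warning text that names the file, the context the report above asks for."""
    if s.reason == UNPINNED:
        return "Warning: unpinned requirement '%s' found in %s, unable to check." % (s.item, s.source)
    return "Warning: skipped '%s' in %s: %s." % (s.item, s.source, s.reason)

# Constructed sample tree (not taken from the reports) covering the cases above.
SAMPLE_FILES = {
    "requirements/development.txt": "-r common/project.txt\npyyaml==3.13\n",
    "requirements/common/project.txt": (
        "# mixed pins, bare names, a VCS line and an include cycle\n"
        "Django==1.8.18   # trailing comment\n"
        "numpy\n"
        "typing>=3.6\n"
        "-e git+https://github.com/jdunck/python-unicodecsv#egg=unicodecsv\n"
        "requests[security]==2.19.1 ; python_version >= '3'\n"
        "-r ../development.txt\n"
    ),
}
```

Calling read_requirements("requirements/development.txt", SAMPLE_FILES.__getitem__) yields three pinned packages (django, requests, pyyaml) and four skipped entries, each warning naming its source file; with the default loader the same function reads real files from disk.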

Add an --email option?

When running Safety in a cron job it might make sense to add an email address which could be used to mail a report if something is vulnerable.

Ideas?

Issue with GitHub integration

  • safety version: GitHub integration
  • Python version: 2.7.x
  • Operating System:

Description

We have a status check integrated for verifying each PR going into the master branch.

I now encounter that this status is Pending for over 12 hours.

Is there currently a server issue or am I doing something wrong with the integration?

TypeError when executing with --full-report

  • safety version: 1.8.2
  • Python version: 3.6.5
  • Operating System: linux (ubuntu)

Description

Whenever safety is run with --full-report and tries to report an issue it will abort with TypeError: unsupported format string passed to bytes.__format__

What I Did

$ virtualenv -p /usr/bin/python3.6 test1
Running virtualenv with interpreter /usr/bin/python3.6
Using base prefix '/usr'
New python executable in /home/someuser/repos/mercury/test1/bin/python3.6
Also creating executable in /home/someuser/repos/mercury/test1/bin/python
Installing setuptools, pip, wheel...done.
$ source test1/bin/activate
(test1) $  pip install safety pyyaml
Collecting safety
  Using cached https://files.pythonhosted.org/packages/20/58/701d0b61562a63b7f0008bcfd673617b277ddaa2cde217a398f82c146cd4/safety-1.8.2-py2.py3-none-any.whl
Collecting pyyaml
  Downloading https://files.pythonhosted.org/packages/9e/a3/1d13970c3f36777c583f136c136f804d70f500168edc1edea6daa7200769/PyYAML-3.13.tar.gz (270kB)
    100% |████████████████████████████████| 276kB 7.3MB/s
Collecting dparse>=0.4.1 (from safety)
Collecting packaging (from safety)
  Using cached https://files.pythonhosted.org/packages/ad/c2/b500ea05d5f9f361a562f089fc91f77ed3b4783e13a08a3daf82069b1224/packaging-17.1-py2.py3-none-any.whl
Collecting requests (from safety)
  Downloading https://files.pythonhosted.org/packages/65/47/7e02164a2a3db50ed6d8a6ab1d6d60b69c4c3fdf57a284257925dfc12bda/requests-2.19.1-py2.py3-none-any.whl (91kB)
    100% |████████████████████████████████| 92kB 7.6MB/s
Collecting Click>=6.0 (from safety)
  Using cached https://files.pythonhosted.org/packages/34/c1/8806f99713ddb993c5366c362b2f908f18269f8d792aff1abfd700775a77/click-6.7-py2.py3-none-any.whl
Requirement already satisfied: pip in ./test1/lib/python3.6/site-packages (from safety) (10.0.1)
Collecting six (from dparse>=0.4.1->safety)
  Using cached https://files.pythonhosted.org/packages/67/4b/141a581104b1f6397bfa78ac9d43d8ad29a7ca43ea90a2d863fe3056e86a/six-1.11.0-py2.py3-none-any.whl
Collecting pyparsing>=2.0.2 (from packaging->safety)
  Using cached https://files.pythonhosted.org/packages/6a/8a/718fd7d3458f9fab8e67186b00abdd345b639976bc7fb3ae722e1b026a50/pyparsing-2.2.0-py2.py3-none-any.whl
Collecting certifi>=2017.4.17 (from requests->safety)
  Using cached https://files.pythonhosted.org/packages/7c/e6/92ad559b7192d846975fc916b65f667c7b8c3a32bea7372340bfe9a15fa5/certifi-2018.4.16-py2.py3-none-any.whl
Collecting idna<2.8,>=2.5 (from requests->safety)
  Downloading https://files.pythonhosted.org/packages/4b/2a/0276479a4b3caeb8a8c1af2f8e4355746a97fab05a372e4a2c6a6b876165/idna-2.7-py2.py3-none-any.whl (58kB)
    100% |████████████████████████████████| 61kB 9.1MB/s
Collecting urllib3<1.24,>=1.21.1 (from requests->safety)
  Downloading https://files.pythonhosted.org/packages/bd/c9/6fdd990019071a4a32a5e7cb78a1d92c53851ef4f56f62a3486e6a7d8ffb/urllib3-1.23-py2.py3-none-any.whl (133kB)
    100% |████████████████████████████████| 143kB 7.9MB/s
Collecting chardet<3.1.0,>=3.0.2 (from requests->safety)
  Using cached https://files.pythonhosted.org/packages/bc/a9/01ffebfb562e4274b6487b4bb1ddec7ca55ec7510b22e4c51f14098443b8/chardet-3.0.4-py2.py3-none-any.whl
Building wheels for collected packages: pyyaml
  Running setup.py bdist_wheel for pyyaml ... done
  Stored in directory: /home/someuser/.cache/pip/wheels/ad/da/0c/74eb680767247273e2cf2723482cb9c924fe70af57c334513f
Successfully built pyyaml
Installing collected packages: pyyaml, pyparsing, six, packaging, dparse, certifi, idna, urllib3, chardet, requests, Click, safety
Successfully installed Click-6.7 certifi-2018.4.16 chardet-3.0.4 dparse-0.4.1 idna-2.7 packaging-17.1 pyparsing-2.2.0 pyyaml-3.13 requests-2.19.1 safety-1.8.2 six-1.11.0 urllib3-1.23
$ safety check --key="my-paid-key"
╒══════════════════════════════════════════════════════════════════════════════╕
│                                                                              │
│                               /$$$$$$            /$$                         │
│                              /$$__  $$          | $$                         │
│           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           │
│          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           │
│         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           │
│          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           │
│          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           │
│         |_______/  \_______/|__/     \_______/   \___/   \____  $$           │
│                                                          /$$  | $$           │
│                                                         |  $$$$$$/           │
│  by pyup.io                                              \______/            │
│                                                                              │
╞══════════════════════════════════════════════════════════════════════════════╡
│ REPORT                                                                       │
│ checked 15 packages, using pyup.io's DB                                      │
╞════════════════════════════╤═══════════╤══════════════════════════╤══════════╡
│ package                    │ installed │ affected                 │ ID       │
╞════════════════════════════╧═══════════╧══════════════════════════╧══════════╡
│ pyyaml                     │ 3.13      │ <4                       │ 36333    │
╘══════════════════════════════════════════════════════════════════════════════╛
$ safety check --full-report --key="my-paid-key"
Traceback (most recent call last):
  File "/home/someuser/repos/mercury/test1/bin/safety", line 11, in <module>
    sys.exit(cli())
  File "/home/someuser/repos/mercury/test1/lib/python3.6/site-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/home/someuser/repos/mercury/test1/lib/python3.6/site-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/home/someuser/repos/mercury/test1/lib/python3.6/site-packages/click/core.py", line 1066, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/home/someuser/repos/mercury/test1/lib/python3.6/site-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/home/someuser/repos/mercury/test1/lib/python3.6/site-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/home/someuser/repos/mercury/test1/lib/python3.6/site-packages/safety/cli.py", line 71, in check
    key=key
  File "/home/someuser/repos/mercury/test1/lib/python3.6/site-packages/safety/formatter.py", line 196, in report
    return SheetReport.render(vulns, full=full, checked_packages=checked_packages, used_db=used_db)
  File "/home/someuser/repos/mercury/test1/lib/python3.6/site-packages/safety/formatter.py", line 116, in render
    table.append("│ {:76} │".format(line.encode('utf-8')))
TypeError: unsupported format string passed to bytes.__format__

UnicodeEncodeError: 'charmap' codec can't encode characters in position 0-79: character maps to <undefined>

  • safety version: 1.7.0
  • Python version: Python 3.6.1
  • Operating System: Windows-10-10.0.16299-SP0, AMD64

Description

  • Trying to use safety check
  • Same error always results: UnicodeEncodeError: 'charmap' codec can't encode characters in position 0-79: character maps to <undefined>

What I Did

safety check -r simple-requirements.txt

Contents of simple-requirements.txt

safety
  • There are absolutely no unicode characters in this file

Traceback

$ safety check -r simple-requirements.txt
Warning: unpinned requirement 'safety' found in simple-requirements.txt, unable to check.
Traceback (most recent call last):
  File "c:\users\nicholas\appdata\local\programs\python\python36\Lib\runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "c:\users\nicholas\appdata\local\programs\python\python36\Lib\runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "C:\Users\nicholas\.virtualenvs\pybotics-d30fj9Hx\Scripts\safety.exe\__main__.py", line 9, in <module>
  File "c:\users\nicholas\.virtualenvs\pybotics-d30fj9hx\lib\site-packages\click\core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "c:\users\nicholas\.virtualenvs\pybotics-d30fj9hx\lib\site-packages\click\core.py", line 697, in main
    rv = self.invoke(ctx)
  File "c:\users\nicholas\.virtualenvs\pybotics-d30fj9hx\lib\site-packages\click\core.py", line 1066, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "c:\users\nicholas\.virtualenvs\pybotics-d30fj9hx\lib\site-packages\click\core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "c:\users\nicholas\.virtualenvs\pybotics-d30fj9hx\lib\site-packages\click\core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "c:\users\nicholas\.virtualenvs\pybotics-d30fj9hx\lib\site-packages\safety\cli.py", line 66, in check
    key=key
  File "c:\users\nicholas\.virtualenvs\pybotics-d30fj9hx\lib\site-packages\click\termui.py", line 420, in secho
    return echo(style(text, **styles), file=file, nl=nl, err=err, color=color)
  File "c:\users\nicholas\.virtualenvs\pybotics-d30fj9hx\lib\site-packages\click\utils.py", line 259, in echo
    file.write(message)
  File "c:\users\nicholas\.virtualenvs\pybotics-d30fj9hx\lib\encodings\cp1252.py", line 19, in encode
    return codecs.charmap_encode(input,self.errors,encoding_table)[0]
UnicodeEncodeError: 'charmap' codec can't encode characters in position 0-79: character maps to <undefined>

Can't install safety for python2 and python3 properly.

  • safety version: 0.2.2
  • Python version: 2.7.12 and 3.5.1
  • Operating System: Fedora 24

Description

Installing safety not in a venv, but on the system for both python2 and python3 results in the /usr/bin/safety file being overwritten

What I did

pip install safety
pip3 install safety

The hashbang contains the python version for which safety was last installed.
