CVEs and Package Manager

Hey guys,

on Package Blocking - Posit Package Manager, there is a information the blocking specific packages, either by name, version or license, might be possible in combination with an external CVE database, as the rspm create blocklist-rule command can also be used remotely.

I was wondering if any of you have experience with this topic. That is, firstly I would like to know if there are any CVEs to retrieve vulnerabilities for R and Python packages and secondly if there is an open API to automate the process of blocking packages for all developers.

Dose anyone of you have such a workflow in usage in your company?

Hi Micha,

One of the most authoritative sources of PyPI vulnerabilities is the Python Packaging Advisory Database (GitHub - pypa/advisory-database: Advisory database for Python packages published on pypi.org). They publish those vulnerabilities to osv.dev which we consider to be the authoritative source of PyPI vulnerabilities. https://osv.dev/

These are published and freely available, which can be a great source of vulnerable packages and versions. Here's an example bash script of how to extract the latest vulnerabilities and create blocklist rules for each package version:

# run in a clean directory!
wget https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip
unzip all.zip
jq -r ".affected[] | \"\(.package.name)\t\(.versions[])\"" *.json | sort -u > vulns.out
wc -l vulns.out
awk 'BEGIN{OFS="";} {print "rspm create bl --package-name=",$1," --version=",$2}' vulns.out | bash > /dev/null

This will create a blocklist rule for every package version identified, which is over 30k rules. We've done some light performance testing with this so far and it works fine, but we hope to create a more integrated solution in a future Package Manager release.

As for CRAN packages, there are so few vulnerabilities out there, and no standard reporting location for those that are. However, given a suitable source of data, a similar approach could be taken.

Cheers,
Joe