- Include the name of the project in vulnerability alerts and the location of the package to better aid multi-project environments.
- Use new PyUp v2.0.0 API that supports commercial projects.
- Support for 2022.3
- The "Bundled" package check setting now uses a live database via PyUp.io's public API. This API is meant for non-commercial projects only, so a message is shown. If you're scanning commercial projects, please use the PyPI API in the settings, or register for an account with PyUp.io and enter your API key in the settings.
- Updated to Java 17
- Updated to newer KTor API client
- Support for 2022.2
- Update safety DB to July 2022
- Added a PyPI API option for package security checking that uses the new PyPI vulnerability API
- Support for 2021.3
- Update safety DB to December
- Update safety DB to October 2021
- Support for 2021.2 series
- Update safety DB to August 2021
- Fix a bug raising a runtime exception (PsiInvalidElementException)
- Support for 2021.1 release of PyCharm
- Fix corrupt package
- PyUp.io December update
- Enable 203* series (2020.3)
- Update to 2020.2
- Use 202.6397.50 (2020.2) in CI/CD action
- Fixed null pointer exception when SDK not properly initialized
- Updated SafetyDB to July 2020 update
- Massive speed improvement to the package checker action by checking multiple packages asynchronously
- Added support for PyCharm 2020.2 series
- Sped up security package scanning
- Added DJG300 and DJG301 for inspection of Django authorization mixins in class-based views.
- Fixed #118: Fixers don't work for Mako and Jinja2 in an edge case (@koxudaxi)
- Added SQL200 for inspection of insecure SQLalchemy method calls
- Added a source path argument to the GitHub action
- Added a result output to the GitHub action
- Use PyCharm 2020 as the primary build target
- Fix crash on scanning package security issue#105
- Updated SafetyDB to latest version (April 2020)
- Reduced size of Docker image pull#98
- Bugfix on TRY100 raising false positives. Fixes issue#88 (pull#97)
- Added STR100 for insecure format strings
- Extended the behaviour of DJG102 to not raise a warning when the safe string input is a string literal pull#87
- Added support for snyk.io as the vulnerability database. Snyk offers an up-to-date and in-depth database of Python package issues.
- Added DJG103 to look for use of the Django `extra()` API on a query set with quoted parameters.
- Extended DJG102 to include quoted templated variable names, e.g. `'%(variable)s'`
- Added DJG104 to inspect usage of the Django Expression APIs with dangerous templates vulnerable to SQL injection.
- Modified TRY100 to only verify `Exception` and cases where no exception is specified.
- Added configuration option to ignore code inside docstrings (enabled by default)
- Fix matching bug for packages which were installed with mixed-case names
- Added SH100 to check for 17 potential shell injection commands
- Added SH101 to check for 16 potentially risky spawned process commands
- Added a configuration panel to customise how your packages are checked
- Enabled support for PyUp.io subscriptions via an API key
- Updated SafetyDB to the "February 2020" release
- Extended PR100 to include older subprocess APIs, "check_call()" and "check_output()"
- Inspection descriptions in the IDE (within the Code Inspection window, Inspection Results and Right-Click on annotation) have full details
- Docker image and GitHub action do deeper inspection using packages defined within a project
- Added paramiko shell injection inspection PAR101
- Added SSL wrap socket with no version check SSL100
- Added SSL wrap socket with insecure protocol check SSL101
- Fix on PyYAML inspector looking for the `'loader'` keyword argument instead of `'Loader'`.
- Fix on plugin XML having wrong standard library short name
- Fix on pickle not matching aliases imports
- Added pickle load inspection PIC100
- Added django safe strings inspection DJG102
- Added hardcoded temp path read or write inspection TMP101
- Added XML standard library DoS inspection XML100
- Added XML RPC dotted paths inspection XML200
- Dockerfile compiles from source, so the 'latest' Docker image is built from master and each tag is correctly set issue#41
- Annotations descriptions have links to the documentation issue#43
- GitHub Action now supports "failure on warning"
- GitHub Action now always uses latest image
- GitHub Action supports setting path to custom inspection XML file
- GitHub Actions now have annotations
- Updated documentation for GitHub actions. Made path optional
- Fixed bug in BindAllInterfacesInspection where a call to `bind()` with no arguments would raise an NPE issue#36
- Added github action support (alpha)
- Fixed a bug where packages that had a vulnerability in safetydb but no CVE record would raise an NPE in PyCharm issue#33
- Changed YML100 to not match when `loader=SafeLoader` is used
- Altered PW100 to only match on == and != operators, reducing false positives
- Added DJG101: using a quoted, parametrized literal will bypass Django SQL injection protection
- Added TRY100 check for try..except..pass statements
- Added TRY101 check for try..except..continue statements
- Added AST100 check for assert usage outside of a test
- Added NET100 check for unspecified binding
- Added PAR100 check for host key bypass in paramiko ssh client usage
- Added OS100 check for calls to `os.chmod()` with dangerous POSIX permissions
- Added SQL injection with Python formatting check SQL100
- Support for PyCharm 2020.1
- Added new hardcoded password check PW100
- Added new builtin exec check EX100
- Added new mako unescaped input check MK100
- Added new mako HTML escape quick fix
- Fixed minor bug in Flask debug mode check
- All fixes can now be run in batch mode
- Added Jinja2 unescaped Template Validator
- Added Jinja2 unconditional escape fixer
- All checks are now local inspections, so within the Code Inspection tool, they will show as "Python Security"
- Users can now alter the severity of any particular check and mute for a given project, file or IDE
- Added Django CSRF Middleware Validator
- Added Django Clickjack Middleware Validator
- Added Django Middleware Fixer
- Fixed bug where function references would be unsafely cast to a PyReferenceExpression and cause a fault
- Added Shell Escape Fixer, recommended by PR100
- Modified the shell injection validator to match subprocess.call, .run and .Popen
- Modified the shell injection validator to ignore string literals or lists of literals
- Annotations "Read Documentation" fix will go to the new documentation site instead of GitHub.
- PW100 uses `secrets.compare_digest` if the Python version is 3.7+
- Fixed bug in test suite (doesn't affect plugin)
- Added a documentation action to all recommendations
- Added a timing attack fixer for using hmac.compare_digest
- Added a timing attack test for comparing a password string
- Added hashlib test for cryptographically weak algorithm usage
- Added hashlib check for algorithms vulnerable to length-extension attacks
- Notification summarising package scan, even when no issues are found
- Issues warning notification when no Python SDK is configured
- Various minor bug fixes
- Fixed a bug when instantiating the vulnerability database at startup. Raised by @m-aciek #3
- Fixed error when checking incomplete statements. Raised by @jugmac00 #1
- Package checker works with specific (PEP440) version ranges.
- Checks installed packages against safetydb and alerts for any known vulnerabilities
- Added django debug mode check
- Added `tempfile.mktemp` check with a fixer to replace it with `tempfile.mkstemp`, keeping the existing arguments
- Added `subprocess.call(shell=True)` check
- Added httpx no-verify check
- Added requests no-verify check
- Added flask debug mode check
- Added PyYAML load check