
I'm not a professional at recognizing security in Python modules, but is one of these Python modules possibly dangerous, or does one of them contain malware?

altgraph 0.17.3
atlassian-python-api 3.39.0
attrs 23.1.0
auto-py-to-exe 2.36.0
bottle 0.12.25
bottle-websocket 0.2.9
certifi 2023.5.7
cffi 1.15.1
chardet 5.1.0
charset-normalizer 3.2.0
cryptography 41.0.2
Deprecated 1.2.14
Eel 0.16.0
exceptiongroup 1.1.2
future 0.18.3
gevent 23.7.0
gevent-websocket 0.10.1
greenlet 2.0.2
h11 0.14.0
idna 3.4
isodate 0.6.1
jwt 1.3.1
lxml 4.9.3
oauthlib 3.2.2
outcome 1.2.0
pefile 2023.2.7
Pillow 10.0.0
pip 23.1.2
platformdirs 3.8.1
plyer 2.1.0
pycparser 2.21
pyinstaller 5.13.0
pyinstaller-hooks-contrib 2023.5
PyJWT 2.7.0
pyparsing 3.1.0
pypiwin32 223
PySocks 1.7.1
pystray 0.19.4
pytz 2023.3
pywin32 306
pywin32-ctypes 0.2.2
requests 2.31.0
requests-file 1.5.1
requests-oauthlib 1.3.1
requests-toolbelt 1.0.0
selenium 4.10.0
setuptools 65.5.0
six 1.16.0
sniffio 1.3.0
sortedcontainers 2.4.0
trio 0.22.2
trio-websocket 0.10.3
urllib3 2.0.3
whichcraft 0.6.1
win10toast 0.9
winotify 1.1.0
winsdk 1.0.0b9
wrapt 1.15.0
wsproto 1.2.0
zeep 4.2.1
zope.event 5.0
zope.interface 6.0

Is there a way to find out this information in a simple manner?

I have installed the modules, but I'm unsure whether these modules are truly secure.

1 Answer


PyPI will remove malicious code immediately, so there isn't a chance that known malware will be found in those dependencies.

If you are worried that a particular package may have unknown malware, you can use sysdig to look into what events are occurring when you install the package. This is a ton of work, but look at this article for some pointers: https://jordan-wright.com/blog/post/2020-11-12-hunting-for-malicious-packages-on-pypi/

To determine if the code you run is possibly dangerous or has a vulnerability, you can use pip-audit: https://github.com/pypa/pip-audit

To install:

pip install --upgrade pip pip-audit

It works best with virtual environments by reading the requirements.txt file. If you have the source installed in a virtual environment, you can use

pip freeze > requirements.txt

You could also just write those files above manually into a requirements.txt, but I don't recommend that. It would be in the form:

altgraph==0.17.3
atlassian-python-api==3.39.0

Once you have your requirements.txt run the following command:

pip-audit --requirement requirements.txt

David Rinck
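The workflow the answer describes, as an added example that is not part of the question or the answer: it turns a flattened `pip list` dump like the asker's into pinned `name==version` lines, writes them to requirements.txt, runs pip-audit on that file, and summarizes the result. It assumes pip-audit is installed and that pip-audit's `--format json` report has a top-level `dependencies` list whose entries carry `name`, `version` and `vulns` (an assumption about the report shape, not taken from the page).

```python
import json
import re
import subprocess

# Constructed sample: a few entries from the asker's flattened `pip list` output
# (the 'Package Version' header lines of a real dump must be stripped first).
PIP_LIST_TEXT = "altgraph 0.17.3 atlassian-python-api 3.39.0 jwt 1.3.1 PyJWT 2.7.0"

# A version token starts with a digit (covers 223, 2023.5, 1.0.0b9, ...).
VERSION_RE = re.compile(r"^\d[\w.+-]*$")


def to_requirements(pip_list_text: str) -> list[str]:
    """Turn 'name version name version ...' into pinned 'name==version' lines."""
    tokens = pip_list_text.split()
    if len(tokens) % 2:
        raise ValueError(f"dangling token {tokens[-1]!r} with no version")
    reqs = []
    for name, version in zip(tokens[::2], tokens[1::2]):
        if not VERSION_RE.match(version):
            raise ValueError(f"expected a version after {name!r}, got {version!r}")
        reqs.append(f"{name}=={version}")
    return reqs


def summarize_report(report_json: str) -> dict[str, list[str]]:
    """Map each vulnerable 'name==version' to its advisory ids (assumed pip-audit JSON shape)."""
    findings = {}
    for dep in json.loads(report_json).get("dependencies", []):
        vulns = dep.get("vulns") or []
        if vulns:
            findings[f"{dep['name']}=={dep['version']}"] = sorted(v["id"] for v in vulns)
    return findings


if __name__ == "__main__":
    with open("requirements.txt", "w") as fh:
        fh.write("\n".join(to_requirements(PIP_LIST_TEXT)) + "\n")
    # pip-audit exits non-zero when it reports findings, so no check=True here.
    proc = subprocess.run(
        ["pip-audit", "--requirement", "requirements.txt", "--format", "json"],
        capture_output=True, text=True,
    )
    for pkg, ids in summarize_report(proc.stdout).items():
        print(pkg, "->", ", ".join(ids))
```

An empty summary means pip-audit found no advisories for the pinned versions in its vulnerability database, which says nothing about unknown malware; that is the separate, behavioural check the answer points to with sysdig.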