5 comments

[ 3.3 ms ] story [ 15.2 ms ] thread
What does vulnerable mean in this context? Methods which forward input in a way that unlocks arbitrary code execution?
SourceClear identifies libraries you use that have security vulnerabilities in them. We also do the extra work to find which methods in those libraries are the vulnerable methods.

When you scan your python projects now, we can actually tell you if you have a call chain to those particular methods in the vulnerable library or not.

Most security tools aim to scare people about the sky falling. Here we're taking a saner approach and letting you know if you're directly impacted by a vulnerability or not, so you can update at a more leisurely pace.

What is a security vulnerability in a library here? Do you mean something like using `numpy.frombuffer` to mutate strings in place, or using `numpy.lib.stride_tricks` to access invalid addresses?

Maybe this is something like functions calls which use improper sql escaping? I am not sure what is being detected.

Based on "update at a more leisurely pace" I'm guessing it's literally just looking for specific methods from libraries covered by security advisories, which is much less interesting than what you are imagining.
A specific disclosed vulnerability found in an open source library. As you might guess, most folks don't file CVEs (https://cve.mitre.org/). Our research team maintains a database of vulnerabilities that includes published CVEs, but also includes vulnerabilities we've identified.

Here's an example of some vulnerabilities that we discovered, disclosed, and now have in our database: https://blog.sourceclear.com/copy-paste-vulnerability-disclo...

The full vulnerability database is online here: https://www.sourceclear.com/registry/explore