You can't avoid the audit of your project packages (you just can't)...

Fantastic Vulnerabilities and Where To Find Them

You might already heard about CVE or Common Vulnerabilities or Exposures, which is an initiative sponsored by DHS (Department of Homeland and Security) and CISA (Cybersecurity and Infrastructure Security Agency), overseen by MITRE Corporation . All CVEs are listed on this website maintained by MITRE. If you want to know more about CVEs, how they are discovered, registered and how they are evaluated and approved, this document from RedHat has one or two words about it. Also, PYPA maintains the advisory-db project, for searching vulnerabilities of Python packages (this is where pip-audit comes into play).

Security is a limitless topic

It's not just about having an armored IPTABLES/Netfilter, and Nginx well configured with HSTS and other secure headers, and tunned Linux Kernel, and your Backend application demanding authenticated requests of 99,9% of your endpoints: from the packages that you download through APT, to PyPi packages that belong to your Python project, one of them could have a vulnerability, or a CVE registered and document.

In terms of security, we can go forever. It's a topic always on the table, from Infrastructure to Software, and it will always be like that.

Before pip-audit

You might be just like me, reviewing package by package from your requirements.txt with 50 different packages on it, searching on CVE listing websites like the one maintained by MITRE or even this one. What a pain, right? To review all packages (one by one) and document the vulnerabilities (if any) on your JIRA card, but, there's no other way. True that some services are available for searching PYSECs, but still not that pragmatic, in my opinion. I always felt more confident on searching CVE lists, manually. If you protect your API endpoints with all that you can, you can't avoid the audit of your project packages. You just can't..

After pip-audit

I think that everyone who cares about security, was craving for something like this. It was announced by Dustin Ingram yesterday, the stable release of pip-audit.

From time to time, I'm involved in security audits on companies that I work (I was a SysAdmin before being a Software Developer), so I can guarantee, that this comes from heaven:

Final Words

I'm pretty sure that this tool, will become a standard for all of us who develop software or maintain Python projects (open source or not). It's true that there's a great dependency on security at infrastructure level, being from network traffic to webservers and Operating Systems, but it's common to observe Software Developers not being concerned on reviewing security of packages, even though they are really worried about how protected is the API from a variety of vectors.

Your platform is also secure, by having components without vulnerabilities (keep in mind). If you don't audit your packages, it's time to make a change, now being more efficient. Cheers.

at
Labels: ,

Greatest Common Factor, Factors of a Number, and Juggling with List Comprehensions

It's always a good time, to open up a terminal and expressing calculations through code, just as any scientist would do, with the exception that I'm no scientist (at all), although I kind love Computer Science. I'm Software Developer so, it is expected, I guess.

Being from another country, speaking another language and having a different education at school when I was young, it feels a little bit different to read and identify mathematics content like Greatest Common Factor, Factors, and so on. Reading this article, I throught that would be nice to make some code that finds the factors of a number, and even better, the GCF from a list of numbers. I'm still wondering on what would be the best code, in terms of efficiency and with less time complexity, though.

Factors


Well, I started to perform a procedural code, 2 or 3 lines, but remembering how powerful are List Comprehensions (good source btw), many iterations and data strcutures can be performed with a single line.

Mission accomplished, with an easy and elegant code:


GCF (Greatest Common Factor) - 1° Round


This takes me back to my childhood, when I was 12, I guess.
Easy to put on a paper. To express the solution with code? Somewhat, at the beginning.
Here's the 1st approach, relying on the return of get_factors() function (list of factors).

Mission accomplished, but not meaningful (why using a list of lists of factors ?):


GCF (Greatest Common Factor) - 2° Round


No need of dealing with lists. It's just about numbers, just as you do on a paper.
A couple of variables were changed for the sake of readability, and the rest stills the same.
Mission accomplished and much better, isn't it?


Was an interesting task. It's a mix of childhood memories of mathematics from high school with my perspective nowadays as Software Developer, scratching the surface of Computer Science, but passionate on finding answers through programming languages, which in my case, is Python, most of the time.

I had fun today, indeed.

Thanks, Diary.

at
Labels: ,

Quick Commands for Docker Containers

It's being a while that I work with Docker, and some commands are on top of my head, some don't. These commands are commonly used on a normal container management routine (not including networking layer). If you are getting started with Docker or it's the situation like "can't remember that command...", this might be handy.


List Running Containers



Create Container



Rename Container



Run Container



List Container Processes



List Container Directory



Copy From Container



Attach to Container



Open BASH Inside Container



Stop Container



at
Labels:

Iterators: brief words about them

Generally, we all iterate through a variety of objects in Python, like:

Tuples
Lists
Dictionaries
Strings
Sets

But besides theses objects, you can create your own iterable object! Cool huh?

Not that often you might run on this situation, but it's good to know how to build your own iterator and also, you will learn a bit more of Python internals and how the iteration works behind the curtains.

The __iter__ and __next__ methods

Data structure objects like the ones listed above, are all iterable objects. You can get an iterator for any of them, by using the iter() method, and then iterating over it with next() method. If all elements from the iterator were called, then a StopIteration exception will be thrown.

Your Iterator

Built as class, your iterator should have __iter__() and __next__() methods implemented: one for initializing your iterator object, and the other for providing the current iterator value, also calculating the next iteration:
The problem here is that, without a condition, this iteration can go forever:

Depending on your code, you might want to have a condition externally expressed, but most of the cases, the condition of how many interations will be supported by the iterator, are defined on the class which provides the iterator.


Max Number of Iterations

Just as any class, you can define the __init__() method for the iterator class, where you can define the limit of the iterator:


Final Words

Hope you had fun while reviewing this topic and hope that it might help you some day. I decided to write it here, for I went thtough some situation where implementing an iterator was necessary, and here's a record of something that I initially tried, in order to understand how to build one.

From now on, everytime that you iterate through an iterable object, you can have an idea of what's going on with this object, how the data is being processed, stored, and understand that, there might be very specific scenarios where you would like to implement your own iterator.

For more examples and resources, here's a cool document from Python official documentation.

at
Labels: , , ,
Subscribe to: Posts (Atom)
Mastodon