Managing Vulnerabilities with Thamos
Introducing a Vulnerability
The game_of_life.py program is a simple application that shows how Thamos manages known vulnerablities in the dependencies of a project.
To use this example application, follow the steps mentioned above relative to the installation of the Thamos CLI and to its configuration using .thoth.yaml.
To introduce voluntarily a known vulnerability in the project, specify that you would like to add pillow version 8.0.0 in your requirements:
thamos add pillow==8.0.02022-01-12 14:20:11,248 [217578] INFO thamos.lib: Adding 'pillow==8.0.0' to default requirements of runtime environment 'ubi8'This version of pillow is known for introducing a vulnerability further described on the pypa/advisory-db repository. Thamos can also manage user requirements for dependencies using constraints files. To add pillow version 8.0.0 in your dependency requirements this way, you can simply write the package with its version into this file.
Resolving Security Issues with Thamos
To get a stack guidance based on security, run the following command:
| The resolution process might take some time as the resolver explores resolution possibilities in the dependency graph (unless cached results are already available). |
thamos advise --recommendation-type security2022-03-16 13:40:31,223 [2827560] WARNING thamos: Development dependencies will not be considered during the resolution process - see https://thoth-station.ninja/j/no_dev
2022-03-16 13:40:31,223 [2827560] INFO thamos.lib: Using Pipenv files to manage dependencies located in '/home/fpokorny/git/thoth-station/cli-examples'
2022-03-16 13:40:31,223 [2827560] INFO thamos.lib: Submitting Pipfile.lock as a base for user's stack scoring - see https://thoth-station.ninja/j/user_stack
2022-03-16 13:40:31,224 [2827560] ERROR thamos.lib: Pipfile hash stated in Pipfile.lock 'f25c84' does not correspond to Pipfile hash 'fbca38' - was Pipfile adjusted? This error is not critical.
2022-03-16 13:40:31,394 [2827560] INFO thamos.lib: Using 'security' recommendation type - see https://thoth-station.ninja/recommendation-types/
2022-03-16 13:40:31,394 [2827560] INFO thamos.lib: Performing static analysis of sources to gather library usage
2022-03-16 13:40:32,610 [2827560] INFO thamos.lib: Successfully submitted advise analysis 'adviser-220316124032-c0ef51f179cf9e16' to 'https://khemenu.thoth-station.ninja/api/v1'
Application stack guidance
╷ ╷
Link │ Message │ Type
════════════════════════════════════════════════════════════════════════════════╪═══════════════════════════════════════════════════════════════════════════════╪═══════════
https://quay.io/repository/thoth-station/ps-cv-ocr │ Consider using a computer vision predictable stack 'ps-cv-ocr' that has │ ✔️ INFO
│ prepared environment with 'pillow' │
https://quay.io/repository/thoth-station/ps-cv-pytorch │ Consider using a computer vision predictable stack 'ps-cv-pytorch' that has │ ✔️ INFO
│ prepared environment with 'pillow' │
https://quay.io/repository/thoth-station/ps-cv-tensorflow │ Consider using a computer vision predictable stack 'ps-cv-tensorflow' that │ ✔️ INFO
│ has prepared environment with 'pillow' │
https://quay.io/repository/thoth-station/ps-ip-ifd │ Consider using a image processing predictable stack 'ps-ip-ifd' that has │ ✔️ INFO
│ prepared environment with 'pillow' │
https://thoth-station.ninja/search/adviser-220316124032-c0ef51f179cf9e16/summa │ Results can be browsed in Thoth search │ ✔️ INFO
ry │ │
https://thoth-station.ninja/j/cve_timestamp │ CVE database of known vulnerabilities for Python packages was updated at │ ✔️ INFO
│ '2022-03-16T00:34:23.507548' │
https://thoth-station.ninja/j/lax_version │ No version range specifier for 'asyncclick' found, it is recommended to │ ⚠️ WARNING
│ specify version ranges in requirements │
https://thoth-station.ninja/j/lax_version │ No version range specifier for 'click' found, it is recommended to specify │ ⚠️ WARNING
│ version ranges in requirements │
https://thoth-station.ninja/j/lax_version │ No version range specifier for 'pygame' found, it is recommended to specify │ ⚠️ WARNING
│ version ranges in requirements │
https://thoth-station.ninja/j/thoth_s2i │ It is recommended to use Thoth's s2i to have recommendations specific to │ ✔️ INFO
│ runtime environment │
https://thoth-station.ninja/j/rhel_ubi │ Using observations for RHEL instead of UBI, RHEL is ABI compatible with UBI │ ⚠️ WARNING
https://thoth-station.ninja/recommendation-types/ │ Using recommendation type 'security' │ ✔️ INFO
https://thoth-station.ninja/j/env │ Resolving for runtime environment named 'ubi8' │ ✔️ INFO
https://thoth-station.ninja/j/env │ Resolving for operating system 'rhel' in version '8' │ ✔️ INFO
https://thoth-station.ninja/j/env │ Resolving for Python version '3.8' │ ✔️ INFO
https://thoth-station.ninja/j/env │ Using platform 'linux-x86_64' │ ✔️ INFO
https://thoth-station.ninja/j/env │ No constraints supplied to the resolution process │ ✔️ INFO
https://thoth-station.ninja/j/env │ Using supplied static source code analysis │ ✔️ INFO
https://thoth-station.ninja/j/env │ No containerized environment used │ ✔️ INFO
https://thoth-station.ninja/j/env │ Using CPU family 'UNKNWON' model 'UNKNOWN' │ ✔️ INFO
https://thoth-station.ninja/j/env │ No CUDA used │ ✔️ INFO
https://thoth-station.ninja/j/env │ No cuDNN used │ ✔️ INFO
https://thoth-station.ninja/j/env │ No OpenBLAS used │ ✔️ INFO
https://thoth-station.ninja/j/env │ No OpenMPI used │ ✔️ INFO
https://thoth-station.ninja/j/env │ No MKL used │ ✔️ INFO
https://thoth-station.ninja/j/eol_env │ Runtime environment used is no longer supported, it is recommended to switch │ ⚠️ WARNING
│ to another runtime environment │
https://thoth-station.ninja/j/prescription │ Using prescriptions 'thoth' release 'v0.17.0' │ ✔️ INFO
https://github.com/thoth-station/prescriptions │ Using resolver prescriptions from thoth-station/prescriptions │ ✔️ INFO
https://thoth-station.ninja/j/no_cpu │ No CPU model provided, please state CPU model in your .thoth.yaml │ ⚠️ WARNING
│ configuration file to have recommendations optimized for your runtime │
│ environment │
https://thoth-station.ninja/j/no_cpu │ No CPU family provided, please state CPU family in your .thoth.yaml │ ⚠️ WARNING
│ configuration file to have recommendations optimized for your runtime │
│ environment │
https://thoth-station.ninja/j/rules │ Removing package 'click' in versions '<=6.6' from index │ ⚠️ WARNING
│ 'https://pypi.org/simple' based on rule: Package released before December │
│ 2016 │
https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287 │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as │ ⚠️ WARNING
-cve-2021-25288-fix-oob-read-in-jpeg2kdecode │ a CVE 'PYSEC-2021-137' was found │
https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287 │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as │ ⚠️ WARNING
-cve-2021-25288-fix-oob-read-in-jpeg2kdecode │ a CVE 'PYSEC-2021-138' was found │
https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28675 │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as │ ⚠️ WARNING
-fix-dos-in-psdimageplugin │ a CVE 'PYSEC-2021-139' was found │
https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as │ ⚠️ WARNING
│ a CVE 'PYSEC-2021-317' was found │
https://pillow.readthedocs.io/en/stable/releasenotes/index.html │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as │ ⚠️ WARNING
│ a CVE 'PYSEC-2021-331' was found │
https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as │ ⚠️ WARNING
│ a CVE 'PYSEC-2021-35' was found │
https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as │ ⚠️ WARNING
│ a CVE 'PYSEC-2021-36' was found │
https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as │ ⚠️ WARNING
│ a CVE 'PYSEC-2021-37' was found │
https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as │ ⚠️ WARNING
│ a CVE 'PYSEC-2021-38' was found │
https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as │ ⚠️ WARNING
│ a CVE 'PYSEC-2021-39' was found │
https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as │ ⚠️ WARNING
│ a CVE 'PYSEC-2021-40' was found │
https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as │ ⚠️ WARNING
│ a CVE 'PYSEC-2021-41' was found │
https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as │ ⚠️ WARNING
│ a CVE 'PYSEC-2021-42' was found │
https://pillow.readthedocs.io/en/stable/releasenotes/index.html │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as │ ⚠️ WARNING
│ a CVE 'PYSEC-2021-69' was found │
https://pillow.readthedocs.io/en/stable/releasenotes/index.html │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as │ ⚠️ WARNING
│ a CVE 'PYSEC-2021-70' was found │
https://pillow.readthedocs.io/en/stable/releasenotes/index.html │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as │ ⚠️ WARNING
│ a CVE 'PYSEC-2021-71' was found │
https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676 │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as │ ⚠️ WARNING
-fix-fli-dos │ a CVE 'PYSEC-2021-92' was found │
https://github.com/python-pillow/Pillow/pull/5377 │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as │ ⚠️ WARNING
│ a CVE 'PYSEC-2021-93' was found │
https://github.com/python-pillow/Pillow/pull/5377 │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as │ ⚠️ WARNING
│ a CVE 'PYSEC-2021-94' was found │
https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-built │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as │ ⚠️ WARNING
ins-available-to-imagemath-eval │ a CVE 'PYSEC-2022-10' was found │
https://github.com/python-pillow/Pillow/blob/c5d9223a8b5e9295d15b5a9b1ef1dae44 │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as │ ⚠️ WARNING
c8499f3/src/path.c#L331 │ a CVE 'PYSEC-2022-8' was found │
https://github.com/python-pillow/Pillow/blob/c5d9223a8b5e9295d15b5a9b1ef1dae44 │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as │ ⚠️ WARNING
c8499f3/src/path.c#L331 │ a CVE 'PYSEC-2022-9' was found │
https://thoth-station.ninja/j/unresolved │ Cannot satisfy direct dependencies: direct dependencies of type 'pillow' were │ ❌ ERROR
│ removed by pipeline sieves │
╵ ╵
Cannot satisfy direct dependencies: direct dependencies of type 'pillow' were removed by pipeline sievesOr modify the recommendation_type field to security in .thoth.yaml to set it as your default recommendation type, and simply run:
thamos adviseThamos report should show that an error occurred during the resolution process because a known vulnerability was found in pillow version 8.0.0. Thoth checks vulnerabilities of direct dependencies, but also possible vulnerabilities in indirect dependencies (also known as transitive dependencies of the application). The resolution process respects Python package index configuration to avoid possible dependency confusion attacks.
Running the Example Application
Now that you know how Thamos prevents the use of unsafe dependencies in your application, you can revert to another version of pillow to complete this part of the tutorial. To launch the example application with the resolved dependencies, run (Python 3.8 is required):
thamos run --no-pedantic ./game_of_life.pyTo launch a new game with the default parameters or choose your own parameters as specified in the help section. Click on the coordinates to select your first generation of individuals and press p to see next generations.