Managing Vulnerabilities with Thamos

Introducing a Vulnerability

The game_of_life.py program is a simple application that shows how Thamos manages known vulnerablities in the dependencies of a project. To use this example application, follow the steps mentioned above relative to the installation of the Thamos CLI and to its configuration using .thoth.yaml.

To introduce voluntarily a known vulnerability in the project, specify that you would like to add pillow version 8.0.0 in your requirements:

thamos add pillow==8.0.0
2022-01-12 14:20:11,248 [217578] INFO     thamos.lib: Adding 'pillow==8.0.0' to default requirements of runtime environment 'ubi8'

This version of pillow is known for introducing a vulnerability further described on the pypa/advisory-db repository. Thamos can also manage user requirements for dependencies using constraints files. To add pillow version 8.0.0 in your dependency requirements this way, you can simply write the package with its version into this file.

Resolving Security Issues with Thamos

To get a stack guidance based on security, run the following command:

The resolution process might take some time as the resolver explores resolution possibilities in the dependency graph (unless cached results are already available).
thamos advise --recommendation-type security
2022-03-16 13:40:31,223 [2827560] WARNING  thamos: Development dependencies will not be considered during the resolution process - see https://thoth-station.ninja/j/no_dev
2022-03-16 13:40:31,223 [2827560] INFO     thamos.lib: Using Pipenv files to manage dependencies located in '/home/fpokorny/git/thoth-station/cli-examples'
2022-03-16 13:40:31,223 [2827560] INFO     thamos.lib: Submitting Pipfile.lock as a base for user's stack scoring - see https://thoth-station.ninja/j/user_stack
2022-03-16 13:40:31,224 [2827560] ERROR    thamos.lib: Pipfile hash stated in Pipfile.lock 'f25c84' does not correspond to Pipfile hash 'fbca38' - was Pipfile adjusted? This error is not critical.
2022-03-16 13:40:31,394 [2827560] INFO     thamos.lib: Using 'security' recommendation type - see https://thoth-station.ninja/recommendation-types/
2022-03-16 13:40:31,394 [2827560] INFO     thamos.lib: Performing static analysis of sources to gather library usage
2022-03-16 13:40:32,610 [2827560] INFO     thamos.lib: Successfully submitted advise analysis 'adviser-220316124032-c0ef51f179cf9e16' to 'https://khemenu.thoth-station.ninja/api/v1'
                                                                          Application stack guidance
                                                                                 ╷                                                                               ╷
  Link                                                                           │ Message                                                                       │ Type
 ════════════════════════════════════════════════════════════════════════════════╪═══════════════════════════════════════════════════════════════════════════════╪═══════════
  https://quay.io/repository/thoth-station/ps-cv-ocr                             │ Consider using a computer vision predictable stack 'ps-cv-ocr' that has       │ ✔️ INFO
                                                                                 │ prepared environment with 'pillow'                                            │
  https://quay.io/repository/thoth-station/ps-cv-pytorch                         │ Consider using a computer vision predictable stack 'ps-cv-pytorch' that has   │ ✔️ INFO
                                                                                 │ prepared environment with 'pillow'                                            │
  https://quay.io/repository/thoth-station/ps-cv-tensorflow                      │ Consider using a computer vision predictable stack 'ps-cv-tensorflow' that    │ ✔️ INFO
                                                                                 │ has prepared environment with 'pillow'                                        │
  https://quay.io/repository/thoth-station/ps-ip-ifd                             │ Consider using a image processing predictable stack 'ps-ip-ifd' that has      │ ✔️ INFO
                                                                                 │ prepared environment with 'pillow'                                            │
  https://thoth-station.ninja/search/adviser-220316124032-c0ef51f179cf9e16/summa │ Results can be browsed in Thoth search                                        │ ✔️ INFO
  ry                                                                             │                                                                               │
  https://thoth-station.ninja/j/cve_timestamp                                    │ CVE database of known vulnerabilities for Python packages was updated at      │ ✔️ INFO
                                                                                 │ '2022-03-16T00:34:23.507548'                                                  │
  https://thoth-station.ninja/j/lax_version                                      │ No version range specifier for 'asyncclick' found, it is recommended to       │ ⚠️ WARNING
                                                                                 │ specify version ranges in requirements                                        │
  https://thoth-station.ninja/j/lax_version                                      │ No version range specifier for 'click' found, it is recommended to specify    │ ⚠️ WARNING
                                                                                 │ version ranges in requirements                                                │
  https://thoth-station.ninja/j/lax_version                                      │ No version range specifier for 'pygame' found, it is recommended to specify   │ ⚠️ WARNING
                                                                                 │ version ranges in requirements                                                │
  https://thoth-station.ninja/j/thoth_s2i                                        │ It is recommended to use Thoth's s2i to have recommendations specific to      │ ✔️ INFO
                                                                                 │ runtime environment                                                           │
  https://thoth-station.ninja/j/rhel_ubi                                         │ Using observations for RHEL instead of UBI, RHEL is ABI compatible with UBI   │ ⚠️ WARNING
  https://thoth-station.ninja/recommendation-types/                              │ Using recommendation type 'security'                                          │ ✔️ INFO
  https://thoth-station.ninja/j/env                                              │ Resolving for runtime environment named 'ubi8'                                │ ✔️ INFO
  https://thoth-station.ninja/j/env                                              │ Resolving for operating system 'rhel' in version '8'                          │ ✔️ INFO
  https://thoth-station.ninja/j/env                                              │ Resolving for Python version '3.8'                                            │ ✔️ INFO
  https://thoth-station.ninja/j/env                                              │ Using platform 'linux-x86_64'                                                 │ ✔️ INFO
  https://thoth-station.ninja/j/env                                              │ No constraints supplied to the resolution process                             │ ✔️ INFO
  https://thoth-station.ninja/j/env                                              │ Using supplied static source code analysis                                    │ ✔️ INFO
  https://thoth-station.ninja/j/env                                              │ No containerized environment used                                             │ ✔️ INFO
  https://thoth-station.ninja/j/env                                              │ Using CPU family 'UNKNWON' model 'UNKNOWN'                                    │ ✔️ INFO
  https://thoth-station.ninja/j/env                                              │ No CUDA used                                                                  │ ✔️ INFO
  https://thoth-station.ninja/j/env                                              │ No cuDNN used                                                                 │ ✔️ INFO
  https://thoth-station.ninja/j/env                                              │ No OpenBLAS used                                                              │ ✔️ INFO
  https://thoth-station.ninja/j/env                                              │ No OpenMPI used                                                               │ ✔️ INFO
  https://thoth-station.ninja/j/env                                              │ No MKL used                                                                   │ ✔️ INFO
  https://thoth-station.ninja/j/eol_env                                          │ Runtime environment used is no longer supported, it is recommended to switch  │ ⚠️ WARNING
                                                                                 │ to another runtime environment                                                │
  https://thoth-station.ninja/j/prescription                                     │ Using prescriptions 'thoth' release 'v0.17.0'                                 │ ✔️ INFO
  https://github.com/thoth-station/prescriptions                                 │ Using resolver prescriptions from thoth-station/prescriptions                 │ ✔️ INFO
  https://thoth-station.ninja/j/no_cpu                                           │ No CPU model provided, please state CPU model in your .thoth.yaml             │ ⚠️ WARNING
                                                                                 │ configuration file to have recommendations optimized for your runtime         │
                                                                                 │ environment                                                                   │
  https://thoth-station.ninja/j/no_cpu                                           │ No CPU family provided, please state CPU family in your .thoth.yaml           │ ⚠️ WARNING
                                                                                 │ configuration file to have recommendations optimized for your runtime         │
                                                                                 │ environment                                                                   │
  https://thoth-station.ninja/j/rules                                            │ Removing package 'click' in versions '<=6.6' from index                       │ ⚠️ WARNING
                                                                                 │ 'https://pypi.org/simple' based on rule: Package released before December     │
                                                                                 │ 2016                                                                          │
  https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287 │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as  │ ⚠️ WARNING
  -cve-2021-25288-fix-oob-read-in-jpeg2kdecode                                   │ a CVE 'PYSEC-2021-137' was found                                              │
  https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287 │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as  │ ⚠️ WARNING
  -cve-2021-25288-fix-oob-read-in-jpeg2kdecode                                   │ a CVE 'PYSEC-2021-138' was found                                              │
  https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28675 │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as  │ ⚠️ WARNING
  -fix-dos-in-psdimageplugin                                                     │ a CVE 'PYSEC-2021-139' was found                                              │
  https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html                │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as  │ ⚠️ WARNING
                                                                                 │ a CVE 'PYSEC-2021-317' was found                                              │
  https://pillow.readthedocs.io/en/stable/releasenotes/index.html                │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as  │ ⚠️ WARNING
                                                                                 │ a CVE 'PYSEC-2021-331' was found                                              │
  https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html                │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as  │ ⚠️ WARNING
                                                                                 │ a CVE 'PYSEC-2021-35' was found                                               │
  https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html                │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as  │ ⚠️ WARNING
                                                                                 │ a CVE 'PYSEC-2021-36' was found                                               │
  https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html                │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as  │ ⚠️ WARNING
                                                                                 │ a CVE 'PYSEC-2021-37' was found                                               │
  https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html                │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as  │ ⚠️ WARNING
                                                                                 │ a CVE 'PYSEC-2021-38' was found                                               │
  https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html                │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as  │ ⚠️ WARNING
                                                                                 │ a CVE 'PYSEC-2021-39' was found                                               │
  https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html                │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as  │ ⚠️ WARNING
                                                                                 │ a CVE 'PYSEC-2021-40' was found                                               │
  https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html                │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as  │ ⚠️ WARNING
                                                                                 │ a CVE 'PYSEC-2021-41' was found                                               │
  https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html                │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as  │ ⚠️ WARNING
                                                                                 │ a CVE 'PYSEC-2021-42' was found                                               │
  https://pillow.readthedocs.io/en/stable/releasenotes/index.html                │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as  │ ⚠️ WARNING
                                                                                 │ a CVE 'PYSEC-2021-69' was found                                               │
  https://pillow.readthedocs.io/en/stable/releasenotes/index.html                │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as  │ ⚠️ WARNING
                                                                                 │ a CVE 'PYSEC-2021-70' was found                                               │
  https://pillow.readthedocs.io/en/stable/releasenotes/index.html                │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as  │ ⚠️ WARNING
                                                                                 │ a CVE 'PYSEC-2021-71' was found                                               │
  https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676 │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as  │ ⚠️ WARNING
  -fix-fli-dos                                                                   │ a CVE 'PYSEC-2021-92' was found                                               │
  https://github.com/python-pillow/Pillow/pull/5377                              │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as  │ ⚠️ WARNING
                                                                                 │ a CVE 'PYSEC-2021-93' was found                                               │
  https://github.com/python-pillow/Pillow/pull/5377                              │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as  │ ⚠️ WARNING
                                                                                 │ a CVE 'PYSEC-2021-94' was found                                               │
  https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-built │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as  │ ⚠️ WARNING
  ins-available-to-imagemath-eval                                                │ a CVE 'PYSEC-2022-10' was found                                               │
  https://github.com/python-pillow/Pillow/blob/c5d9223a8b5e9295d15b5a9b1ef1dae44 │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as  │ ⚠️ WARNING
  c8499f3/src/path.c#L331                                                        │ a CVE 'PYSEC-2022-8' was found                                                │
  https://github.com/python-pillow/Pillow/blob/c5d9223a8b5e9295d15b5a9b1ef1dae44 │ Skipping including package ('pillow', '8.0.0', 'https://pypi.org/simple') as  │ ⚠️ WARNING
  c8499f3/src/path.c#L331                                                        │ a CVE 'PYSEC-2022-9' was found                                                │
  https://thoth-station.ninja/j/unresolved                                       │ Cannot satisfy direct dependencies: direct dependencies of type 'pillow' were │ ❌ ERROR
                                                                                 │ removed by pipeline sieves                                                    │
                                                                                 ╵                                                                               ╵
                                   Cannot satisfy direct dependencies: direct dependencies of type 'pillow' were removed by pipeline sieves

Or modify the recommendation_type field to security in .thoth.yaml to set it as your default recommendation type, and simply run:

thamos advise

Thamos report should show that an error occurred during the resolution process because a known vulnerability was found in pillow version 8.0.0. Thoth checks vulnerabilities of direct dependencies, but also possible vulnerabilities in indirect dependencies (also known as transitive dependencies of the application). The resolution process respects Python package index configuration to avoid possible dependency confusion attacks.

Running the Example Application

Now that you know how Thamos prevents the use of unsafe dependencies in your application, you can revert to another version of pillow to complete this part of the tutorial. To launch the example application with the resolved dependencies, run (Python 3.8 is required):

thamos run --no-pedantic ./game_of_life.py

To launch a new game with the default parameters or choose your own parameters as specified in the help section. Click on the coordinates to select your first generation of individuals and press p to see next generations.