Python
This article shows you how to analyze your applications written in Python using preZero.
- Python (Source) - Preferred
- Python 3.8, 3.9
Requirements
See Prerequisites for more information.
Analyzing your Python application
sl analyze --app <name> --pythonsrc [<path>]
| Parameter | Description |
|---|---|
--app <name> | The name of the application to be analyzed |
--pythonsrc | The flag identifying the application as written in Python |
<path> | The path to the Python application to be analyzed |
Additional parameters
The analysis accepts additional parameters after a double hyphen --.
| Additional parameter | Description |
|---|---|
--ignore-paths | Ignores the specified paths from the analysis. Accepts both absolute and relative file paths; relative file paths are interpreted in relation to the directory provided as part of sl analyze... |
--ignore-dir-names | Excludes all files where the relative path (from directory provided in sl analyze) contains at least one of names specified here |
Such parameters, if valid, are passed directly to the Python analyzer.
Sample usage of additional parameters
To ignore a specific path from the analysis:
sl analyze --app <name> --pythonsrc [<path>] -- --ignore-paths [<path>]
SCA
To identify open-source vulnerabilities, Qwiet preZero automatically searches for build manifests in the project path you provided when running sl analyze. However, depending on your build system you may need to run an additional step before invoking sl - specifically, sl supports requirements.txt and poetry.lock files. You can generate the former e.g. with pip freeze > requirements.txt - from your activated venv. And poetry lock generates the latter.
Requirements
See Prerequisites for more information.
Analyzing your Python application
Qwiet offers a sample application that you can use to run and test preZero. It also includes a functioning configuration file to demonstrate how you can leverage GitHub Actions to automate code analysis whenever you open a new Pull Request (PR).
We also offer samples for GitLab integration, as well as configurations for Docker, Linux, macOS, and Windows.
Before running code analysis, please run pip install using the version of Python you used to write the application and make sure this is successful.
pip install -r requirements.txt
On macOS and in some Linux environments, pip and python may be using Python 2 instead of Python 3. If so, use pip3 and python3 instead.
To analyze your Python application:
sl analyze --app <name> --python [<path>]
| Parameter | Description |
|---|---|
--app <name> | The name of the application to be analyzed (maximum length: 100 characters) |
--python | The flag identifying the application as written in Python |
<path> | The path to the Python application to be analyzed |
Additional parameters
The analysis accepts additional parameters after a double hyphen --.
For example, the following CLI invocation ignores the dev-folder directory and all directories named experiments and adds a new entry to Python's module search path:
sl analyze --app <name> --python [<path>] -- --ignore-paths /path/to/dev-folder --ignore-dir-names experiments --extra-sys-paths /path/to/lib/python3.8/site-packages
| Additional parameter | Description |
|---|---|
--extra-sys-paths [<path>] | Include additional module search paths in the analysis. Required for applications that aren't written using Python 3.8 |
--strict-deps | Requires that all of the project's module paths can be followed for analysis to proceed |
--ignore-paths | Ignores the specified paths from the analysis. Requires the full path, not a relative path, to be provided |
--ignore-dir-names | Excludes all matching directories from the analysis. You must provide the exact directory name |
Such parameters, if valid, are passed directly to the Python analyzer.
Sample usage of additional parameters
To provide an additional module search path for the analysis:
sl analyze --app <name> --python [<path>] -- --extra-sys-paths [<path>]
To specify that the analysis should only continue if all the project's modules can be followed:
sl analyze --app <name> --python [<path>] -- --strict-deps
To ignore specific paths from the analysis:
sl analyze --app <name> --python [<path>] -- --ignore-paths [<ignore_path_1>] [<ignore_path_2>]
To ignore specific directory names from the analysis:
sl analyze --app <name> --python [<path>] -- --ignore-dir-names [<ignore_dir_name_1>] [<ignore_dir_name_2>]
To enable detailed logging of the analysis in case of troubleshooting:
sl analyze --app <name> --python [<path>] -- -l debug # append --verbose if providing logs to Qwiet for support
See the CLI reference for additional sl analyze options.
SCA
To identify open-source vulnerabilities, Qwiet preZero automatically searches for build manifests in the project path you provided when running sl analyze. However, depending on how your project repo is structured, you may need to provide --oss-project-dir <project-path> so that Qwiet preZero can identify where your dependencies are located.
Considerations
Qwiet's Python analyzer attempts to gather as much information about your project as possible to achieve accuracy. It expects an environment set up close to the one you have for running your project. This means that the Python interpreter must find all of the project's dependencies set up in one of the directories of its module search path. The most straightforward way to do this is to create a virtual environment and install the project's dependencies in it.
Qwiet supports setups that do not use virtual environments as long as the Python interpreter can find the dependencies in its search path. You can specify additional directories to look for dependencies using the --extra-sys-paths flag.
Additionally, the Python analyzer goes through your project's files and modules in a similar way to the Python interpreter. This process is crucial for gathering necessary information and can be fragile for certain setups. If the analyzer cannot follow one of the imports in your project, the analysis will proceed. Still, the files related to the import may not be included in the resulting analysis and preZero may also not detect security vulnerabilities related to these files. To receive a complete analysis, include the --strict-deps flag.
Tagging results with your branch name
To include the branch name in your preZero results, allowing you to distinguish one set of results from another, add the following to your invocation of Qwiet:
sl analyze --tag branch=`git symbolic-ref --short HEAD`
If you're working in a GitHub environment (e.g., GitHub Actions), you can also use --tag branch=${{ github.head_ref }} to populate your branch name.
If you don't provide a branch name, but Qwiet detects one available in your environment, it will use that name.
Troubleshooting
If you have any issues scanning your project, please see our general troubleshooting page, as well as our Python-specific suggestions that follow.
Package installation
Before running analysis on your Python application, make sure to run pip install:
pip install -r requirements.txt
Python versions
If you receive the following error when analyzing your Python application, please make sure that you have Python v3.8 installed (regardless of which version of Python you app uses):
Error: analyze: python3.8 is required but not found | issuer=/go/src/github.com/ShiftLeftSecurity/go-services/cmd/sl/main.go:1824
analyze: python3.8 is required but not found
Error: Process completed with exit code 1.
Module import errors
-
Check to see if running
pip installfor your application was successful. -
If using a private registry, such as Sonatype or JFrog, ensure the
.pypircfile contains the authentication token required to install all the dependencies. -
Some applications might have a common directory referred to by multiple packages. To provide this additional module search path for the analysis:
sl analyze --app <name> --python [<path>] -- --extra-sys-paths [<path>] -
Some applications have development and test scripts that contain errors preventing security analysis. To omit specific paths from the analysis:
sl analyze --app <name> --python [<path>] -- --ignore-paths [<ignore_path_1>] [<ignore_path_2>]The paths are separated by spaces.
-
To ignore specific directory by name from the analysis:
sl analyze --app <name> --python [<path>] -- --ignore-dir-names [<ignore_dir_name_1>] [<ignore_dir_name_2>] -
To enable detailed logging of the analysis in case of troubleshooting:
sl analyze --verbose --app <name> --python [<path>] -- -l debugThe detailed log file can then be found in the user's temporary directory.
Analyzing Jupyter notebooks
To submit a Jupyter notebook for analysis with preZero, you must first convert all of your .ipynb files to .py files:
# convert the notebooks (*.ipynb) into Python files (*.py)
jupyter nbconvert --to python *.ipynb
# analyze the Python files with preZero
sl analyze --app ipynb-pythonsrc --pythonsrc .