How to Easily Identify Conda Vulnerabilities Using Sonatype Jake

Vulnerabilities in our Python environments are really irritating. They slow us down, are difficult to identify, and can delay the development process. What makes them more frustrating is that most of these vulnerabilities are already known: countless developers have run into them before and have reported the issues online. However, we use so many open source libraries these days that it’s almost impossible to keep up to date with all of our dependencies and their known vulnerabilities.

So wouldn’t it be nice if someone checked for known vulnerabilities in your Conda environment?

That’s why Sonatype decided to develop Jake. Jake is a tool that scans the open source packages in your current Conda environment and identifies their known, publicly disclosed vulnerabilities. The check is performed against Sonatype’s OSS Index, a comprehensive collection of vulnerability information for open source software, derived from public sources across the web. So when you fire up Jake, it first identifies the dependencies in your environment and then asks OSS Index whether any of those dependencies have known vulnerabilities. And the best part is that it’s free!
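To make the two steps concrete (enumerate dependencies, then look them up in OSS Index), here is an added illustration written for this post; it is not Jake’s own code. It assumes the OSS Index v3 `component-report` endpoint, which takes Package URL coordinates and returns a list of vulnerabilities per component; the `conda list --json` sample, the response sample, and the package name `samplelib` are all constructed, and the advisory id is a placeholder.

```python
import json
import urllib.request

# Constructed sample of `conda list --json` output (not a real environment).
CONDA_LIST_JSON = """[
  {"name": "samplelib", "version": "1.0.0",  "channel": "conda-forge"},
  {"name": "numpy",     "version": "1.19.2", "channel": "defaults"}
]"""

# Constructed sample of an OSS Index component-report response. Field names
# follow the public v3 API as understood by this example (an assumption).
SAMPLE_REPORT_JSON = """[
  {"coordinates": "pkg:pypi/samplelib@1.0.0",
   "vulnerabilities": [{"id": "EXAMPLE-ID-PLACEHOLDER", "cvssScore": 7.5,
                        "title": "[CVE-PLACEHOLDER] constructed advisory"}]},
  {"coordinates": "pkg:pypi/numpy@1.19.2", "vulnerabilities": []}
]"""

OSS_INDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"


def to_purls(conda_list_json):
    """Map conda packages to Package URL coordinates of type pypi.
    Assumption: the conda package name is also the PyPI project name."""
    packages = json.loads(conda_list_json)
    return [f"pkg:pypi/{p['name'].lower()}@{p['version']}" for p in packages]


def build_request_body(purls):
    """JSON body for one component-report call (coordinates are batched)."""
    return json.dumps({"coordinates": purls}).encode()


def fetch_report(purls):
    """Live lookup over the network; not exercised by the offline sample."""
    req = urllib.request.Request(OSS_INDEX_URL, data=build_request_body(purls),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def vulnerable_components(report_json, min_cvss=0.0):
    """Return {purl: [(id, cvssScore, title), ...]} for components that have
    at least one finding at or above min_cvss; clean components are omitted."""
    findings = {}
    for component in json.loads(report_json):
        vulns = [(v["id"], v.get("cvssScore", 0.0), v.get("title", ""))
                 for v in component.get("vulnerabilities", [])
                 if v.get("cvssScore", 0.0) >= min_cvss]
        if vulns:
            findings[component["coordinates"]] = vulns
    return findings
```

Running `vulnerable_components(fetch_report(to_purls(conda_list_output)))` against a real environment performs the live lookup; the `min_cvss` threshold lets you triage only the findings that matter for your project.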

In this post, you will learn how to set up and run Jake to check for vulnerabilities in your environment.

Who Is Jake For?

This tool is specifically for Python developers who work with Conda environments. Even if you haven’t used Conda yet, you may well want to start, and in that case Jake will make your life easier.

So, who should use Conda?

Conda is a virtual environment management system. Ideally you should create a separate virtual environment for each of your Python projects, so that packages installed for some other project do not introduce vulnerabilities into your current one. There is little downside to using virtual environments. Hence, it’s advisable to use separate virtual

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Aditya Khanduri. Read the original post at: