Regarding usage of boxsdk in python - Security Issue
I want to use the boxsdk module for my Python application. Due to some issues, I am unable to install it on my Linux machine using pip.
Instead, I tried to use it by downloading the source from PyPI and making a build of it using the following command:
python setup.py build
Also, the modules used by boxsdk, such as enum, chardet, attrs, etc., are placed in my application folder by making a build of each using the above command.
So, the issue is regarding the security of those modules and your package boxsdk, as all of them are available on PyPI, i.e. an open source platform (anyone can upload there).
How is security managed in this case of using the boxsdk module and other dependent modules?
Thanks
-
Thanks for bringing this up, it's a very good question.
In general, most SDKs have external dependencies, although often they are kept to a minimum to limit the security surface area.
A good practice for any library would be to ensure that external dependencies are fixed to a specific minor release of that dependency (e.g. 1.2.X). As you can see, our Python SDK does this here.
A second good practice is to check for known vulnerabilities in any dependencies using a vulnerability tracker. Our code for the Python SDK is hosted on GitHub and GitHub introduced this feature last year.
If you want to know more about how we build our SDKs, I'd recommend opening an issue on the Python SDK GitHub repo so that our SDK team can get back to you with any answers you may need. They would love to hear and understand about your issue installing the SDK on Linux.
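As an added illustration of the first practice in the answer (dependencies fixed to a specific minor release such as 1.2.X), the following script audits a requirements list and flags entries that are not confined to one major.minor series. It is example code written for this page, not part of the Box SDK; the requirements text is a constructed sample, and the version constraints in it are assumptions, not the SDK's real pins.

```python
import re
from typing import Dict, List, Tuple

Spec = Tuple[str, Tuple[int, ...]]

# Constructed sample (assumed values, not the SDK's actual requirements).
SAMPLE_REQUIREMENTS = """
boxsdk>=2.0,<2.1            # confined to 2.0.X
requests>=2.4.3,<3.0        # spans every 2.X minor: too loose
six>=1.4.0                  # no upper bound at all
attrs~=19.3.0               # compatible release: 19.3.X
chardet>=3.0,<3.1
enum34>=1.1.6,<1.2 ; python_version < "3.4"
"""

_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*([^;#]*)")
_SPEC_RE = re.compile(r"(==|~=|>=|<=|!=|<|>)\s*([0-9][0-9.*]*)")

def _version(text: str) -> Tuple[int, ...]:
    # "1.2.*" is treated as "1.2": the wildcard carries no extra component
    return tuple(int(p) for p in text.rstrip(".*").split("."))

def parse_requirement(line: str) -> Tuple[str, List[Spec]]:
    """Split one requirements line into (name, [(operator, version), ...])."""
    m = _REQ_RE.match(line)
    if not m:
        raise ValueError(f"unparseable requirement: {line!r}")
    specs = [(op, _version(v)) for op, v in _SPEC_RE.findall(m.group(2))]
    return m.group(1), specs

def pinned_to_minor(specs: List[Spec]) -> bool:
    """True when the specifiers allow at most one major.minor series."""
    for op, ver in specs:
        if op == "==" and len(ver) >= 2:      # ==1.2.3 or ==1.2.*
            return True
        if op == "~=" and len(ver) >= 3:      # ~=1.2.0 means >=1.2.0, ==1.2.*
            return True
    lowers = [v for op, v in specs if op == ">=" and len(v) >= 2]
    uppers = [v for op, v in specs if op == "<"]
    # >=X.Y... together with <X.(Y+1) confines the range to X.Y.*
    return any(hi[0] == lo[0] and hi[1] == lo[1] + 1 and not any(hi[2:])
               for lo in lowers for hi in uppers)

def audit_requirements(text: str) -> Dict[str, bool]:
    """Map each dependency name to whether it is pinned to a minor release."""
    result: Dict[str, bool] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            name, specs = parse_requirement(line)
            result[name] = pinned_to_minor(specs)
    return result

if __name__ == "__main__":
    for name, ok in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{name:10} {'minor-pinned' if ok else 'LOOSE'}")
```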