Open Source Security Foundation (OpenSSF) best practices: Dynamic code analysis #7873
From IRC,
Thanks IRC folks! And because I can't help myself, here's what ChatGPT thinks:

```python
from PIL import Image
import os

# Define a configuration variable to enable dynamic analysis assertions
dynamic_analysis_enable_assertions = True


# Define a function to perform dynamic analysis
def perform_dynamic_analysis(image_path):
    if dynamic_analysis_enable_assertions:
        # Perform assertions or other checks during dynamic analysis
        assert os.path.exists(image_path), "Image file does not exist"
        assert os.path.splitext(image_path)[1].lower() in ['.jpg', '.jpeg', '.png'], "Unsupported image format"

    # Load the image using Pillow
    image = Image.open(image_path)

    # Further processing...
    # Example: image.show()


# Example usage
if __name__ == "__main__":
    # Path to the image file
    image_path = "example_image.jpg"

    # Perform dynamic analysis on the image
    perform_dynamic_analysis(image_path)
```
@python-pillow/pillow-team Can anyone point me in some tangible direction to try to do some work on this one? Thank you!

You could see how other Python projects have handled it:
I asked @sethmlarson and he reckons Google's CIFuzz is suitable for this one, so I've checked it off as "Met" with this description:
And we now have the green "passing" badge! https://www.bestpractices.dev/en/projects/6331 (It might take a bit of time for the cached badge to update in docs/README.)
We are only one best practice away from transitioning our OpenSSF badge from in-progress to passing! Thanks @hugovk and @radarhere for re-raising this in #7610.
I remember discussing this in the past and if I recall correctly, we never gained a consensus. At a glance, I'm not sure I fully understand what the challenges to declaring this "met" are. Here's the best practice details:
So, ignoring the "using in production" aspect, what does "use a configuration for at least some dynamic analysis which enables many assertions" require in our case?
Are we talking specifically about `assert` statements and if so do any of these count? Assuming some are security related, maybe we just need an "on/off". (Actually I assume none are security related… and when I say security-related I mean corresponding to a CVE fix.)
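The question above turns on what "a configuration which enables many assertions" means for Python `assert` statements. The added example below (not Pillow's code, nor part of the issue) shows the caveat a reviewer would check first: the interpreter compiles every `assert` away under `-O`/`PYTHONOPTIMIZE`, so the dynamic-analysis run itself must be started without optimisation. It also shows an explicit on/off check helper that is not stripped by `-O`, and an `ast`-based count of `assert` statements per function, run over a constructed sample module. The flag name `ASSERTIONS_ON` and the sample source are assumptions.

```python
import ast
import sys

# Constructed sample module standing in for a source file under review.
SAMPLE_SOURCE = '''
def decode(data):
    assert len(data) > 0, "empty buffer"
    header = data[:4]
    assert header == b"PNG ", "bad magic"
    return data[4:]

def helper(x):
    return x * 2
'''

# Hypothetical on/off switch; a project would read it from config or env.
ASSERTIONS_ON = True


def assertions_enabled() -> bool:
    """True only when Python started without -O / PYTHONOPTIMIZE.

    Under optimisation every `assert` is dropped at compile time, so a
    test or fuzz run executed with -O exercises none of them, whatever a
    project-level flag says.
    """
    return __debug__ and sys.flags.optimize == 0


def check(condition: bool, message: str) -> None:
    """Explicit check that survives -O; enforced only while the switch is on."""
    if ASSERTIONS_ON and not condition:
        raise AssertionError(message)


def count_asserts(source: str) -> dict:
    """Map each top-level function name to its number of `assert` statements."""
    tree = ast.parse(source)
    counts = {}
    for node in tree.body:
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            counts[node.name] = sum(isinstance(n, ast.Assert) for n in ast.walk(node))
    return counts


if __name__ == "__main__":
    print("interpreter honours assert statements:", assertions_enabled())
    print("assert statements per function:", count_asserts(SAMPLE_SOURCE))
```

Run it once normally and once with `python -O` to see the first line flip to `False` while the source-level count stays the same.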