Vulnerability Report

Pulp Python provides vulnerability scanning capabilities to help you identify known security vulnerabilities in your Python packages. This feature integrates with the Open Source Vulnerabilities (OSV) database to scan Pulp RepositoryVersions for vulnerable packages.

Prerequisites

Before generating the vulnerability report, ensure that:

  1. You have a Python repository with synced or uploaded content
  2. Pulp has connectivity to the OSV API

Generating a vulnerability report

To scan a RepositoryVersion for vulnerabilities, pass the name of the repository and, optionally, the version number:

pulp vulnerability-report create --repository my-repo --version 1

Understanding Scan Results

After a scan completes, vulnerability information is available in two places:

1. Repository Version Level

The RepositoryVersion includes a vuln_report field that references a vulnerability report containing all vulnerabilities found in that version:

pulp python repository version show --repository my-repo

The response includes:

{
    "pulp_href": "/pulp/api/v3/repositories/python/python/.../versions/1/",
    "number": 1,
    ...
    "vuln_report": "/pulp/api/v3/vuln-reports/..."
}

2. Content Level

Individual Python package content units also include vulnerability report references:

pulp python content list

Each package in the response includes:

{
    "pulp_href": "/pulp/api/v3/content/python/packages/.../",
    "name": "Django",
    ...
    "vuln_report": "/pulp/api/v3/vuln-reports/...",
    ...
}

Viewing Vulnerability Details

To view the actual vulnerability data, retrieve the vulnerability report:

# Get vulnerability report details
pulp vulnerability-report show --href ${VULN_REPORT_HREF}

The report contains detailed information about each vulnerability, including:

  • CVE identifiers: Common Vulnerabilities and Exposures identifiers
  • Affected versions: Which package versions are vulnerable
  • Fixed versions: Which versions contain fixes
  • References: Links to advisories and patches
  • Repository and Content: The Pulp RepositoryVersion and Content units that are impacted
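The affected and fixed versions listed above come from OSV advisories, which express them as ECOSYSTEM range events (an "introduced" version paired with the next "fixed" version). As an added example that is not part of this page or of Pulp's own code, the Python below applies those events to decide whether a given package version is affected. The advisory is constructed sample data, not a real OSV entry, and parse_version is a simplified release-segment compare rather than full PEP 440 ordering.

```python
import re

# Constructed sample in the OSV advisory schema. The ID, alias and ranges are
# made up for illustration and do not describe any real Django vulnerability.
SAMPLE_ADVISORY = {
    "id": "EXAMPLE-0001",
    "aliases": ["CVE-0000-EXAMPLE"],
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "django"},
        "ranges": [{
            "type": "ECOSYSTEM",
            "events": [
                {"introduced": "0"}, {"fixed": "4.2.20"},
                {"introduced": "5.1"}, {"fixed": "5.1.8"},
            ],
        }],
    }],
}

def parse_version(v):
    """Simplified compare on numeric release segments (assumption: no pre/post/dev tags)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def affected_intervals(events):
    """Pair each 'introduced' event with the next 'fixed'; None means no fix yet."""
    intervals, start = [], None
    for ev in events:  # OSV lists events in ascending version order
        if "introduced" in ev:
            start = ev["introduced"]
        elif "fixed" in ev and start is not None:
            intervals.append((start, ev["fixed"]))
            start = None
    if start is not None:
        intervals.append((start, None))
    return intervals

def is_affected(advisory, name, version):
    """True if (name, version) falls inside any PyPI ECOSYSTEM range of the advisory."""
    v = parse_version(version)
    for entry in advisory["affected"]:
        pkg = entry["package"]
        if pkg["ecosystem"] != "PyPI" or pkg["name"].lower() != name.lower():
            continue
        if version in entry.get("versions", []):  # explicitly enumerated versions
            return True
        for rng in entry.get("ranges", []):
            if rng["type"] != "ECOSYSTEM":
                continue
            for lo, hi in affected_intervals(rng["events"]):
                if parse_version(lo) <= v and (hi is None or v < parse_version(hi)):
                    return True
    return False
```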

Example Workflow

Here's a complete example of scanning a repository for vulnerabilities:

# 1. Create a repository
pulp python repository create --name security-scan-repo

# 2. Create a remote pointing to PyPI
pulp python remote create \
    --name pypi-remote \
    --url https://pypi.org/ \
    --includes '["django==5.2.1"]'

# 3. Sync the repository
pulp python repository sync \
    --name security-scan-repo \
    --remote pypi-remote

# 4. Scan for vulnerabilities
pulp vulnerability-report create --repository security-scan-repo

# 5. View the vulnerability report
VULN_REPORT=$(pulp python repository version show --repository security-scan-repo | jq -r '.vuln_report')
pulp vulnerability-report show --href "$VULN_REPORT"