
December update? Or, is safety-db dying? #2282

Closed
chezou opened this issue Dec 23, 2019 · 9 comments

Comments

@chezou

chezou commented Dec 23, 2019

I couldn't find the December update of this repository, while the README says it updates monthly. Do you have a plan to execute the December update? I've found that after the August update, there's been no meaningful update to the JSON files. Does this mean there have been no security vulns since September?

Also, according to his LinkedIn profile, Jwomers, who was the CEO of pyup, has left the company.

Is safety-db an active project?

@Yenthe666

@chezou Actually, if you look further you'll also find that the November 'update' didn't contain any CVEs:
f41304a
8189820

Same for October:
4398cda
af7d953

Same for September:
43a8f9e
8508267

It looks like the last meaningful CVE updates date back to August 2019. (df9a75c)

Besides this, it also seems to be missing CVEs from way back, for example paramiko, which has had vulnerabilities since 03/2018 and 10/2018. See https://www.cvedetails.com/vulnerability-list/vendor_id-17787/product_id-44430/Paramiko-Paramiko.html, which are not found in this DB.
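The two symptoms raised in this thread (a feed whose generation timestamp stops moving, and packages with known advisories that have no entry at all) are both things a consumer of the database can check mechanically before trusting a scan result. The script below is an added example, not code from safety-db or PyUp; it assumes the layout of `insecure_full.json` is a top-level `$meta` object carrying a Unix `timestamp` of the last generation, plus one key per package name holding a list of advisory records. The feed embedded in it is constructed (`examplepkg` is a made-up package and the CVE id is a placeholder), and the 45-day threshold is just a reasonable default for a feed that advertises monthly updates.

```python
"""Freshness and coverage check for a safety-db style vulnerability feed.

Added example, not part of safety-db. Assumed layout of insecure_full.json:
  {"$meta": {"advisory": "...", "timestamp": <unix seconds>},
   "<package>": [ {"advisory": ..., "cve": ..., "id": ..., "specs": [...], "v": ...}, ... ]}
"""
import json
from datetime import datetime, timezone

# Constructed sample feed. The timestamp is 2019-08-28T00:00:00Z, chosen to
# mirror a feed last regenerated in August; "examplepkg" and the CVE id are placeholders.
SAMPLE_FEED = """
{
  "$meta": {"advisory": "example metadata (constructed)", "timestamp": 1566950400},
  "examplepkg": [
    {"advisory": "examplepkg before 1.2.3 has a constructed example flaw.",
     "cve": "CVE-0000-00000",
     "id": "pyup.io-00000",
     "specs": ["<1.2.3"],
     "v": "<1.2.3"}
  ]
}
"""


def load_feed(text: str) -> dict:
    """Parse the feed JSON; raises ValueError on malformed input."""
    return json.loads(text)


def feed_generated_at(feed: dict) -> datetime:
    """Return the feed's generation time as a timezone-aware UTC datetime."""
    ts = feed["$meta"]["timestamp"]
    return datetime.fromtimestamp(int(ts), tz=timezone.utc)


def feed_age_days(feed: dict, now: datetime) -> int:
    """Whole days elapsed between the feed's generation time and `now`."""
    return (now - feed_generated_at(feed)).days


def advisories_for(feed: dict, package: str) -> list:
    """Advisory records for a package (names are compared case-insensitively)."""
    if package == "$meta":
        return []
    return feed.get(package.lower(), [])


def check_feed(feed: dict, now: datetime, max_age_days: int = 45,
               expect_coverage=()) -> dict:
    """Summarise whether the feed is stale and which expected packages it lacks.

    `expect_coverage` lists packages the operator knows have published advisories;
    any of them with zero records is reported so the gap is visible in CI output.
    """
    age = feed_age_days(feed, now)
    packages = [name for name in feed if name != "$meta"]
    return {
        "generated_at": feed_generated_at(feed).isoformat(),
        "age_days": age,
        "stale": age > max_age_days,
        "package_count": len(packages),
        "advisory_count": sum(len(feed[name]) for name in packages),
        "missing_coverage": [p for p in expect_coverage if not advisories_for(feed, p)],
    }


if __name__ == "__main__":
    feed = load_feed(SAMPLE_FEED)
    # Evaluate "as of" the date this issue was opened.
    report = check_feed(feed, datetime(2019, 12, 23, tzinfo=timezone.utc),
                        expect_coverage=("paramiko", "examplepkg"))
    print(json.dumps(report, indent=2))
```

In a real pipeline you would read the downloaded `insecure_full.json` instead of `SAMPLE_FEED`, pass `datetime.now(timezone.utc)`, and fail the job when `stale` is true or `missing_coverage` is non-empty, so a silently frozen feed surfaces as a build failure rather than a clean scan.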

@Yenthe666

@Jwomers could I please ask for your feedback here? I really love this package, so I'm curious what the state of it is and whether it is still actively managed.

@ghost

ghost commented Mar 5, 2020

As someone working at a paying customer, we tried to get in touch with their support by email on 2020-02-13 (22 days ago) and again on 2020-02-27 after many API errors, but they never responded. It looks like the API was unable to respond (or throttled) to multiple requests within the same second, even though we have our own API key. The "solution" was to check all dependencies in a single request, but the support failure is telling.

@chezou
Author

chezou commented Mar 6, 2020

JFYI, trivy has started to move to the GitHub Advisory Database
aquasecurity/trivy#344

Personally, I migrated from safety to snyk.io.

@ghost

ghost commented Mar 9, 2020

Looks like the DB just got an update. Can we get a post mortem from the project, possibly with some assurances that the safety DB is going to continue being updated? Ideally an SLA of some sort, with some realistic numbers, so we know when the project is dead again.

@153957

153957 commented Mar 9, 2020

It got an update, but it only contains a few new vulnerabilities; it appears to be incomplete.

@Yenthe666

I actually got feedback from Justin who is one of the main people responsible for Safetydb. This was his response:

It is still being managed - we've been re-organizing our team which has meant we haven't been updating it for the last few months but we'll be back online and keeping the safety database up to date within the next few weeks.

@harlekeyn

I am writing to personally apologize and admit that the PyUp Safety database had not been updated for a couple of months. This is entirely unacceptable for a service that thousands of developers depend on for their Python projects.

This is definitely not how we like to do business. We take full responsibility for dropping the ball and for the frustrations it must have caused to all our users.

Rest assured, the database is again current and actively maintained. We have hired additional staff and are doing everything in our power to not let this happen again. We want PyUp to be an outstanding Python vulnerability scanner, backed by an accurate, complete, and up-to-date database.

PyUp remains a huge priority for our team, and we will make sure that this will never happen again.

@Yenthe666

Thanks for the clarification and the mature response @harlekeyn 🙏
I guess we can close this issue as of now. Good luck on managing safety-db, it's a great product!
