Python Project Vulnerability Tracking API

A FastAPI-based backend service for tracking and identifying vulnerabilities in Python project dependencies using the OSV.dev API.

✨ Features

  • 🔍 Vulnerability Scanning: Automatically scans Python dependencies for known vulnerabilities
  • 📦 Project Management: Create and manage multiple Python projects
  • 🔄 Caching: Intelligent caching system to optimize API response times
  • 📊 Dependency Tracking: Track dependencies across multiple projects
  • 🚨 Real-time Updates: Refresh vulnerability data on demand
  • 🛡️ Security Focus: Leverages OSV.dev's comprehensive vulnerability database

🚀 Tech Stack

  • FastAPI
  • Python 3.10+
  • HTTPX (for async requests to OSV)
  • Pytest (for unit tests)

Quick Start

📦 Installation

  1. Clone the repository:

git clone https://github.com/Sepidband/vulnerability-tracker.git
cd vulnerability-tracker

  2. Create a virtual environment and install the dependencies:

python -m venv msvenv
source msvenv/bin/activate
pip install -r requirements.txt

  3. Run the application:

uvicorn main:app --reload

The API will be available at http://localhost:8000. Uvicorn binds to 127.0.0.1 by default and --reload is a development-only option; read Security Considerations before exposing the service to other hosts.

API Documentation

Once running, visit:

  • Swagger UI: http://localhost:8000/docs
  • ReDoc: http://localhost:8000/redoc

API Endpoints

Projects

  • POST /projects - Create a new project
  • GET /projects - List all projects
  • GET /projects/{id} - Get project details
  • GET /projects/{id}/dependencies - Get project dependencies
  • POST /projects/{id}/refresh - Refresh vulnerability data

Dependencies

  • GET /dependencies - List all dependencies
  • GET /dependencies/{name}/{version} - Get dependency details

System

  • GET /health - Health check
  • GET /cache/stats - Cache statistics
  • POST /cache/clear - Clear cache

Usage Examples

Creating a Project

curl -X POST "http://localhost:8000/projects" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "My Python Project",
    "description": "A sample project for testing",
    "requirements_txt": "fastapi==0.104.1\nuvicorn==0.24.0\npydantic==2.5.0"
  }'
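The requirements_txt field carries a raw requirements.txt body, which the service has to turn into (name, version) pairs before it can ask OSV.dev about them. The parser below is an added example, not the project's own code, of how to do that strictly: it accepts only exact == pins (a per-version OSV lookup needs a concrete version), normalises names per PEP 503, tolerates comments, extras and environment markers, and reports rather than silently drops anything else, including pip directives such as -r and --index-url that a scanner must never follow. MAX_LINES and the sample input are constructed for the example.

```python
import re
from dataclasses import dataclass

# Added example, not the project's own parser. Assumption: the tracker only
# accepts exact "name==version" pins, because that is what a per-version OSV
# lookup needs; anything looser is reported back instead of silently dropped.

MAX_LINES = 2000   # assumption: bound the payload before parsing it

# One exact pin: PEP 508 name, optional extras, '==' version, optional marker.
_PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)"
    r"(?:\[[A-Za-z0-9._,\s-]*\])?"         # extras such as [standard]
    r"\s*==\s*(?P<version>[A-Za-z0-9.!+-]+)"
    r"\s*(?:;.*)?$"                        # environment marker, ignored
)


@dataclass(frozen=True)
class Pin:
    name: str       # PEP 503 normalised name
    version: str


def normalize_name(name: str) -> str:
    """PEP 503: lower-case, collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> tuple[list[Pin], list[str]]:
    """Return (pins, problems). Every non-pin line becomes a problem entry
    with its line number so the API can answer with a precise 422."""
    pins: list[Pin] = []
    problems: list[str] = []
    seen: dict[str, str] = {}
    lines = text.splitlines()
    if len(lines) > MAX_LINES:
        return [], [f"too many lines ({len(lines)} > {MAX_LINES})"]
    for lineno, raw in enumerate(lines, start=1):
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        if line.startswith("-"):                  # -r, -e, --index-url, ...
            problems.append(f"line {lineno}: pip directive not allowed: {line!r}")
            continue
        m = _PIN_RE.match(line)
        if m is None:
            problems.append(f"line {lineno}: not an exact '==' pin: {line!r}")
            continue
        name, version = normalize_name(m.group("name")), m.group("version")
        if name in seen:
            problems.append(
                f"line {lineno}: duplicate pin for {name!r} "
                f"({seen[name]} vs {version})")
            continue
        seen[name] = version
        pins.append(Pin(name, version))
    return pins, problems


# Constructed sample input covering comments, extras, markers and bad lines.
SAMPLE = """# constructed sample
fastapi==0.104.1
uvicorn[standard]==0.24.0   # extras are fine
Pydantic_Core == 2.14.5 ; python_version >= "3.8"
requests>=2.0
-r other.txt
fastapi==0.100.0
"""
```

Returning the problems list alongside the pins lets the POST /projects handler reject a body with a 422 that names the offending lines, instead of creating a project whose scan quietly covers only part of the file.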

Getting Project Vulnerabilities

curl "http://localhost:8000/projects/{project_id}"

Refreshing Vulnerability Data

curl -X POST "http://localhost:8000/projects/{project_id}/refresh"

Architecture

Core Components

  • main.py: FastAPI application and route definitions
  • models.py: Pydantic models for data structures
  • schemas.py: Request/response schemas
  • services.py: Business logic and external API integration
  • cache.py: Caching layer for performance optimization

Key Features

Intelligent Caching

  • 24-hour TTL for vulnerability data
  • Automatic cache invalidation on refresh
  • Thread-safe cache operations
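An added example (not the project's cache.py) of a cache with exactly those three properties: a default 24-hour TTL, explicit invalidation so a refresh drops stale entries, and lock-protected operations with hit/miss counters of the kind /cache/stats would report. The (package, version) key layout and the injectable clock are assumptions made so that expiry can be exercised without waiting a day.

```python
import threading
import time
from typing import Any, Callable

# Added example, not the project's cache.py. Assumptions: keys are
# (package, version) tuples and the clock is injectable for testing.

DEFAULT_TTL_SECONDS = 24 * 3600   # the README's 24-hour TTL


class TTLCache:
    def __init__(self, ttl_seconds: float = DEFAULT_TTL_SECONDS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._ttl = ttl_seconds
        self._clock = clock
        self._lock = threading.Lock()
        self._data: dict[Any, tuple[float, Any]] = {}   # key -> (expires_at, value)
        self.hits = 0
        self.misses = 0

    def get(self, key):
        """Return the cached value or None. An expired entry counts as a miss
        and is evicted on the spot so stats only describe live entries."""
        with self._lock:
            item = self._data.get(key)
            if item is None or item[0] <= self._clock():
                if item is not None:
                    del self._data[key]
                self.misses += 1
                return None
            self.hits += 1
            return item[1]

    def set(self, key, value) -> None:
        with self._lock:
            self._data[key] = (self._clock() + self._ttl, value)

    def invalidate(self, keys) -> int:
        """Drop specific entries, e.g. one project's dependencies on POST /refresh."""
        with self._lock:
            return sum(1 for k in keys if self._data.pop(k, None) is not None)

    def clear(self) -> int:
        """Everything goes; what POST /cache/clear would call."""
        with self._lock:
            n = len(self._data)
            self._data.clear()
            return n

    def stats(self) -> dict:
        with self._lock:
            now = self._clock()
            live = sum(1 for exp, _ in self._data.values() if exp > now)
            total = self.hits + self.misses
            return {"entries": live, "hits": self.hits, "misses": self.misses,
                    "hit_rate": (self.hits / total) if total else 0.0,
                    "ttl_seconds": self._ttl}


def demo() -> dict:
    """Drive the cache with a fake clock: miss, fill, hit, expire, refresh."""
    now = [0.0]
    cache = TTLCache(clock=lambda: now[0])
    key = ("fastapi", "0.104.1")
    cache.get(key)                            # miss: nothing cached yet
    cache.set(key, {"vulns": []})
    first = cache.get(key)                    # hit
    now[0] += 23 * 3600
    second = cache.get(key)                   # hit, 23 hours in
    now[0] += 2 * 3600
    third = cache.get(key)                    # miss, 25 hours in: expired and evicted
    cache.set(key, {"vulns": ["refreshed"]})
    removed = cache.invalidate([key])         # refresh path drops the entry
    return {"first": first, "second": second, "third": third,
            "removed": removed, "stats": cache.stats()}
```

Evicting on read rather than running a background sweeper keeps the cache a single lock and a dict, which is enough for an in-memory service; the counters are what makes a "24-hour TTL" claim checkable in production rather than nominal.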

Concurrent Processing

  • Each dependency is checked against OSV.dev in its own asyncio task, so lookups run in parallel rather than one after another
  • An asyncio semaphore caps the number of in-flight OSV.dev requests (MAX_CONCURRENT_REQUESTS, default 5)
  • Scan time for a project is therefore bounded by the slowest group of lookups, not the sum of all of them
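The fan-out described above, as an added example rather than the project's services.py. It issues one OSV.dev query per pinned dependency under an asyncio.Semaphore, records how many requests are actually in flight at once to prove the cap holds, and turns a failed lookup into a per-dependency error instead of aborting the whole scan. The request and response shapes are OSV.dev's public POST /v1/query contract; the fetch callable is injected so the example runs offline against a constructed fake, and the vulnerability IDs in the sample are placeholders, not real advisories.

```python
import asyncio
from dataclasses import dataclass, field
from typing import Awaitable, Callable, Optional

# Added example, not the project's own code. OSV.dev's single-package query:
#   POST https://api.osv.dev/v1/query
#   {"version": "...", "package": {"name": "...", "ecosystem": "PyPI"}}
#   -> {"vulns": [{"id": "...", ...}]}   ({} when nothing is known)
# `fetch` is injected so the demo runs offline; a real fetch would wrap
# httpx.AsyncClient.post(OSV_QUERY_URL, json=body).

OSV_QUERY_URL = "https://api.osv.dev/v1/query"
MAX_CONCURRENT = 5            # mirrors the MAX_CONCURRENT_REQUESTS default

Fetch = Callable[[dict], Awaitable[dict]]


@dataclass
class DepResult:
    name: str
    version: str
    vuln_ids: list[str] = field(default_factory=list)
    error: Optional[str] = None   # recorded, not raised: one bad query must not sink the scan


def osv_query_body(name: str, version: str) -> dict:
    return {"version": version, "package": {"name": name, "ecosystem": "PyPI"}}


async def scan(deps: list[tuple[str, str]], fetch: Fetch,
               max_concurrent: int = MAX_CONCURRENT) -> list[DepResult]:
    sem = asyncio.Semaphore(max_concurrent)

    async def one(name: str, version: str) -> DepResult:
        async with sem:                       # bounds outbound concurrency
            try:
                resp = await fetch(osv_query_body(name, version))
            except Exception as exc:          # network / HTTP / decode errors
                return DepResult(name, version, error=f"{type(exc).__name__}: {exc}")
        ids = [v["id"] for v in resp.get("vulns", []) if "id" in v]
        return DepResult(name, version, vuln_ids=ids)

    return list(await asyncio.gather(*(one(n, v) for n, v in deps)))


class FakeOSV:
    """Constructed stand-in for OSV.dev that records peak concurrency."""
    def __init__(self, table: dict[tuple[str, str], list[str]]):
        self.table = table
        self.in_flight = 0
        self.peak = 0

    async def __call__(self, body: dict) -> dict:
        self.in_flight += 1
        self.peak = max(self.peak, self.in_flight)
        try:
            await asyncio.sleep(0.01)         # simulated network latency
            key = (body["package"]["name"], body["version"])
            if key[0] == "broken-pkg":
                raise ConnectionError("simulated upstream failure")
            ids = self.table.get(key, [])
            return {"vulns": [{"id": i} for i in ids]} if ids else {}
        finally:
            self.in_flight -= 1


def demo() -> dict:
    # Constructed sample; FAKE-* IDs are placeholders, not real advisories.
    fake = FakeOSV({("pkg-a", "1.0.0"): ["FAKE-2024-0001", "FAKE-2024-0002"],
                    ("pkg-b", "2.0.0"): ["FAKE-2024-0003"]})
    deps = [("pkg-a", "1.0.0"), ("pkg-b", "2.0.0"), ("pkg-c", "3.0.0"),
            ("broken-pkg", "0.1"), ("pkg-d", "4.0.0"), ("pkg-e", "5.0.0")]
    results = asyncio.run(scan(deps, fake, max_concurrent=2))
    return {"results": results, "peak_concurrency": fake.peak}
```

Catching inside the semaphore block and returning an error record is what "graceful degradation" has to mean here: the project response still lists every dependency, with the ones OSV.dev could not be asked about marked as unknown rather than silently reported as clean.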

Robust Error Handling

  • Comprehensive exception handling
  • Graceful degradation on API failures
  • Detailed error responses

Testing

Run the test suite:

pytest tests/ -v

Test Coverage

  • Unit tests for all core components
  • Integration tests for API endpoints
  • Mock testing for external dependencies
  • Error handling scenarios

Performance Optimizations

  1. Caching: Reduces redundant API calls to OSV.dev
  2. Async Operations: Non-blocking I/O for better concurrency
  3. Batch Processing: Efficient handling of multiple dependencies
  4. Rate Limiting: Caps concurrent outbound requests so the service does not overload OSV.dev

Configuration

Environment Variables

  • CACHE_TTL_HOURS: Cache time-to-live (default: 24)
  • MAX_CONCURRENT_REQUESTS: Maximum concurrent OSV API requests (default: 5)

Customization

The application can be extended with:

  • Database persistence (replace in-memory storage)
  • Authentication and authorization
  • Webhook notifications
  • Custom vulnerability sources
  • Advanced reporting features

Security Considerations

  • All vulnerability data is sourced from OSV.dev; the service adds no findings of its own
  • Project and dependency data live only in memory (see Customization), so nothing is written to disk and a restart clears all state
  • Request bodies are validated against the Pydantic schemas in schemas.py before any lookup runs
  • The semaphore-based limit (MAX_CONCURRENT_REQUESTS) bounds outbound calls to OSV.dev; it does not throttle inbound clients
  • There is no authentication (it is listed under Customization as an extension), so POST /projects, POST /projects/{id}/refresh and POST /cache/clear can be called by anyone who can reach the port. Keep the service bound to localhost or put an authenticating proxy in front of it

Development

Project Structure

vulnerability-tracker/
├── main.py              # FastAPI application
├── models.py            # Data models
├── schemas.py           # API schemas
├── services.py          # Business logic
├── cache.py             # Caching layer
├── requirements.txt     # Dependencies
├── tests/
│   ├── __init__.py     # package marker
│   └── test_api.py     # test suite
└── README.md           # This file

Contributing

  1. Fork the repository
  2. Create a feature branch
  3. Make your changes
  4. Add tests for new functionality
  5. Ensure all tests pass
  6. Submit a pull request

Commit Message Guidelines

Use clear, descriptive commit messages:

  • feat: add new endpoint for bulk vulnerability refresh
  • fix: handle edge case in requirements.txt parsing
  • docs: update API documentation
  • test: add integration tests for dependency tracking

Changelog

Version 1.0.0

  • Initial release with core functionality
  • Project and dependency management
  • OSV.dev integration
  • Caching system
  • Comprehensive test suite
