Alec Koumjian

**Name of the Vulnerable Software and Affected Versions** safety (affected versions not specified) **Description** The command-line "safety" package for Python has a potential security issue due to two Python characteristics that allow malicious code to disguise or obfuscate other malicious or non-secure packages. This issue is considered to be of low severity because it makes use of an existing Python condition, not the Safety tool itself. It can occur when running Safety in an untrusted Python environment, from the same environment where dependencies are installed, or when installing dependencies arbitrarily or without proper verification. **Recommendations** To mitigate this issue, perform a static analysis by installing Docker and running the Safety Docker image: $ docker run --rm -it pyupio/safety check -r requirements.txt Run Safety against a static dependencies list, such as the requirements.txt file, in a separate, clean Python environment. Run Safety from a Continuous Integration pipeline. Use PyUp.io, which runs Safety in a controlled environment and checks Python for dependencies without any need to install them. Use PyUp's Online Requirements Checker.