Comment 3 for bug 2048760

Nishit Majithia (0xnishit) wrote :

I reviewed python-cssselect 1.2.0-2 as checked into noble. This shouldn't
be considered a full audit but rather a quick gauge of maintainability.

python-cssselect is a Python library to parse CSS3 selectors and translate
them to XPath 1.0 expressions. XPath 1.0 expressions can be used in lxml or
another XPath engine to find the matching elements in an XML or HTML
document.

- CVE History
  - No history and no current CVE for this package
- Build-Depends
  - python3-all, python3-lxml, python3-pytest, python3-setuptools
- pre/post inst/rm scripts
  - post-inst: byte compile python3-cssselect
  - pre-rm: removes .pyc and .pyo files for python3-cssselect
- init scripts
  - Not-available
- systemd units
  - Not-available
- dbus services
  - Not-available
- setuid binaries
  - Not-available
- binaries in PATH
  - Not-available
- sudo fragments
  - Not-available
- polkit files
  - Not-available
- udev rules
  - Not-available
- unit tests / autopkgtests
  - autopkgtests contain unit tests and they run fine
- cron jobs
  - Not-available
- Build logs
  - These warnings are generated:
```
dpkg-source: warning: extracting unsigned source package (python-cssselect_1.2.0-2.dsc)
warning: no files found matching 'py.typed'
/usr/lib/python3/dist-packages/setuptools/_distutils/cmd.py:66: SetuptoolsDeprecationWarning: setup.py install is deprecated.
dpkg-gencontrol: warning: package python3-cssselect: substitution variable ${python3:Depends} unused, but is defined
```

- Processes spawned
  - None
- Memory management
  - None
- File IO
  - Looks good
- Logging
  - Not much logging in the code, except in xpath.py where
    `warnings.warn()` is used for logging
- Environment variable usage
  - None
- Use of privileged functions
  - None
- Use of cryptography / random number sources etc
  - None
- Use of temp files
  - None
- Use of networking
  - None
- Use of WebKit
  - None
- Use of PolicyKit
  - None

- Any significant cppcheck results
  - No result
- Any significant Coverity results
  - No result
- Any significant shellcheck results
  - No result
- Any significant bandit results
  - None, looks fine
- Any significant govulncheck results
  - No result
- Any significant Semgrep results
  - No result

There are no open security issues upstream. The maintainers are not very
active in fixing open issues/enhancement PRs. Their last few commits on
the package were to add support for new Python versions. The last version
published for this package was in Oct '22. The noble release uses the latest
available version upstream.

One recommendation for the owning team is to review and fix the build
warnings. Security team ACK for promoting python-cssselect to main.
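As an added illustration of the translation step the review describes (this is not python-cssselect's code and not part of the comment above), the following toy translator turns a subset of CSS3 selectors into XPath 1.0 expressions. The one property worth checking in any such translator is shown explicitly: id, class and attribute values are always emitted as XPath string literals through a concat()-based quoting helper, because XPath 1.0 has no escape character, so a selector string that contains quotes cannot alter the structure of the generated expression. The function names (`css_to_xpath`, `xpath_literal`), the supported subset and the sample selectors are this example's own choices.

```python
"""Toy CSS3-selector -> XPath 1.0 translator (added example; not python-cssselect's code).

Covers a subset of CSS3: type selectors, #id, .class, [attr], [attr op value] with
= ~= ^= $= *=, and the descendant (' '), child ('>') and adjacent-sibling ('+')
combinators. The 'descendant-or-self::' prefix mirrors the style cssselect produces,
but the code is an independent illustration, not the library's.
"""
import re

# One simple selector: type name, #id, .class or an attribute test.
_SIMPLE = re.compile(r"""
      (?P<tag>[A-Za-z][\w-]*|\*)
    | \#(?P<id>[\w-]+)
    | \.(?P<cls>[\w-]+)
    | \[\s*(?P<attr>[A-Za-z_][\w-]*)\s*
        (?:(?P<op>[~^$*]?=)\s*(?P<val>"[^"]*"|'[^']*'|[^\s\]]+))?\s*\]
""", re.VERBOSE)

# A combinator between compound selectors: '>' or '+' (spaces optional), or bare whitespace.
_COMBINATOR = re.compile(r"\s*([>+])\s*|\s+")


def xpath_literal(value):
    """Quote value as an XPath 1.0 string literal.

    XPath 1.0 has no escape character, so a value holding both quote kinds becomes a
    concat() of safely quoted pieces. Keeping user-supplied values inside a literal is
    what prevents them from being read as XPath syntax.
    """
    if "'" not in value:
        return "'%s'" % value
    if '"' not in value:
        return '"%s"' % value
    return "concat(%s)" % ", \"'\", ".join("'%s'" % p for p in value.split("'"))


def _unquote(raw):
    """Strip the matching quotes around a CSS attribute value, if any."""
    if len(raw) >= 2 and raw[0] in "\"'" and raw[-1] == raw[0]:
        return raw[1:-1]
    return raw


def _attr_test(attr, op, val):
    """Translate one [attr op value] test into the body of an XPath predicate."""
    ref = "@" + attr
    if op is None:
        return ref                      # [attr]: the attribute merely exists
    value = _unquote(val)
    lit = xpath_literal(value)
    if op == "=":
        return "%s = %s" % (ref, lit)
    if op == "~=":                      # whitespace-separated word; also used for .class
        return "contains(concat(' ', normalize-space(%s), ' '), %s)" % (
            ref, xpath_literal(" " + value + " "))
    if op == "^=":
        return "starts-with(%s, %s)" % (ref, lit)
    if op == "$=":
        return "substring(%s, string-length(%s) - string-length(%s) + 1) = %s" % (
            ref, ref, lit, lit)
    if op == "*=":
        return "contains(%s, %s)" % (ref, lit)
    raise ValueError("unsupported attribute operator %r" % op)


def _compound(selector, pos):
    """Parse one compound selector starting at pos; return (xpath_step, end_pos)."""
    tag, predicates = None, []
    while True:
        m = _SIMPLE.match(selector, pos)
        if not m:
            break
        pos = m.end()
        if m.group("tag"):
            if tag is not None:
                raise ValueError("second type selector at position %d" % m.start())
            tag = m.group("tag")
        elif m.group("id"):
            predicates.append("@id = %s" % xpath_literal(m.group("id")))
        elif m.group("cls"):
            predicates.append(_attr_test("class", "~=", m.group("cls")))
        else:
            predicates.append(_attr_test(m.group("attr"), m.group("op"), m.group("val")))
    if tag is None and not predicates:
        raise ValueError("expected a simple selector at position %d of %r" % (pos, selector))
    return (tag or "*") + "".join("[%s]" % p for p in predicates), pos


def css_to_xpath(selector):
    """Translate a CSS selector string into an XPath 1.0 expression."""
    selector = selector.strip()
    step, pos = _compound(selector, 0)
    xpath = "descendant-or-self::" + step
    axes = {" ": "/descendant::", ">": "/", "+": "/following-sibling::*[1]/self::"}
    while pos < len(selector):
        m = _COMBINATOR.match(selector, pos)
        if not m:
            raise ValueError("unexpected %r at position %d" % (selector[pos], pos))
        combinator, pos = m.group(1) or " ", m.end()
        if pos >= len(selector):
            raise ValueError("selector ends with combinator %r" % combinator)
        step, pos = _compound(selector, pos)
        xpath += axes[combinator] + step
    return xpath


if __name__ == "__main__":
    # Constructed sample selectors; the last one carries quotes inside the value.
    for sel in ("div > p", "ul li.item", "a[href^='https://']", """input[name="x' or '1'='1"]"""):
        print("%-30s -> %s" % (sel, css_to_xpath(sel)))
```

The expressions it emits can be evaluated against a parsed document with `lxml.etree.XPath(expr)`; the real library's equivalent entry point is `cssselect.GenericTranslator().css_to_xpath(css)`, which covers the full selector grammar and whose output format this toy only approximates.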