Comment 4 for bug 1862773

Mike Salvatore (mikesalvatore) wrote :

I reviewed python-tabulate 0.8.6-0ubuntu2 as checked into focal. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

python-tabulate is both a library and a command-line utility that pretty-prints
tabular data. It is written in Python and can create tables in a wide variety
of formats.

- CVE History:
  None
- Build-Depends?
  - dh-python
  - python3-all
  - python3-nose
  - python3-setuptools
  - python3-wcwidth
- pre/post inst/rm scripts?
  None
- init scripts?
  None
- systemd units?
  None
- dbus services?
  None
- setuid binaries?
  None
- binaries in PATH?
  /usr/bin/tabulate
- sudo fragments?
  None
- polkit files?
  None
- udev rules?
  None
- unit tests / autopkgtests?
  python-tabulate provides a test suite with 83% code coverage. This test suite runs during the build.
- cron jobs?
  None
- Build logs:
  - Lintian
    W: python-tabulate source: ancient-standards-version 3.9.8 (released 2016-04-06) (current is 4.5.0)
  - Build Errors
    /usr/lib/python3.8/subprocess.py:838: RuntimeWarning: line buffering (buffering=1) isn't supported in binary mode, the default buffer size will be used
    subprocess.py is used by the test suite
- Processes spawned?
  The test suite invokes `python tabulate.py` using the subprocess module. The test suite is run during build and does not get included in the .deb.
- Memory management?
  All code is written in python.
- File IO?
  - Input and output files are specified by the user.
  - It may be possible to provide input that causes tabulate.py or the tabulate() function to crash. Code that calls tabulate() should use try/except to avoid crashes.
- Logging?
  None
- Environment variable usage?
  None
- Use of privileged functions?
  None
- Use of cryptography / random number sources etc?
  None
- Use of temp files?
  None
- Use of networking?
  None
- Use of WebKit?
  None
- Use of PolicyKit?
  None
- Any significant bandit results?
  tabulate.py:1457: B101[bandit]: LOW: Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
- Any significant Coverity results?
  Coverity was not run.

In general, the mission of python-tabulate is straightforward: take input, create table. It therefore has a very limited attack surface. The pace of development seems reasonable and, coupled with the test suite that covers 83% of the code, python-tabulate should be fairly maintainable.

Security team ACK for promoting python-tabulate to main.