Manage vulnerablities in your dependencies with an example application

See different branches for different examples

This is an example of an application which uses Thoth's recommendations to recommend a software stack for specific security requirements. The application is showing one of the Integration of Thoth using Thamos CLI.

For OpenShift s2i (Source-To-Image) examples, visit thoth-station/s2i-example repository.

Running the application

One of the integration for Thoth is Thamos. You can use Thoth's recommendation engine directly from within your terminal. First, you need to clone this example repo and install Thamos CLI:

git clone https://github.com/thoth-station/cli-examples.git && cd cli-examples
pip3 install thamos
thamos --help

The pre-configured template for Thamos CLI is available in the .thoth.yaml file:

cat .thoth.yaml

Now you are ready to ask for advises:

thamos advise

This might take some time. Once Thoth recommends you the application stack to be used for running the application, you can use Thamos to create a Python environment (based on configuration in .thoth.yaml) and install the recommended requirements into it:

thamos install

And finally, run the application:

thamos run ./game_of_life.py

To browse Thoth's logs produced during the resolution:

thamos log

About the application

The game_of_life.py program is a simple application that shows how Thamos manages known vulnerablities in the dependencies of a project. To use this example application, follow the steps mentioned above relative to the installation of the Thamos CLI and to its configuration using .thoth.yaml.

To introduce voluntarily a known vulnerability in the project, specify that you would like to add pillow version 8.0.0 in your requirements:

thamos add pillow==8.0.0

This version of pillow is known for introducing a vulnerability further described on the pypa/advisory-db repository. Thamos can also manage user requirements for dependencies using constraints files. To add pillow version 8.0.0 in your dependency requirements this way, you can simply write the package with its version into this file.

To get a stack guidance based on security, run the following command:

thamos advise --recommendation-type security

or modify the recommendation_type field to security in .thoth.yaml to set it as your default recommendation type, and simply run:

thamos advise

Thamos report should show that an error occured during the resolution process because a known vulnerability was found in pillow version 8.0.0 .

Run the example application

Now that you know how Thamos prevents the use of unsafe dependencies in your application, you can revert to another version of pillow to complete this part of the tutorial. To run the example application with the resolved dependencies, run:

thamos run ./game_of_life.py

To launch a new game with the default parameters or choose your own parameters as specified in the help section. Click on the coordinates to select your first generation of individuals and press p to see next generations.