ActiveState Platform Demo: Python Bill of Materials

By instrumenting your Python application, any stakeholder in your development process can log into the ActiveState platform to identify security and compliance issues, and take action.

  • Gain a “Bill of Materials” view of all the packages in your Python applications
  • Identify outdated packages
  • Identify how each package is licensed
  • Identify vulnerable packages

Learn more about the ActiveState Platform for Open Source Languages.


I can go and I can see all these identity Deminar. So I click on my Deminar identity and I have no warnings. It shows me all of the different files that have all the different modules, so you can see Click and ItsDangerous, Netifaces, Numpy, Pipreqs, Requests, Six – these are all the different things that are run on this Tensorflow. So I click on Tensorflow and one of the things – I didn’t get a red alert about it – but one of the things it says is, this is an out-of-date version because Tensorflow updates, like, every week. 1.9 is out, so it’s telling me the latest is 1.9. There’s no security problems with Tensorflow 1.8, but it’s giving me a heads-up that, hey, this is out of date. Notice it also gives me information about the license. It says, is an Apache License 2.0. So if your organization doesn’t want any GPL code, then you could be able to monitor and see the licenses. And like I said with the Policies module that’s evolving, you’d eventually be able to filter that stuff out.

So you can see also another report that shows me all the identities using this component. If there wasn’t a warning with this, then I’d be able to see how widespread this warning is inside my organization, and in this case there’s only the one that’s using Tensorflow. If I go back here to different identities, you can see that if we had an error – so earlier, I created a thing called BadApp. We have something that has one high severity, so we have no active session with this.  But BadApp here has a warning, and you can see that it would give us this high severity warning for Bleach 2.1.1, which is not only – you can see it’s also out of date, this little X here signifies that it’s out of date – but there’s also a CVE against that, and it has a little explanation about that CVE. It’s an issue to discover for 2.13. It’s obviously recommending that I update to 2.13 here. So we’ve got out-of-date errors, but I’ve also got high severity CVE, so you can imagine that if I had a very large application or a large organization, this gives me a dashboard, a one-stop shop to see all of the errors that we have. I can click on “Warnings” and component warnings across any of the things in my organization will show up here. Here’s my high severity Bleach one, and it’s running on BadApp.

Moving forward, as I continue to develop, I don’t have to do anything. I’ve already configured it, set it up, it’s just gonna keep working and keep checking things for me. Then, whoever’s monitoring the dashboard here is gonna be able to see these errors and see these components and see these alerts and then be able to take action based on that.

Jason