Clean Dependency Project
Fannie Mae is proud to announce the launch of the Clean Dependency Project, an open source project that supports our ongoing efforts to reduce the vulnerabilities of open source dependencies that remain without fixes.
As part of this launch, we are releasing patches to the Python package Pandas 1.5.2 to increase immunity against remote code execution attacks and limit the potential for human error. We started the Clean Dependency Project to solve the problem of open source dependencies reporting high and/or critical vulnerabilities, with CVSS scores of 9+ and no published fixes that patch these vulnerabilities. As a first step, we wanted to change these libraries to reduce their vulnerable surface area. Then we decided to take the additional step of publishing these patches publicly, allowing others to benefit from our work and share theirs as well.
This launch marks an exciting milestone for Fannie Mae’s Open Source Program Office (OSPO), which was launched in April 2021 to enhance our management of open source software. Through the work of the OSPO, we identified the opportunity to publish patches for intractable vulnerabilities, resulting in the Clean Dependency Project. This is the OSPO’s first external-facing open source project, and there are more queued up for 2023.
I would like to thank the Director of our OSPO John Mark Walker, OSPO Strategist Brittany Istenes and team for ensuring a successful launch of this project. They are an instrumental part of the launch and of seeing through the succession of the next steps.
About Pandas
Pandas, a Python package, aims to be the fundamental high-level building block for doing practical, real world data analysis in Python. Additionally, it has the broader goal of becoming the most powerful and flexible open source data analysis/manipulation tool available in any language. However, because Pandas relies on Python’s data pickling capabilities, there are scenarios where an attacker could execute code remotely. Fortunately, there are also steps a developer can take to help prevent remote code execution attacks, which requires training on best security practices.
To aid the effort of reducing the attack surface area and the potential for human error, Fannie Mae has decided to release patches for Pandas that use the find_class method of Python’s Unpickler to deny the use of classes and functions, or to allow only those specified by the developer. The patches include documentation on how to customize the list according to specific application development needs. This means that the only way Pandas can import a particular class or function during unpickling is if the developer specifically adds it to the allow list, reducing the possibility of inadvertently releasing vulnerable code.
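As an added illustration of the allow-list approach described above (example code written for this page, not Fannie Mae’s Pandas patch and not Pandas code): a loader that overrides Unpickler.find_class so that a pickle may only resolve globals named in a developer-maintained allow list. The allow list contents and the SideEffect class are constructed for the demonstration.

```python
import io
import pickle
from collections import OrderedDict

# Allow list of (module, qualified name) pairs that unpickling may resolve.
# Constructed for this example; a real application lists the types it actually stores.
ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves globals only when they appear on the allow list."""

    def find_class(self, module, name):
        # find_class is consulted for every GLOBAL/STACK_GLOBAL opcode, so this
        # is the single choke point where an imported callable can be refused.
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not on the allow list")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads that enforces the allow list."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


class SideEffect:
    """Constructed stand-in for a pickle that smuggles a callable: its pickle asks
    the loader to call builtins.print on load (harmless, but not on the allow list)."""

    def __reduce__(self):
        return (print, ("this would run during load",))


def demo():
    # Plain containers use dedicated opcodes and never reach find_class.
    plain = restricted_loads(pickle.dumps({"a": 1, "b": [1, 2, 3]}))
    # OrderedDict is serialised by global reference and is allowed.
    ordered = restricted_loads(pickle.dumps(OrderedDict(a=1)))
    # builtins.print is referenced by name and is refused before it is looked up.
    try:
        restricted_loads(pickle.dumps(SideEffect()))
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return plain, dict(ordered), blocked


if __name__ == "__main__":
    print(demo())
```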
Licensed under the BSD 3-clause open source license, this software patch is provided as is without any warranty of any sort. We think our version is more reliable, but like all software, it is by no means fail-safe.
About Yi-Lun Ding
Yilun Ding is a data scientist for Fannie Mae. He implemented this Pandas change as part of an employer supported side project. In a past career, he was familiar with JavaScript.
What’s Next?
This Pandas patch release is only the first for the Clean Dependency Project. We are looking at areas to improve vulnerabilities found in other popular dependencies with no imminent fix. We are gearing up for more library patches soon!
SOFTWARE ENGINEERING EXECUTIVE LEADER | Cloud Engineering | Enterprise Architecture | Application Development | Platform Operations and Optimizations | Data Platform
1 year
Very much like to applaud the effort and action. Way to go! We need strong and active communities to keep Open Source safe and secure.