48 most popular open source tools for Python applications, scored
Because such a large percentage of applications are made of open source components, choosing quality OSS dependencies is critical. Inside Endor Labs, you can easily compare packages you’re already using or considering; this list is a public summary of the open source tools most commonly used for Maven applications, with their Endor Scores.
Endor Scores provide a high-level, easy-to-understand metric of how well a package does based on factors such as security, activity, popularity, and code quality.
- Security: Indicates the number of security-related issues a package may have, based on known vulnerabilities, adherence to security best practices when developing code, and the results of static code analysis. Packages with lower security scores can be expected to have more security-related issues than packages with higher scores.
- Activity: Indicates the level of development activity for a package as observed through the source code management system. Packages with higher activity scores are more active and presumably better maintained than packages with lower activity scores.
- Popularity: Indicates how widely a package is used in its ecosystem by tracking both source code management system metrics (for example, the number of stars on GitHub) and the number of other packages that import it. A high popularity score indicates that the package is widely used.
- Code Quality: Indicates how well the package complies with best practices for code development and includes the results of static code analysis of that package’s source code. A package with a higher quality score has fewer code issues.
The scores for each category range from 0 to 10. A score of 5 indicates that the analysis was inconclusive and the package is rated neutral. A score above 5 indicates that the package has mostly positive factors, while a score below 5 indicates mostly negative factors. A score of 10 indicates that the package meets all the positive conditions, and a score of 0 indicates that it meets all the negative conditions.
The most commonly used Python packages among Endor Labs customers are…
The following open source Python packages are the most popular among Endor Labs customers, categorized by functionality and listed in alphabetical order. Endor Scores are a high-level metric of how well a package does based on factors such as security, activity, popularity, and code quality, and do not constitute a ranking of packages.
Networking and HTTP Clients
certifi
Certifi provides Mozilla’s Certificate Authority (CA) Bundle, which is used to verify the SSL certificates of websites. This package is commonly chosen because it helps ensure secure HTTPS connections in Python applications by using a reliable, maintained source of CA certificates.
httplib2
httplib2 is a comprehensive HTTP client library that supports many features, such as caching, persistent connections, and HTTP authentication. It's popular for applications that require more control over HTTP requests and responses than higher-level libraries like requests provide.
requests
Requests is a user-friendly HTTP library that abstracts the complexities of making HTTP requests in Python. It’s widely used for its simplicity, readability, and extensive documentation, making it a go-to choice for developers needing to interact with web services.
urllib3
urllib3 is a powerful HTTP client for Python, with features like connection pooling, client-side SSL/TLS verification, and retries. It’s favored for its robustness and is often used under the hood by other libraries like requests to handle HTTP connections efficiently.
Security and Cryptography
asn1crypto
asn1crypto is a library for parsing and serializing ASN.1 data structures in Python. It’s often used in cryptographic applications for handling certificates, keys, and other security-related data structures due to its reliability and comprehensive ASN.1 support.
cffi
cffi is a Foreign Function Interface for Python calling C code. It’s popular because it simplifies the process of interacting with C libraries from Python, providing a simple interface for binding to native libraries while still being safe and Pythonic.
cryptography
Cryptography is a robust package for cryptographic operations, offering both high-level recipes and low-level interfaces. It’s favored for its wide range of features, comprehensive documentation, and strong security practices, making it a standard choice for implementing cryptography in Python.
pyasn1
pyasn1 is a pure-Python library for ASN.1 data structures, often used in network protocols and cryptography. Its popularity stems from its flexibility in handling various ASN.1 data representations and its extensive use in security-focused Python libraries.
pyasn1-modules
pyasn1-modules extends pyasn1 with a collection of pre-built ASN.1 data structures. It’s commonly used in cryptographic and network applications where standardized data structures are needed, and it’s chosen for its ease of integration with the pyasn1 library.
pycparser
pycparser is a complete parser of the C language, written in pure Python. It's used mainly to parse C source code into an Abstract Syntax Tree (AST), making it invaluable for projects that involve analyzing or manipulating C code.
pyjwt
pyjwt is a Python library for working with JSON Web Tokens (JWT). It’s popular in web applications for securely transmitting information between parties, and it’s widely used due to its simplicity and comprehensive JWT implementation.
pyopenssl
pyOpenSSL is a Python wrapper around a subset of the OpenSSL library, enabling Python programs to perform SSL/TLS operations. It's chosen for its ability to provide a higher-level interface for secure network communications, making it easier to implement cryptographic protocols.
rsa
rsa is a pure-Python RSA implementation. It’s used for encrypting and signing data in a way that is easy to integrate into Python projects, making it a popular choice for educational purposes and lightweight cryptographic operations.
six
Six is a utility library for writing Python code that is compatible with both Python 2 and 3. It's essential for maintaining compatibility across Python versions, which makes it widely adopted in legacy codebases and libraries that aim to support both versions.
Date and Time Utilities
pytz
pytz is a library for accurate and cross-platform timezone calculations using the Olson database. It’s a popular choice for developers needing to handle timezone conversions and aware datetimes in a reliable and standard-compliant manner.
python-dateutil
python-dateutil is a powerful extension to Python’s datetime module, providing features like time zone handling, parsing, and recurring dates. It's popular for its ability to simplify complex date manipulations, making it a go-to tool for developers working with time-related data.
tzdata
tzdata provides the IANA Time Zone Database for Python. It’s used to ensure up-to-date time zone information, particularly in environments where the system’s time zone data might be outdated or unavailable, making it essential for applications with global users.
tzlocal
tzlocal is a small utility that returns the local timezone info for the host machine. It’s frequently used in applications that need to perform timezone-aware datetime operations based on the user’s local time.
Data Parsing and Processing
attrs
attrs is a Python package that simplifies writing classes by reducing boilerplate code for attribute management. It’s favored for its ease of use and flexibility, allowing developers to quickly create well-structured, readable, and maintainable classes.
charset-normalizer
charset-normalizer is a Python library for detecting and normalizing character encodings. It’s widely used in web scraping and text processing, where handling various encodings correctly is essential, and it's appreciated for its efficiency and accuracy.
idna
idna is a Python library that implements the Internationalized Domain Names in Applications (IDNA) standard. It's commonly used for processing Unicode domain names, which is important for ensuring that web addresses are correctly interpreted across different languages and scripts.
packaging
Packaging is a library that provides core utilities for Python package developers, including version handling and dependency management. It’s a popular choice among developers for ensuring that Python projects are correctly packaged and distributed.
pyparsing
pyparsing is a library for defining and executing grammars used to parse text. It’s commonly chosen for its simplicity and flexibility in creating complex parsers, which is why it’s often used in projects involving text processing or DSL (domain-specific language) implementations.
pyyaml
pyyaml is a YAML parser and emitter for Python. It’s a popular choice for configuration files and data serialization, providing a human-readable format that’s easy to edit and process within Python applications.
zipp
zipp is a simple Python utility for working with ZIP files and providing a more convenient interface to zipfile. It’s favored for its lightweight design and ease of use, making it a handy tool for developers dealing with compressed files.
Testing and Coverage
coverage
Coverage is a tool for measuring code coverage in Python programs. It’s widely used in testing frameworks to ensure that code is well-tested, providing detailed reports on which parts of the codebase are exercised by tests and which are not.
CLI and Command Line Tools
click
Click is a Python package for creating command-line interfaces (CLI). It’s widely used because of its simplicity, composability, and the robust ecosystem it offers for building and managing complex command-line utilities.
colorama
Colorama makes ANSI escape character sequences (for producing colored terminal text and cursor positioning) work in Windows as well as on other platforms. It's a popular choice for developers who want to ensure consistent terminal output across different operating systems.
docutils
Docutils is a text processing system that converts plaintext documentation into useful formats, such as HTML or LaTeX. It’s commonly used in Python documentation projects due to its integration with reStructuredText, the standard markup language for Python documentation.
futures
Futures is a backport of the concurrent.futures module from Python 3.2+ to earlier Python versions. It’s popular for enabling asynchronous programming patterns in older Python versions, providing a simple and consistent API for concurrent task execution.
greenlet
Greenlet is a Python package that provides lightweight in-process concurrency by allowing the creation of green threads (micro-threads). It’s widely used in asynchronous frameworks like gevent for managing concurrent I/O-bound tasks.
Web Development
jinja2
Jinja2 is a fast and expressive template engine for Python, widely used in web frameworks such as Flask. It’s popular for its ability to render HTML with dynamic data, offering an easy-to-use syntax that integrates seamlessly with Python.
markupsafe
MarkupSafe is a Python library that implements a string subclass for safe handling of HTML and XML data. It's commonly used in web frameworks like Flask to prevent cross-site scripting (XSS) attacks by ensuring that data is properly escaped.
werkzeug
Werkzeug is a comprehensive WSGI web application library. It's popular for its flexibility and rich feature set, making it the underlying foundation for many Python web frameworks, including Flask.
Database Interaction
psycopg2-binary
psycopg2-binary is a PostgreSQL adapter for Python, enabling Python programs to interact with PostgreSQL databases. It’s widely chosen for its performance, stability, and the fact that it provides a complete implementation of the Python DB API 2.0.
sqlalchemy
SQLAlchemy is the Python SQL toolkit and Object-Relational Mapping (ORM) library. It’s popular for its flexibility in database interaction, offering both a high-level ORM for easy database manipulation and a low-level SQL expression language for complex queries.
Serialization and Protocol Buffers
google-api-core
google-api-core is a set of core libraries for Google's Python API client. It’s commonly used for interacting with Google Cloud services, providing standardized methods for making API requests and handling responses.
google-auth
Google Auth is a Python library for handling authentication with Google APIs. It’s popular because it simplifies the process of obtaining and managing OAuth2 credentials, making it easier to authenticate with Google services securely.
googleapis-common-protos
googleapis-common-protos provides Python libraries for common Google API proto files. It’s used in conjunction with Google Cloud services and is chosen for its ability to streamline the integration of Google API protocols into Python projects.
protobuf
Protobuf is a protocol buffer library for Python, used for serializing structured data. It’s popular for its efficiency and cross-platform compatibility, making it a standard choice for data serialization in network communication and storage.
Miscellaneous Utilities
botocore
Botocore is a low-level core component of the Boto3 library, providing the necessary functionality for making AWS API calls. It’s essential for interacting with AWS services, and is favored for its comprehensive coverage of AWS APIs.
dataclasses
Dataclasses is a Python module that provides a decorator and functions for automatically adding generated special methods to user-defined classes. It’s commonly used for reducing boilerplate code and is especially popular in Python 3.7+.
importlib-metadata
importlib-metadata is a library that provides access to Python package metadata. It’s often used in packaging and distribution to query installed package details, and it’s popular for its integration with Python’s import system.
importlib-resources
importlib-resources is a Python library that provides a way to access resources within packages. It’s commonly used for handling package data files, ensuring that resources are accessible regardless of how a package is deployed.
jmespath
JMESPath is a Python library for searching and transforming JSON documents. It’s popular for its simplicity and power in querying JSON data, making it a valuable tool for developers working with APIs and complex JSON structures.
setuptools
Setuptools is a Python package that facilitates the packaging, distribution, and installation of Python projects. It’s a critical tool in the Python ecosystem, widely adopted for managing project dependencies and distribution.
Machine Learning and Data Analysis
numpy
Numpy is the fundamental package for numerical computing in Python, providing support for arrays, matrices, and a wide range of mathematical functions. It’s the foundation of most scientific computing in Python and is popular for its performance and versatility.
pydantic
Pydantic is a data validation and settings management library for Python, using Python's type annotations. It's popular for its ability to parse and validate complex data structures, making it a powerful tool in modern Python applications, particularly in web development and API design.
Best practices for selecting open source tools for your Python application
In this tutorial, we demonstrate how you can use Endor Labs' DroidGPT feature to quickly and easily research open source software (OSS) packages in a conversational manner. DroidGPT combines the power of ChatGPT and Endor Labs' proprietary risk data. Ask questions like "what are the best logging packages for Java" and receive instant answers. All results are overlaid with risk scores revealing the quality, popularity, trustworthiness, and security of each package.