Support for Python 3

[jhg]

https://wiki.python.org/moin/Python2orPython3

Support for Python 3.

[jbremer]

I'm not sure if we have people that care about Python3 support - I don't.

[KillerInstinct]

I don't either, but as a long term project, Python2 will eventually depricate.

[jbremer]

Personally doubt it :p

[botherder]

Currently very unlikely that we'll port to Python 3 any time soon. Closing until this becomes a realistic opportunity.

[csala]

Is this realistic enough?

https://pythonclock.org/

[csala]

Now, seriously, are there any plans regarding python 3 compatibility? It would be interesting to not have cuckoo staying behind on this.

[jbremer]

This is on our longterm roadmap - we've already started to port some of our libraries that are used by Cuckoo to be Python 3-compatible (e.g., https://github.com/jbremer/sflock, https://github.com/jbremer/roach) and most of our external dependencies are Python 3-compatible already.

Unfortunately Cuckoo becoming both Python 2 and Python 3 compatible (my personal preference for now) is a long development plan requiring lots of manual testing and new unit tests for all the code paths that are currently not tested. Otherwise we'll get daily reports of str vs bytes problems ;-)

Concluding: yes, but will take some time still.. unless somebody would like to donate resources in terms of time or money to sponsor such development.

[csala]

Great! Thanks for the response! Perhaps it would be a good idea to reopen this issue to let people know that there is work in progress.

[jbremer]

Sure, I guess ;-)

[blshkv]

https://github.com/hatching/httpreplay/issues/19

[LetMeR00t]

Hi, Another proof that we need Python3 support (this happened when I run pip2) : DEPRECATION: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date. A future version of pip will drop support for Python 2.7.

[LetMeR00t]

Hi @jbremer , Do you have an idea of which dependencies need to be supported to Python3 ? Once we know that all dependencies are supported, we could start migrate to Python3 Thank you

[LetMeR00t]

Oh, here is the answer :) :

Dependency (current used release)	Current version is Python2/3 compatible	Last release => Python3 supported ?
alembic==0.8.8	Yes	Yes, last release 1.0.9
androguard==3.0.1	Unknown	Yes, last release 3.3.5
beautifulsoup4==4.5.3	Yes	Yes, last release 4.7.1
chardet==2.3.0	Yes	Yes, last release 3.0.4
click==6.6	Yes	Yes, last release 7.0
django==1.8.4	Yes	Yes, last release 2.2
django_extensions==1.6.7	Yes	Yes, last release 2.1.6
dpkt==1.8.7	Yes	Yes, last release 1.9.2
egghatch>=0.2.3, <0.3	No	Yes shortly (I hope) : https://github.com/hatching/egghatch/pull/2
elasticsearch==5.3.0	Yes	Yes, last release (if we keep the v5) 5.5.5
flask==0.12.2	Yes	Yes , last release 1.0.2
flask-sqlalchemy==2.1	Yes	Yes, last release 2.4.0
httpreplay>=0.2.4, <0.3	No (new PR will be only Python3)	Yes shortly (I hope) : https://github.com/hatching/httpreplay/pull/25
jinja2==2.9.6	Yes	Yes, last release 2.10.1
jsbeautifier==1.6.2	Unknown	Seems to be, last release is 1.9.1, I assume yes because the last release is recent
oletools==0.51	Yes	Yes, last release 0.54.1
peepdf>=0.4.2, <0.5	No	Seems to be, not sure
pefile2==1.2.11	Yes	Seems to be, last release is recent, it seems to be this repository : https://github.com/erocarrera/pefile
pillow==3.2	Yes	Yes, last release is 6.0.0
pyelftools==0.24	Yes	Yes, last release is 0.25
pyguacamole==0.6	Yes	Yes, last release is 0.8
pymisp==2.4.103	Yes	Yes, last release is 2.4.103 (enjoy, nothing to do)
pymongo==3.0.3	Yes	Yes, last release is 3.8.0
python-dateutil==2.4.2	Yes	Yes, last release is 2.8.0
python-magic==0.4.12	Yes	Yes, last release is 0.4.15
roach>=0.1.2, <0.2	No (new PR will be Python2/3 compatible)	Yes shortly (I hope) : https://github.com/hatching/roach/pull/7
sflock>=0.3.8, <0.4	Yes	Yes, last release is 0.3.9
sqlalchemy==1.0.8	Yes	Yes, last release is 1.3.3
unicorn==1.0.1	Yes	Yes, last release is 1.0.1
wakeonlan==0.2.2	Yes (Python3.2)	Yes, last release is 1.1.6
yara-python==3.6.3	Yes	Yes, last release is 3.9.0
requests==2.13.0	Yes	Yes, last release is 2.21.0
scapy==2.3.2	Unknown	Yes, last release is 2.4.2
gevent==1.1.1	Yes	Yes, last release is 1.4.0
psycopg2==2.6.2	Yes	Seems to be, not sure : https://pypi.org/project/psycopg2/
weasyprint==0.36	Yes	Yes, last release is 47 (One year development since)

=> Current version is Python2/3 compatible : No need to update, or few fixes :) I think that the migration should be first to Python3.4, maybe Python3.5

[EDIT] 3 i'm not sure 3 soon (my PRs) :)

[jaredthecoder]

Where does this issue stand? @LetMeR00t has open PRs on the unsupported libraries. It has been 2 months. We're less than 6 months from Python 2 EOL across the board.

Cuckoo Sandbox is the only open-source, commercially competitive tool for sandboxing; this project needs to stay alive. The only non-compatible libraries are the ones written by a single GitHub organization (github.com/hatching). Additionally, there isn't a reason to keep support for Python 2, especially because mitmproxy won't work with it on the latest version. Why make it compatible with Python 2, when in 6 months people can't use this software for any project that they're not okay getting wrecked with a Python 2 zero-day.

IMO (and I'm sure of many others as well if they realized the full problem), Python 3 should be the only priority until its implemented. Non-critical bugs and stability issues (like rewriting the results processor in the 2.0.7 release) make zero sense when Cuckoo will be unusable for any company or person that only uses officially supported software (here, Python is the underlying foundation that won't be supported for version 2).

I see Cuckoo up there with projects like Tensorflow, Requests, and similar major players, and they all moved to Python 3 long ago: https://python3statement.org/.

[SparkyNZL]

Hi Jared,

I dont think you will find much argument here. I too am concerned that this is going to go to the wayside. There are a number of concerning vulnerabilities in Cuckoo as it currently stands "Python, and ES" being two.

There is nothing stopping people from forking it, but it would require a large investment in time to get the architecture under their belt.

Im pretty saddened that its got to this point, ive been a cuckoobox user since about 2010 and while i do understand that if you are going to do this full time you need an income, its also important to understand that many many people have contributed to the project as well.

On Thu, Jul 4, 2019 at 9:05 AM Jared M. Smith notifications@github.com wrote:

Where does this issue stand? @LetMeR00t https://github.com/LetMeR00t has open PRs on the unsupported libraries. It has been 2 months. We're less than 6 months from Python 2 EOL across the board.

Cuckoo Sandbox is the only open-source, commercially competitive tool for sandboxing; this project needs to stay alive. The only non-compatible libraries are the ones written by a single GitHub organization ( github.com/hatching). Additionally, there isn't a reason to keep support for Python 2, especially because mitmproxy won't work with it on the latest version. Why make it compatible with Python 2, when in 6 months people can't use this software for any project that they're not okay getting wrecked with a Python 2 zero-day.

IMO (and I'm sure of many others as well if they realized the full problem), Python 3 should be the only priority until its implemented. Non-critical bugs and stability issues (like rewriting the results processor in the 2.0.7 release) make zero sense when Cuckoo will be unusable for any company or person that only uses officially supported software (here, Python is the underlying foundation that won't be supported for version 2).

I see Cuckoo up there with projects like Tensorflow, Requests, and similar major players, and they all moved to Python 3 long ago: https://python3statement.org/.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/cuckoosandbox/cuckoo/issues/594?email_source=notifications&email_token=AEH6FGG3GJF5J52ICABZ3TTP5UIDNA5CNFSM4BJ6ZT62YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODZFVUPA#issuecomment-508254780, or mute the thread https://github.com/notifications/unsubscribe-auth/AEH6FGBXHNLEYOELL4UHVGTP5UIDNANCNFSM4BJ6ZT6Q .

[wroersma]

It's being worked on and it's something the cuckoo developers are well aware of. Making posts like this does little to add to the conversation or help in any way.

It's actually ultra toxic and doesn't really inspire motivation to spend free time helping people that can't help themselves.

Even if cuckoo fully supported 3 volatility and many other projects still don't. I have cuckoo mostly working in python 3 with only a few bugs to finish out. Though it will only be useful when major libraries it uses also move to python 3.

On Thu, Jul 4, 2019, 3:30 PM SparkyNZL notifications@github.com wrote:

Hi Jared,

I dont think you will find much argument here. I too am concerned that this is going to go to the wayside. There are a number of concerning vulnerabilities in Cuckoo as it currently stands "Python, and ES" being two.

There is nothing stopping people from forking it, but it would require a large investment in time to get the architecture under their belt.

Im pretty saddened that its got to this point, ive been a cuckoobox user since about 2010 and while i do understand that if you are going to do this full time you need an income, its also important to understand that many many people have contributed to the project as well.

On Thu, Jul 4, 2019 at 9:05 AM Jared M. Smith notifications@github.com wrote:

Where does this issue stand? @LetMeR00t https://github.com/LetMeR00t has open PRs on the unsupported libraries. It has been 2 months. We're less than 6 months from Python 2 EOL across the board.

Cuckoo Sandbox is the only open-source, commercially competitive tool for sandboxing; this project needs to stay alive. The only non-compatible libraries are the ones written by a single GitHub organization ( github.com/hatching). Additionally, there isn't a reason to keep support for Python 2, especially because mitmproxy won't work with it on the latest version. Why make it compatible with Python 2, when in 6 months people can't use this software for any project that they're not okay getting wrecked with a Python 2 zero-day.

IMO (and I'm sure of many others as well if they realized the full problem), Python 3 should be the only priority until its implemented. Non-critical bugs and stability issues (like rewriting the results processor in the 2.0.7 release) make zero sense when Cuckoo will be unusable for any company or person that only uses officially supported software (here, Python is the underlying foundation that won't be supported for version 2).

I see Cuckoo up there with projects like Tensorflow, Requests, and similar major players, and they all moved to Python 3 long ago: https://python3statement.org/.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub < https://github.com/cuckoosandbox/cuckoo/issues/594?email_source=notifications&email_token=AEH6FGG3GJF5J52ICABZ3TTP5UIDNA5CNFSM4BJ6ZT62YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODZFVUPA#issuecomment-508254780 , or mute the thread < https://github.com/notifications/unsubscribe-auth/AEH6FGBXHNLEYOELL4UHVGTP5UIDNANCNFSM4BJ6ZT6Q

.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/cuckoosandbox/cuckoo/issues/594?email_source=notifications&email_token=ABGVQIUPGAFN7FF7LTRAVF3P5ZTWTA5CNFSM4BJ6ZT62YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODZIE6KA#issuecomment-508579624, or mute the thread https://github.com/notifications/unsubscribe-auth/ABGVQIQGM4IJOMXHTCOLY53P5ZTWTANCNFSM4BJ6ZT6Q .

[jaredthecoder]

What’s toxic is not informing those of us that depend on this system what the state of development is. I’m super glad that Python 3 is a priority. But not informing us is exactly what causes me to post these kinds of requests.

You have to remember that the people that use Cuckoo are not just independent individuals, but entire companies that depend on it (which is where I come from). Though I wish we could support it officially, we don’t have the ability to do so. To that end, that’s why I’m asking if this is still a priority two months after the last comment as made on this post.

[SparkyNZL]

I think you have mis-understood things here. I don't think anyone is as you put it "Toxic" its about having an adult conversation about this. I think you would also find there are many many people willing to help address the issues.

On Fri, Jul 5, 2019 at 11:16 AM Wyatt Roersma notifications@github.com wrote:

It's being worked on and it's something the cuckoo developers are well aware of. Making posts like this does little to add to the conversation or help in any way.

It's actually ultra toxic and doesn't really inspire motivation to spend free time helping people that can't help themselves.

Even if cuckoo fully supported 3 volatility and many other projects still don't. I have cuckoo mostly working in python 3 with only a few bugs to finish out. Though it will only be useful when major libraries it uses also move to python 3.

On Thu, Jul 4, 2019, 3:30 PM SparkyNZL notifications@github.com wrote:

Hi Jared,

I dont think you will find much argument here. I too am concerned that this is going to go to the wayside. There are a number of concerning vulnerabilities in Cuckoo as it currently stands "Python, and ES" being two.

There is nothing stopping people from forking it, but it would require a large investment in time to get the architecture under their belt.

Im pretty saddened that its got to this point, ive been a cuckoobox user since about 2010 and while i do understand that if you are going to do this full time you need an income, its also important to understand that many many people have contributed to the project as well.

On Thu, Jul 4, 2019 at 9:05 AM Jared M. Smith notifications@github.com wrote:

Where does this issue stand? @LetMeR00t https://github.com/LetMeR00t has open PRs on the unsupported libraries. It has been 2 months. We're less than 6 months from Python 2 EOL across the board.

Cuckoo Sandbox is the only open-source, commercially competitive tool for sandboxing; this project needs to stay alive. The only non-compatible libraries are the ones written by a single GitHub organization ( github.com/hatching). Additionally, there isn't a reason to keep support for Python 2, especially because mitmproxy won't work with it on the latest version. Why make it compatible with Python 2, when in 6 months people can't use this software for any project that they're not okay getting wrecked with a Python 2 zero-day.

IMO (and I'm sure of many others as well if they realized the full problem), Python 3 should be the only priority until its implemented. Non-critical bugs and stability issues (like rewriting the results processor in the 2.0.7 release) make zero sense when Cuckoo will be unusable for any company or person that only uses officially supported software (here, Python is the underlying foundation that won't be supported for version 2).

I see Cuckoo up there with projects like Tensorflow, Requests, and similar major players, and they all moved to Python 3 long ago: https://python3statement.org/.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <

https://github.com/cuckoosandbox/cuckoo/issues/594?email_source=notifications&email_token=AEH6FGG3GJF5J52ICABZ3TTP5UIDNA5CNFSM4BJ6ZT62YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODZFVUPA#issuecomment-508254780

, or mute the thread <

https://github.com/notifications/unsubscribe-auth/AEH6FGBXHNLEYOELL4UHVGTP5UIDNANCNFSM4BJ6ZT6Q

.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub < https://github.com/cuckoosandbox/cuckoo/issues/594?email_source=notifications&email_token=ABGVQIUPGAFN7FF7LTRAVF3P5ZTWTA5CNFSM4BJ6ZT62YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODZIE6KA#issuecomment-508579624 , or mute the thread < https://github.com/notifications/unsubscribe-auth/ABGVQIQGM4IJOMXHTCOLY53P5ZTWTANCNFSM4BJ6ZT6Q

.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/cuckoosandbox/cuckoo/issues/594?email_source=notifications&email_token=AEH6FGDIZ66FGRWX76RRYE3P52AFDA5CNFSM4BJ6ZT62YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODZIHIKQ#issuecomment-508589098, or mute the thread https://github.com/notifications/unsubscribe-auth/AEH6FGCMWUN6UZCDACS7FGTP52AFDANCNFSM4BJ6ZT6Q .

[blshkv]

@jaredthecoder Disclaimer: I'm not involved in this project. I totally understand your frustration but is very common with any open source projects. You will get a frustrated reply from developers that they are not getting paid and so on. But it was company decision to use this project accepting all risks. So now, since it is important for you, there are multiple options available to make it kicking. You can make an arrangement and donate/pay to authors for this bug to be resolved. You can fork this project and fix it yourself or hire programmers to do it for you.

@wroersma You have created something useful during your free time. There is no point replying in toxic way too. Github introduced an interesting initiative https://github.com/sponsors. You might want to think how to get paid for doing what you like.

[rhertzog]

Hello everybody, as a Debian and Kali packager, I'm super interested in having a python 3 version of cuckoo. Is the python 3 port happening privately or in some public branch? Or is the master branch getting compatible with py2 and py3 at the same time?

FWIW, volatility3 is out and supports Python 3: https://github.com/volatilityfoundation/volatility3

[noraj]

:clock10: We are in 2020 and python 2 is deprecated now https://www.python.org/doc/sunset-python-2/

We have decided that January 1, 2020, will be the day that we sunset Python 2. That means that we will not improve it anymore after that day, even if someone finds a security problem in it. You should upgrade to Python 3 as soon as you can.

Python 2 was dead for years, but now it is officially really dead :laughing:

[nscaife]

Just dropping a note to say that I was not able to get Cuckoo to work on Ubuntu 20.04 with KVM. I can install and use Cuckoo in Python 2.7, but the current libvirt requires python-libvirt>=6.0.0, which does not support Python 2.7.

[blshkv]

Somebody suggested https://github.com/kevoreilly/CAPEv2/ in our tracker

[benignbala]

@wroersma - Do you think some of us can be of help in your efforts to getting this to be py3 compatible ? I see that you have said that you have got this mostly working. So wondering if some additional help would be of use to you. Thanks

[wroersma]

@benignbala So I have the front end converted to python 3 with a lot of changes here https://github.com/AUCR/cuckoo_plugin the actual python3 version I should release at some point here in a fork of cuckoo https://github.com/AUCR/cuckoo Really I was pretty close and just lost passion for working on any open source projects. If you want to help still lmk I could attempt to make it so I can have help. In the past, any offered help just ends up in more work splitting things up just to not have anyone help with anything.

[mrtnrdl]

@wroersma I'd be interested in helping you - if @benignbala would also be up to it even better.