Chaffelson / nipyapi

A convenient Python wrapper for Apache NiFi

vulnerabilities in future 0.18.2 #323

Open davis-anthony opened 1 year ago

davis-anthony commented 1 year ago

Description

Vulnerability outlined in CVE-2022-40899. Unfortunately it looks like that project is dead and will likely not be updated. This will need to be dropped as a dependency and use of future refactored to some other component.

What I Did

Including the dependency for nipyapi 0.19.1 in my local project and running it through OWASP results in a failure due to the dependency on future 0.18.2. If I exclude this dependency, I get a build failure with a reference to this CVE:

https://nvd.nist.gov/vuln/detail/CVE-2022-40899

Urgency

This blocks our build pipelines and poses a security risk in our production environment.

ottobackwards commented 1 year ago

It doesn't look to me that future is maintained anymore. Here is the PR to fix it: https://github.com/PythonCharmers/python-future/pull/610.

One option that comes to mind for me would be:

Chaffelson commented 8 months ago

I see that the patched version of future was created as 0.18.3. We have been testing with it for several releases, but I will explicitly set it as a requirement in the next release.
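The check a downstream consumer of nipyapi can run before a scanner does: does a requirements file or `pip freeze` output still admit a `future` release older than the fix? The script below is an added example, not code from the nipyapi project or from anyone in this thread. It assumes, following the last comment, that 0.18.3 is the first release carrying the fix for CVE-2022-40899, uses only the standard library (no `packaging`), and the requirements text it scans is constructed for illustration, not any real project's file. It deliberately looks only at the lower bound of each specifier, because that is what decides whether a resolver may still pick 0.18.2.

```python
import re

# First future release the maintainer cites as carrying the fix (assumption
# taken from the thread, not verified against PyPI here).
PATCHED_FUTURE = "0.18.3"

_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")
_CLAUSE_RE = re.compile(r"(==|!=|~=|<=|>=|<|>)\s*(.+)$")


def parse_version(v):
    """Turn a dotted version ('0.18.2') into a comparable tuple of ints.
    Only the leading digits of each segment are kept, so '0.18.3rc1'
    compares as 0.18.3; pre/post-release ordering is not modelled."""
    return tuple(int(re.match(r"\d*", part).group() or 0)
                 for part in v.strip().split("."))


def version_lt(a, b):
    """True if a < b, zero-padding the shorter tuple so 0.18 == 0.18.0."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def parse_requirement(line):
    """Split one requirements.txt / pip-freeze line into
    (normalised name, [(operator, version), ...]).
    Returns None for blank lines, comments and pip options ('-r base.txt')."""
    line = line.split("#", 1)[0].split(";", 1)[0].strip()  # drop comment, env marker
    if not line or line.startswith("-"):
        return None
    m = _REQ_RE.match(line)
    if not m:
        return None
    name = re.sub(r"[-_.]+", "-", m.group(1)).lower()  # PEP 503 style normalisation
    specs = []
    for clause in m.group(3).split(","):
        cm = _CLAUSE_RE.match(clause.strip())
        if cm:
            specs.append((cm.group(1), cm.group(2).strip()))
    return name, specs


def admits_vulnerable(specs, patched=PATCHED_FUTURE):
    """True if the specifier set still permits a release older than `patched`.
    Only the lower bound matters: '==X', '>=X' and '~=X' put the floor at X;
    '>X' is treated conservatively as '>=X' (so '>0.18.2' is flagged although
    pip would not select 0.18.2 for it); '<', '<=' and '!=' alone leave the
    floor open, as does an unpinned name."""
    floors = [v for op, v in specs if op in ("==", ">=", "~=", ">")]
    if not floors:
        return True
    return version_lt(max(floors, key=parse_version), patched)


def audit_requirements(text, package="future", patched=PATCHED_FUTURE):
    """Return the lines that pin `package` to a range still admitting a
    pre-fix release. Lines for other packages are ignored."""
    findings = []
    for raw in text.splitlines():
        parsed = parse_requirement(raw)
        if parsed is None or parsed[0] != package:
            continue
        if admits_vulnerable(parsed[1], patched):
            findings.append(raw.strip())
    return findings


# Constructed sample, not any real project's file: the pins a scanner flags
# next to the explicit lower bound the maintainer describes adding.
SAMPLE_REQUIREMENTS = """\
# transitive pin as it appears in a pip freeze of an affected environment
future==0.18.2
nipyapi>=0.19.1
future   # unpinned: the resolver may still choose 0.18.2
Future >= 0.18.3  ; python_version >= "3.6"
requests>=2.28
"""

if __name__ == "__main__":
    for line in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"CVE-2022-40899: still admits future < {PATCHED_FUTURE}: {line!r}")
```

Run it against `pip freeze > frozen.txt` output in a CI step and fail the build on any finding; the same function accepts a library's own `requirements.txt`, so a consumer can confirm a release pins `future>=0.18.3` before upgrading. The `>X` handling is intentionally conservative: a false positive on an unusual exclusive lower bound costs a moment of review, a false negative ships the vulnerable release.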