GSA / data.gov

Main repository for the data.gov service
https://data.gov

SNYK finding: SNYK-PYTHON-CRYPTOGRAPHY-7161587 #4781

Closed FuhuXia closed 1 week ago

FuhuXia commented 3 weeks ago

Date of report: 2024-05-29
Severity: HIGH
Due date: 2024-06-29

Due date is based on severity and described in RA-5: 15 days for Critical, 30 days for High, and 90 days for Moderate and lower.

* When a finding is identified, we create two issues. One to address the specific instance identified in the report. The other is to identify and address all other occurrences of this vulnerability within the application.

Brief description

SNYK-PYTHON-CRYPTOGRAPHY-7161587 found in catalog.data.gov

FuhuXia commented 3 weeks ago

Snyk rates the severity HIGH, but the OpenSSL advisory marks it low, stating that the function SSL_free_buffers is rarely used.

hkdctol commented 3 weeks ago

Clarify that it's actually low impact? Requires some research to confirm we don't have to address it.

Jin-Sun-tts commented 1 week ago

Searched the source code but did not find any references to the function SSL_free_buffers.

Added a test-ssl option to the Makefile to check for potential future use of this function.
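The check described in the comments above (grep the code base for SSL_free_buffers and fail if it ever shows up), written out as an added example. This is not code from the data.gov repository or from its test-ssl Makefile target; it is a stand-alone Python script that scans a directory tree for a symbol name, reports text hits with line numbers, flags binary files (such as the OpenSSL shared object bundled in a cryptography wheel) separately, and optionally asks the installed cryptography package whether its CFFI binding exposes the function at all. The skip list, the sample tree built in a temp directory, and the `binding_exposes` probe are all assumptions made for the example.

```python
"""Scan a source tree for references to an OpenSSL symbol (added example, not project code)."""
import os
import tempfile
from pathlib import Path

# Assumed directories to skip; adjust for the real tree.
SKIP_DIRS = {".git", ".tox", "node_modules", "__pycache__"}


def _is_binary(data: bytes) -> bool:
    """Heuristic: a NUL byte in the first 8 KiB means the file is not text."""
    return b"\x00" in data[:8192]


def find_symbol_references(root, symbol, skip_dirs=SKIP_DIRS):
    """Return [(relative_path, line_no, line_text)] for every file under root that mentions symbol.

    Text files yield one entry per matching line. Binary files (e.g. a bundled libssl .so)
    are searched as bytes and reported once with line_no 0: a hit there only shows the
    function is linked in, not that anything calls it.
    """
    root = Path(root)
    needle = symbol.encode()
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune skipped directories in place so os.walk never descends into them.
        dirnames[:] = sorted(d for d in dirnames if d not in skip_dirs)
        for name in sorted(filenames):
            path = Path(dirpath) / name
            try:
                data = path.read_bytes()
            except OSError:
                continue
            if needle not in data:
                continue
            rel = path.relative_to(root).as_posix()
            if _is_binary(data):
                hits.append((rel, 0, "<binary file contains symbol name>"))
                continue
            text = data.decode("utf-8", errors="replace")
            for no, line in enumerate(text.splitlines(), 1):
                if symbol in line:
                    hits.append((rel, no, line.strip()))
    return hits


def binding_exposes(symbol):
    """Report whether the installed cryptography package's CFFI binding exposes `symbol`.

    Returns None when cryptography (or its Binding class) cannot be loaded.
    Assumption: the binding's `lib` object raises AttributeError for functions it does not expose,
    so hasattr() is a reliable probe. If the function is not exposed, Python code using
    cryptography cannot reach it, whatever the bundled OpenSSL contains.
    """
    try:
        from cryptography.hazmat.bindings.openssl.binding import Binding
        return hasattr(Binding().lib, symbol)
    except Exception:
        return None


def build_sample_tree():
    """Constructed sample tree (not the real catalog.data.gov code) to run the scan offline:
    a Python file with no reference, a markdown note that mentions the function, a .git
    directory that must be skipped, and a fake shared object that contains the symbol name."""
    root = Path(tempfile.mkdtemp(prefix="ssl-scan-"))
    (root / "ckanext" / "plugin").mkdir(parents=True)
    (root / "ckanext" / "plugin" / "tls.py").write_text(
        "import ssl\n\ndef make_context():\n    return ssl.create_default_context()\n"
    )
    (root / "ckanext" / "plugin" / "notes.md").write_text(
        "# TLS notes\nWe never call SSL_free_buffers directly.\n"
    )
    (root / ".git").mkdir()
    (root / ".git" / "packed").write_text("SSL_free_buffers\n")
    (root / "vendor").mkdir()
    (root / "vendor" / "libfake.so").write_bytes(b"\x7fELF\x00\x00SSL_free_buffers\x00")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    hits = find_symbol_references(root, "SSL_free_buffers")
    for rel, no, text in hits:
        print(f"{rel}:{no}: {text}")
    print("cryptography binding exposes SSL_free_buffers:", binding_exposes("SSL_free_buffers"))
    # Fail (non-zero exit, suitable for a make target) only on hits in text files;
    # a bundled binary containing the name is expected and not a call site.
    raise SystemExit(1 if any(no > 0 for _, no, _ in hits) else 0)
```

Pointed at the real checkout instead of the sample tree, the script exits non-zero on any text-file mention of the symbol, which is what a Makefile target guarding against future use needs; comments and docs count as hits too, so expect to whitelist or reword those rather than silently exclude file types.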