IBM / ibm-cos-sdk-python

Apache License 2.0

certifi-2022.9.24 package vulnerability(CVE high) linked to ibm-cos-sdk 2.12.0 #54

Closed ShilpaJalaja closed 1 year ago

ShilpaJalaja commented 1 year ago

Hi team, we are using the latest version of ibm-cos-sdk python in our app. A CVE has been reported on certifi-2022.9.24, which is used by ibm-cos-sdk 2.12.0. CVE URL: https://www.mend.io/vulnerability-database/CVE-2022-23491 Request you to kindly fix it at your end, so that we can pull a non-vulnerable version of ibm-cos-sdk python.

IBMalok commented 1 year ago

@ShilpaJalaja - 1. ibm-cos-sdk's latest version is 2.12.2.

2. certifi is a transitive dependency, and the chain goes ibm-cos-sdk -> ibm-cos-sdk-core -> requests -> certifi. There is no direct dependency on certifi in ibm-cos-sdk; it always takes the latest package of requests -> certifi, in this case requests-2.28.2 and certifi-2022.12.7. I did install it, and this is the output.

alokmgr@Aloks-MacBook-Pro all-repo % pip show certifi
WARNING: Package(s) not found: certifi
alokmgr@Aloks-MacBook-Pro all-repo % pip show requests
WARNING: Package(s) not found: requests
alokmgr@Aloks-MacBook-Pro all-repo % pip show ibm-cos-sdk
WARNING: Package(s) not found: ibm-cos-sdk
alokmgr@Aloks-MacBook-Pro all-repo % pip show ibm-cos-sdk-core
WARNING: Package(s) not found: ibm-cos-sdk-core
alokmgr@Aloks-MacBook-Pro all-repo % pip show ibm-cos-sdk-s3transfer
WARNING: Package(s) not found: ibm-cos-sdk-s3transfer

alokmgr@Aloks-MacBook-Pro all-repo % pip install ibm-cos-sdk
DEPRECATION: Configuring installation scheme with distutils config files is deprecated and will no longer work in the near future. If you are using a Homebrew or Linuxbrew Python, please see discussion at https://github.com/Homebrew/homebrew-core/issues/76621
Collecting ibm-cos-sdk
  Using cached ibm_cos_sdk-2.12.2-py3-none-any.whl
Requirement already satisfied: jmespath<1.0.1,>=0.10.0 in /usr/local/lib/python3.9/site-packages (from ibm-cos-sdk) (0.10.0)
Collecting ibm-cos-sdk-s3transfer==2.12.2
  Using cached ibm_cos_sdk_s3transfer-2.12.2-py3-none-any.whl
Collecting ibm-cos-sdk-core==2.12.2
  Using cached ibm_cos_sdk_core-2.12.2-py3-none-any.whl
Requirement already satisfied: python-dateutil<3.0.0,>=2.8.2 in /usr/local/lib/python3.9/site-packages (from ibm-cos-sdk-core==2.12.2->ibm-cos-sdk) (2.8.2)
Collecting requests<3.0,>=2.28.1
  Using cached requests-2.28.2-py3-none-any.whl (62 kB)
Requirement already satisfied: urllib3<1.27,>=1.26.13 in /usr/local/lib/python3.9/site-packages (from ibm-cos-sdk-core==2.12.2->ibm-cos-sdk) (1.26.14)
Requirement already satisfied: six>=1.5 in /usr/local/lib/python3.9/site-packages (from python-dateutil<3.0.0,>=2.8.2->ibm-cos-sdk-core==2.12.2->ibm-cos-sdk) (1.16.0)
Requirement already satisfied: charset-normalizer<4,>=2 in /usr/local/lib/python3.9/site-packages (from requests<3.0,>=2.28.1->ibm-cos-sdk-core==2.12.2->ibm-cos-sdk) (2.0.12)
Requirement already satisfied: idna<4,>=2.5 in /usr/local/lib/python3.9/site-packages (from requests<3.0,>=2.28.1->ibm-cos-sdk-core==2.12.2->ibm-cos-sdk) (2.6)
Collecting certifi>=2017.4.17
  Using cached certifi-2022.12.7-py3-none-any.whl (155 kB)
Installing collected packages: certifi, requests, ibm-cos-sdk-core, ibm-cos-sdk-s3transfer, ibm-cos-sdk
Successfully installed certifi-2022.12.7 ibm-cos-sdk-2.12.2 ibm-cos-sdk-core-2.12.2 ibm-cos-sdk-s3transfer-2.12.2 requests-2.28.2

After installing: Successfully installed certifi-2022.12.7 ibm-cos-sdk-2.12.2 ibm-cos-sdk-core-2.12.2 ibm-cos-sdk-s3transfer-2.12.2 requests-2.28.2

alokmgr@Aloks-MacBook-Pro all-repo % pip show certifi
Name: certifi
Version: 2022.12.7
Summary: Python package for providing Mozilla's CA Bundle.
Home-page: https://github.com/certifi/python-certifi
Author: Kenneth Reitz
Author-email: me@kennethreitz.com
License: MPL-2.0
Location: /usr/local/lib/python3.9/site-packages
Requires: 
Required-by: requests, sentry-sdk

Looks like the certifi package is getting overridden by different dependencies in your application.
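The transitive chain described in the comment above (ibm-cos-sdk -> ibm-cos-sdk-core -> requests -> certifi) can be checked programmatically rather than by eyeballing pip output. The script below is an added example, not code from this issue or from the ibm-cos-sdk project: it walks the installed dependency graph with importlib.metadata, recovers the path from a root package to certifi, and compares the installed certifi against 2022.12.07, the release that removed the TrustCor root certificates (the subject of CVE-2022-23491; that threshold comes from the CVE advisory, not from this thread). SAMPLE_GRAPH is constructed sample data mirroring the chain in the thread, so the path-finding logic can be exercised without a real installation; report() queries the live environment.

```python
# Added example (not from the issue or the ibm-cos-sdk project): walk a
# package's transitive dependency graph with importlib.metadata, recover the
# path to certifi, and compare the installed certifi against the first
# release that dropped the TrustCor roots (2022.12.07, per CVE-2022-23491).
from collections import deque
from importlib import metadata
import re

# certifi 2022.12.07 removed the TrustCor root certificates (CVE-2022-23491).
FIXED_CERTIFI = (2022, 12, 7)

# Constructed sample graph mirroring the chain described in the thread, so the
# chain-finding logic runs offline without a real installation.
SAMPLE_GRAPH = {
    "ibm-cos-sdk": ["ibm-cos-sdk-core", "ibm-cos-sdk-s3transfer", "jmespath"],
    "ibm-cos-sdk-core": ["requests", "urllib3", "python-dateutil"],
    "ibm-cos-sdk-s3transfer": ["ibm-cos-sdk-core"],
    "requests": ["certifi", "charset-normalizer", "idna", "urllib3"],
    "python-dateutil": ["six"],
}


def normalize(name):
    """PEP 503 normalisation so 'IBM_COS_SDK' and 'ibm-cos-sdk' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def dist_name(requirement):
    """Distribution name from a Requires-Dist line, e.g.
    'requests<3.0,>=2.28.1' or 'certifi (>=2017.4.17)' -> 'requests' / 'certifi'."""
    m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", requirement)
    return normalize(m.group(1)) if m else None


def version_tuple(version):
    """'2022.9.24' -> (2022, 9, 24); a non-numeric segment ends the tuple."""
    parts = []
    for seg in version.split("."):
        m = re.match(r"\d+", seg)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def certifi_is_vulnerable(installed):
    """True when the installed certifi predates the TrustCor removal."""
    return version_tuple(installed) < FIXED_CERTIFI


def installed_graph(root):
    """Build {package: [direct deps]} from the live environment, skipping
    requirements that only apply to extras (e.g. requests[socks])."""
    graph, todo = {}, deque([normalize(root)])
    while todo:
        pkg = todo.popleft()
        if pkg in graph:
            continue
        try:
            reqs = metadata.requires(pkg) or []
        except metadata.PackageNotFoundError:
            graph[pkg] = []  # not installed: a leaf we cannot expand
            continue
        deps = [dist_name(r) for r in reqs if "extra ==" not in r]
        graph[pkg] = [d for d in deps if d]
        todo.extend(graph[pkg])
    return graph


def find_chain(graph, root, target):
    """Shortest root -> ... -> target path through the graph (BFS), or None."""
    root, target = normalize(root), normalize(target)
    parents, todo = {root: None}, deque([root])
    while todo:
        pkg = todo.popleft()
        if pkg == target:
            chain = []
            while pkg is not None:
                chain.append(pkg)
                pkg = parents[pkg]
            return chain[::-1]
        for dep in graph.get(pkg, []):
            if dep not in parents:
                parents[dep] = pkg
                todo.append(dep)
    return None


def report(root="ibm-cos-sdk", target="certifi"):
    """Chain and verdict for the live environment, returned as a string."""
    chain = find_chain(installed_graph(root), root, target)
    if chain is None:
        return f"{target} is not reachable from {root} in this environment"
    try:
        ver = metadata.version(target)
    except metadata.PackageNotFoundError:
        return f"{target} is required via {' -> '.join(chain)} but is not installed"
    verdict = "VULNERABLE (< 2022.12.07)" if certifi_is_vulnerable(ver) else "ok"
    return f"{' -> '.join(chain)} ({target} {ver}: {verdict})"


if __name__ == "__main__":
    print(report())
```

Run it inside the application's virtualenv: the verdict reflects the certifi actually on sys.path, which is what matters when another dependency (sentry-sdk in the pip show output above) or a pinned requirements file holds certifi at an older release than the one ibm-cos-sdk would otherwise pull in.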

ShilpaJalaja commented 1 year ago

ibm-cos-sdk 2.12.2 looks good. Thank you.