awslabs / seed-farmer

Seed-Farmer is an orchestration tool that works with AWS CodeSeeder and is modeled after GitOps deployments. It has a Python-based command-line interface, leverages modular code deployments defined by declarative manifests, and includes change detection and deployment optimization.
https://seed-farmer.readthedocs.io/en/latest/
Apache License 2.0
43 stars, 15 forks

[BUG] Update Jinja Dependency #603

Status: Closed (a13zen closed this issue 1 month ago)

a13zen commented 1 month ago

Describe the bug: The current Jinja dependency is being flagged as containing a vuln. https://data.safetycli.com/v/70612/97c/

Recommendation: Add the https://pypi.org/project/safety/ dependency vuln checker as a CI job.

a13zen commented 1 month ago

After digging deeper, it looks like the release from Jinja addressing the issue is still pending...

dgraeber commented 1 month ago

This is not a bug, as we cannot update Jinja yet, but we will review a scan on CI.

dgraeber commented 1 month ago

@LeonLuttenberger let's huddle and come up with a path forward.

LeonLuttenberger commented 1 month ago

Hey.

Regarding jinja2, safety-cli claims that the most recent version of jinja2 (3.1.4) has the vulnerability. Other tools such as Snyk claim that the issue was fixed in 3.1.4. This is also backed up by the security advisory on GitHub. Based on this thread, it seems like this vulnerability from Safety is likely a false positive.

With regards to implementing an automated security scanner, we looked at Safety CLI along with other options and decided to go with Snyk, mainly as Safety only updates their database every 30 days in the free tier. I'll send a PR implementing the security scanner shortly.

Best regards, Leon
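The disagreement above (Safety lists jinja2 3.1.4 as affected, while the GitHub advisory and Snyk treat 3.1.4 as fixed) comes down to how each database expresses the affected version range. The following is an added example, not seed-farmer's code and not the Safety or Snyk CLI: a minimal CI-style check that reads a pinned requirements file and evaluates it against advisory records. The two advisory entries, the requirements content, and the function names are constructed for illustration; they are not real database entries.

```python
"""Minimal dependency-advisory gate for a CI job (added example).

Shows how the same pinned version is judged differently by two advisory
records that describe the same issue with different affected ranges:
one says "<3.1.4" (fixed in 3.1.4), the other "<=3.1.4" (3.1.4 still
affected). Only numeric dotted release versions and simple comparison
clauses are handled; that is an assumption sufficient for pinned deps.
"""

import re
from dataclasses import dataclass

# Constructed sample of a pip-freeze style requirements file.
REQUIREMENTS_TXT = """\
# pinned deps (constructed sample)
jinja2==3.1.4
boto3==1.34.0
"""


@dataclass(frozen=True)
class Advisory:
    source: str     # which database the record is modelled on (hypothetical)
    package: str
    affected: str   # comma-separated clauses, e.g. "<3.1.4" or ">=3.0,<3.1.4"
    note: str


# Hypothetical advisories mirroring the thread: same issue, different range.
ADVISORIES = [
    Advisory("github-advisory-like", "jinja2", "<3.1.4", "fixed in 3.1.4"),
    Advisory("safety-like", "jinja2", "<=3.1.4", "lists 3.1.4 as affected"),
]

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}


def parse_version(text):
    """Parse the release segment of a version ("3.1.4") into (3, 1, 4)."""
    m = re.match(r"^\d+(\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unsupported version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def matches(version, specifier):
    """True if `version` satisfies every comma-separated clause in `specifier`."""
    v = parse_version(version)
    for clause in specifier.split(","):
        m = re.match(r"^\s*(<=|>=|==|!=|<|>)\s*([\d.]+)\s*$", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def parse_requirements(text):
    """Return {name: version} for exact '==' pins; comments and blanks skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"only exact pins are supported: {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


def check(requirements_text, advisories):
    """Return (source, package, version, note) for every advisory that matches a pin."""
    pins = parse_requirements(requirements_text)
    hits = []
    for adv in advisories:
        version = pins.get(adv.package.lower())
        if version is not None and matches(version, adv.affected):
            hits.append((adv.source, adv.package, version, adv.note))
    return hits


def sources_flagging(requirements_text, advisories, package):
    """Names of the advisory sources that flag `package` at its pinned version."""
    return sorted(h[0] for h in check(requirements_text, advisories) if h[1] == package)


def ci_exit_code(requirements_text, advisories):
    """Non-zero when any advisory matches, so the CI job fails the build."""
    return 1 if check(requirements_text, advisories) else 0


if __name__ == "__main__":
    for source, package, version, note in check(REQUIREMENTS_TXT, ADVISORIES):
        print(f"{source}: {package}=={version} flagged ({note})")
    raise SystemExit(ci_exit_code(REQUIREMENTS_TXT, ADVISORIES))
```

With the constructed records, only the "safety-like" entry flags jinja2==3.1.4, which is the shape of the false positive Leon describes; a scanner that fails the build on any hit will therefore block a pin that the other databases consider fixed. When two sources disagree, the range in the record (fixed-in version, or upper bound inclusive vs. exclusive) is the first thing to compare, and a scanner whose database is refreshed infrequently can carry a stale range for longer.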