Closed a13zen closed 1 month ago
After digging deeper, it looks like the release from Jinja addressing the issue is still pending....
This is not a bug, as we cannot update Jinja yet - but we will review a scan on CI.
@LeonLuttenberger let's huddle and come up with a path forward
Hey.
Regarding jinja2, safety-cli claims that the most recent version of jinja2 (3.1.4) has the vulnerability. Other tools such as Snyk claim that the issue was fixed in 3.1.4. This is also backed up by the security advisory on GitHub. Based on this thread, it seems like this vulnerability from Safety is likely a false positive.
With regards to implementing an automated security scanner, we looked at Safety CLI along with other options and decided to go with Snyk, mainly as Safety only updates their database every 30 days in the free tier. I'll send a PR implementing the security scanner shortly.
Best regards, Leon
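The disagreement Leon describes comes down to whether the affected version range is read as "fixed in 3.1.4" (affected `<3.1.4`) or as still including 3.1.4 (affected `<=3.1.4`). The following is an added example, not code from this issue, from Safety, Snyk, or the project: it reads pinned versions out of a requirements file and checks them against an advisory's affected range, so you can reproduce the verdict a scanner should reach before trusting its output. The requirements text and the second advisory entry (the `<=3.1.4` reading) are constructed for illustration; the `<3.1.4` range is what "fixed in 3.1.4" means. The version comparison is a minimal dotted-version implementation so the script runs with no third-party packages; in real tooling use `packaging.specifiers`.

```python
"""Check pinned dependency versions against an advisory's affected range.

Added example; not part of the original issue or the project's code.
Uses a minimal dotted-version comparison so it runs without third-party
packages (in production code, use packaging.specifiers / packaging.version).
"""
import re


def parse_version(v):
    """'3.1.4' -> (3, 1, 4, 1); a pre-release such as '3.1.4rc1' -> (3, 1, 4, 0).

    Versions are padded to three numeric components so '3.1' == '3.1.0'.
    The trailing flag makes a pre-release sort below its final release.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))
    is_final = m.group(2) == ""
    return nums + (1 if is_final else 0,)


def affected(version, spec):
    """True if `version` satisfies every clause of a spec like '<3.1.4' or '>=3.0,<=3.1.4'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.match(r"^\s*(<=|>=|==|!=|<|>)\s*(.+)$", clause)
        if not m:
            raise ValueError(f"unparseable clause: {clause!r}")
        op, target = m.groups()
        t = parse_version(target)
        holds = {"<": v < t, "<=": v <= t, ">": v > t,
                 ">=": v >= t, "==": v == t, "!=": v != t}[op]
        if not holds:
            return False
    return True


def parse_pins(requirements_text):
    """Map package name -> version for 'pkg==x.y.z' lines; comments and unpinned lines are ignored."""
    pins = {}
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.-]+)\s*==\s*(\S+)$", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def check(requirements_text, advisories):
    """advisories: list of (package, affected_spec, source). Returns matching (pkg, pinned, spec, source) tuples."""
    pins = parse_pins(requirements_text)
    findings = []
    for pkg, spec, source in advisories:
        pinned = pins.get(pkg.lower())
        if pinned is not None and affected(pinned, spec):
            findings.append((pkg, pinned, spec, source))
    return findings


# Constructed sample input: a requirements file pinning the version discussed in the thread.
REQUIREMENTS = """\
jinja2==3.1.4
requests==2.31.0  # pinned for reproducibility
"""

# Two readings of the same advisory. "Fixed in 3.1.4" (the GitHub advisory per the
# thread) means the affected range is '<3.1.4'. The second entry is an assumption:
# a database entry that treats 3.1.4 itself as affected ('<=3.1.4'), which is the
# kind of boundary error that makes a scanner flag the pinned version.
ADVISORIES = [
    ("jinja2", "<3.1.4", "GitHub advisory (fixed in 3.1.4)"),
    ("jinja2", "<=3.1.4", "hypothetical database entry that includes 3.1.4"),
]


if __name__ == "__main__":
    for pkg, pinned, spec, source in check(REQUIREMENTS, ADVISORIES):
        print(f"{pkg}=={pinned} matches affected range {spec!r} per {source}")
```

Run against the constructed requirements, only the `<=3.1.4` entry produces a finding; the "fixed in 3.1.4" range does not match the pinned 3.1.4, which is the outcome the GitHub advisory and Snyk reading implies. When two scanners disagree, comparing the pinned version against the advisory's stated fixed version this way is the quickest way to decide which one is wrong.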
Describe the bug: The current Jinja dependency is being flagged as containing a vuln. https://data.safetycli.com/v/70612/97c/
Recommendation: Add the https://pypi.org/project/safety/ dependency vuln checker as a CI job.