fecgov / fecfile-web-api

Back-end API for FECfile application
Other

josepy/pyopenssl vulnerability #1090

Open lbeaufort opened 1 month ago

lbeaufort commented 1 month ago

Snyk links:
https://app.snyk.io/org/fecfile/project/e7c50dce-96a9-4313-818b-069a631aa5bc#issue-SNYK-PYTHON-PYOPENSSL-6157250
https://app.snyk.io/org/fecfile/project/e7c50dce-96a9-4313-818b-069a631aa5bc#issue-SNYK-PYTHON-PYOPENSSL-6149520
https://app.snyk.io/org/fecfile/project/e7c50dce-96a9-4313-818b-069a631aa5bc#issue-SNYK-PYTHON-PYOPENSSL-6592766

Introduced through josepy@1.14.0 › pyopenssl@24.2.1

We'll probably need to wait until a new version of josepy is released and https://github.com/certbot/josepy/issues/181 is resolved. This may have breaking changes. https://github.com/certbot/josepy/pull/182

QA Notes

null

DEV Notes

null

Design

null

See full ticket and images here: FECFILE-1634
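The ticket's "Introduced through josepy@1.14.0 › pyopenssl@24.2.1" line comes from Snyk; the same question (which installed distribution still pulls pyOpenSSL into the tree, and through what chain) is worth re-checking locally after any dependency change. The script below is an added example and not part of fecfile-web-api: it builds the dependency graph from `importlib.metadata` (standard library only) and walks every chain to a target package. The `SAMPLE_GRAPH` dictionary is constructed to mirror the chain in this ticket and is not real package metadata; the `fecfile-web-api` root name in it is assumed.

```python
"""Find which installed distributions pull in a given package (e.g. pyOpenSSL).

Added example, not code from the fecfile-web-api project. Uses only the
standard library so it runs offline; SAMPLE_GRAPH is constructed for the demo.
"""
from __future__ import annotations

import re
from importlib import metadata

_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalization so 'pyOpenSSL', 'pyopenssl', 'PyOpenSSL' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(spec: str) -> str | None:
    """Bare distribution name from a Requires-Dist string such as
    'cryptography>=41.0.5,<44; extra == "docs"'. Markers/extras are dropped."""
    m = _REQ_NAME.match(spec)
    return normalize(m.group(1)) if m else None


def installed_graph() -> dict[str, set[str]]:
    """Map each installed distribution to the names it declares in Requires-Dist."""
    graph: dict[str, set[str]] = {}
    for dist in metadata.distributions():
        name = normalize(dist.metadata["Name"])
        deps = set()
        for spec in dist.requires or []:
            dep = requirement_name(spec)
            if dep:
                deps.add(dep)
        graph.setdefault(name, set()).update(deps)
    return graph


def paths_to(graph: dict[str, set[str]], target: str,
             roots: list[str] | None = None) -> list[list[str]]:
    """Every chain root -> ... -> target as a list of names.

    Roots default to the packages nothing else requires, i.e. the direct
    dependencies of the environment. Cycles are guarded by the path check.
    """
    target = normalize(target)
    required_by_someone = {d for deps in graph.values() for d in deps}
    if roots is None:
        roots = sorted(n for n in graph if n not in required_by_someone)
    found: list[list[str]] = []

    def walk(node: str, path: list[str]) -> None:
        if node == target:
            found.append(path)
            return
        for dep in sorted(graph.get(node, ())):
            if dep not in path:
                walk(dep, path + [dep])

    for r in roots:
        walk(normalize(r), [normalize(r)])
    return found


# Constructed sample mirroring the chain in this ticket; not real metadata,
# and the 'fecfile-web-api' root name is assumed for the demo.
SAMPLE_GRAPH: dict[str, set[str]] = {
    "fecfile-web-api": {"josepy", "jwcrypto"},
    "josepy": {"pyopenssl", "cryptography"},
    "pyopenssl": {"cryptography"},
    "jwcrypto": {"cryptography"},
    "cryptography": {"cffi"},
    "cffi": set(),
}

if __name__ == "__main__":
    for chain in paths_to(SAMPLE_GRAPH, "pyOpenSSL"):
        print(" > ".join(chain))
    # Against the live virtualenv instead of the sample:
    # for chain in paths_to(installed_graph(), "pyOpenSSL"): print(" > ".join(chain))
```

Run it inside the project's virtualenv after swapping josepy out; an empty result for `pyOpenSSL` confirms the vulnerable package is no longer reachable, while any remaining chain names the dependency that still needs attention.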

exalate-issue-sync[bot] commented 1 week ago

David Heitzer commented: After doing some research, the solution may be to move to jwcrypto for all jwk/jws operations. This is what the trussworks library (https://github.com/trussworks/logindotgov-oidc-py/blob/main/logindotgov/oidc.py) does and according to pyopenssl (https://pypi.org/project/pyOpenSSL/), the cryptography library should be used instead where possible (this is what jwcrypto uses).
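The "jwk/jws operations" that would move between libraries are a key representation (JWK, RFC 7517), compact JWS serialization (RFC 7515) and signature verification. The block below is an added example and is not code from fecfile-web-api, josepy or jwcrypto: it implements those three operations with HS256 on the standard library alone so the checks a migration should preserve are visible, in particular pinning the expected `alg` rather than trusting the token header, selecting the key by `kid`, and comparing signatures in constant time. The key bytes, `kid` values and claims are constructed for the demo.

```python
"""JWK / JWS compact serialization with HS256, standard library only.

Added example, not from fecfile-web-api, josepy or jwcrypto. Keys, kids and
claims are constructed for the demo.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json

EXPECTED_ALG = "HS256"  # the verifier decides the algorithm, never the token


def b64url(data: bytes) -> str:
    """base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def oct_jwk(key: bytes, kid: str) -> dict:
    """Symmetric key as an RFC 7517 'oct' JWK."""
    return {"kty": "oct", "kid": kid, "alg": EXPECTED_ALG, "k": b64url(key)}


def _json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def jws_sign(payload: dict, jwk: dict) -> str:
    """Compact JWS: base64url(header).base64url(payload).base64url(signature)."""
    header = {"alg": EXPECTED_ALG, "typ": "JWT", "kid": jwk["kid"]}
    signing_input = b64url(_json(header)) + "." + b64url(_json(payload))
    sig = hmac.new(b64url_decode(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def jws_verify(token: str, keys: dict[str, dict]) -> dict:
    """Verify a compact JWS and return its payload, raising ValueError otherwise.

    - alg is compared against EXPECTED_ALG, so 'none' or an RSA alg is rejected
    - the key is chosen by kid from a trusted key set, never from the token
    - the HMAC comparison is constant time
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    jwk = keys.get(header.get("kid"))
    if jwk is None or jwk.get("kty") != "oct":
        raise ValueError("unknown kid")
    expected = hmac.new(b64url_decode(jwk["k"]), f"{h_b64}.{p_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p_b64))


def tamper_payload(token: str, new_payload: dict) -> str:
    """Swap the payload but keep the old signature (what an attacker would try)."""
    h_b64, _, s_b64 = token.split(".")
    return f"{h_b64}.{b64url(_json(new_payload))}.{s_b64}"


if __name__ == "__main__":
    key = oct_jwk(b"\x01" * 32, kid="demo-1")  # constructed demo key
    tok = jws_sign({"sub": "fecfile", "scope": "read"}, key)
    print(tok)
    print(jws_verify(tok, {"demo-1": key}))
    try:
        jws_verify(tamper_payload(tok, {"sub": "fecfile", "scope": "admin"}), {"demo-1": key})
    except ValueError as e:
        print("rejected:", e)
```

Whatever library ends up doing this in the project, the same three properties are what to check in its verify path: a fixed expected algorithm, key lookup from a trusted set, and constant-time signature comparison.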

exalate-issue-sync[bot] commented 1 week ago

Shelly Wise commented: No QA review needed on this ticket.

Moved to Stage Ready.