Closed lvaylet closed 1 year ago
`pipdeptree` can help identify the packages that rely on `gitpython` and `certifi`:
$ pip install pipdeptree
$ pipdeptree | grep -i gitpython -B 3
bandit==1.7.5
├── GitPython [required: >=1.0.1, installed: 3.1.31]
So `GitPython` is only used by `bandit`.
`certifi` is used by a lot more packages:
└── typing-extensions [required: >=3.10.0.0, installed: 4.6.3]
datadog==0.45.0
└── requests [required: >=2.6.0, installed: 2.31.0]
├── certifi [required: >=2017.4.17, installed: 2023.5.7]
--
└── urllib3 [required: >=1.21.1,<3, installed: 1.26.16]
elasticsearch==8.8.0
└── elastic-transport [required: >=8,<9, installed: 8.4.0]
├── certifi [required: Any, installed: 2023.5.7]
--
│ │ └── protobuf [required: >=3.19.5,<5.0.0dev,!=4.21.5,!=4.21.4,!=4.21.3,!=4.21.2,!=4.21.1,!=3.20.1,!=3.20.0, installed: 3.20.3]
│ ├── protobuf [required: >=3.19.5,<5.0.0dev,!=4.21.5,!=4.21.4,!=4.21.3,!=4.21.2,!=4.21.1,!=4.21.0,!=3.20.1,!=3.20.0, installed: 3.20.3]
│ └── requests [required: >=2.18.0,<3.0.0dev, installed: 2.31.0]
│ ├── certifi [required: >=2017.4.17, installed: 2023.5.7]
--
│ │ └── protobuf [required: >=3.19.5,<5.0.0dev,!=4.21.5,!=4.21.4,!=4.21.3,!=4.21.2,!=4.21.1,!=3.20.1,!=3.20.0, installed: 3.20.3]
│ ├── protobuf [required: >=3.19.5,<5.0.0dev,!=4.21.5,!=4.21.4,!=4.21.3,!=4.21.2,!=4.21.1,!=4.21.0,!=3.20.1,!=3.20.0, installed: 3.20.3]
│ └── requests [required: >=2.18.0,<3.0.0dev, installed: 2.31.0]
│ ├── certifi [required: >=2017.4.17, installed: 2023.5.7]
--
│ │ │ └── protobuf [required: >=3.19.5,<5.0.0dev,!=4.21.5,!=4.21.4,!=4.21.3,!=4.21.2,!=4.21.1,!=3.20.1,!=3.20.0, installed: 3.20.3]
│ │ ├── protobuf [required: >=3.19.5,<5.0.0dev,!=4.21.5,!=4.21.4,!=4.21.3,!=4.21.2,!=4.21.1,!=4.21.0,!=3.20.1,!=3.20.0, installed: 3.20.3]
│ │ └── requests [required: >=2.18.0,<3.0.0dev, installed: 2.31.0]
│ │ ├── certifi [required: >=2017.4.17, installed: 2023.5.7]
--
├── python-dateutil [required: >=2.7.2,<3.0dev, installed: 2.8.2]
│ └── six [required: >=1.5, installed: 1.16.0]
└── requests [required: >=2.18.0,<3.0.0dev, installed: 2.31.0]
├── certifi [required: >=2017.4.17, installed: 2023.5.7]
--
│ │ └── protobuf [required: >=3.19.5,<5.0.0dev,!=4.21.5,!=4.21.4,!=4.21.3,!=4.21.2,!=4.21.1,!=3.20.1,!=3.20.0, installed: 3.20.3]
│ ├── protobuf [required: >=3.19.5,<5.0.0dev,!=4.21.5,!=4.21.4,!=4.21.3,!=4.21.2,!=4.21.1,!=4.21.0,!=3.20.1,!=3.20.0, installed: 3.20.3]
│ └── requests [required: >=2.18.0,<3.0.0dev, installed: 2.31.0]
│ ├── certifi [required: >=2017.4.17, installed: 2023.5.7]
--
│ │ └── protobuf [required: >=3.19.5,<5.0.0dev,!=4.21.5,!=4.21.4,!=4.21.3,!=4.21.2,!=4.21.1,!=3.20.1,!=3.20.0, installed: 3.20.3]
│ ├── protobuf [required: >=3.19.5,<5.0.0dev,!=4.21.5,!=4.21.4,!=4.21.3,!=4.21.2,!=4.21.1,!=4.21.0,!=3.20.1,!=3.20.0, installed: 3.20.3]
│ └── requests [required: >=2.18.0,<3.0.0dev, installed: 2.31.0]
│ ├── certifi [required: >=2017.4.17, installed: 2023.5.7]
--
├── tomli [required: >=1.1.0, installed: 2.0.1]
└── typing-extensions [required: >=3.10, installed: 4.6.3]
opensearch-py==2.3.1
├── certifi [required: >=2022.12.07, installed: 2023.5.7]
├── python-dateutil [required: Any, installed: 2.8.2]
│ └── six [required: >=1.5, installed: 1.16.0]
├── requests [required: >=2.4.0,<3.0.0, installed: 2.31.0]
│ ├── certifi [required: >=2017.4.17, installed: 2023.5.7]
--
prometheus-client==0.17.0
prometheus-http-client==1.0.0
└── requests [required: Any, installed: 2.31.0]
├── certifi [required: >=2017.4.17, installed: 2023.5.7]
--
├── packaging [required: >=21.0,<22.0, installed: 21.3]
│ └── pyparsing [required: >=2.0.2,!=3.0.5, installed: 3.0.9]
├── requests [required: Any, installed: 2.31.0]
│ ├── certifi [required: >=2017.4.17, installed: 2023.5.7]
Mostly by backends like Cloud Monitoring, Datadog, ElasticSearch, and also by `bandit` again. Almost always as a dependency of `requests`.
`bandit` 1.7.5 is already the latest version at the time of writing, according to https://pypi.org/project/bandit/. So let's specify a minimum version to install for `gitpython` in `setup.cfg` instead, and 3.1.35 fixes all three CVEs:
dev =
[...]
bandit
GitPython >=3.1.35
Run `make install` again and confirm `safety check` no longer returns any violation for `GitPython`:
$ make install
[...]
Downloading GitPython-3.1.37-py3-none-any.whl (190 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 190.0/190.0 kB 9.8 MB/s eta 0:00:00
Building wheels for collected packages: slo-generator
Building editable for slo-generator (pyproject.toml) ... done
Created wheel for slo-generator: filename=slo_generator-2.4.0-0.editable-py2.py3-none-any.whl size=11498 sha256=71a4d4b61fe4fcfde73123f988aea7bf1776a89456781ce7489436e1556985f0
Stored in directory: /tmp/pip-ephem-wheel-cache-ublt7juf/wheels/cb/fa/70/8459fdf9ec77e5fc583a34349d29f2124c29ebe1389648c385
Successfully built slo-generator
Installing collected packages: slo-generator, GitPython
Attempting uninstall: slo-generator
Found existing installation: slo-generator 2.4.0
Uninstalling slo-generator-2.4.0:
Successfully uninstalled slo-generator-2.4.0
Attempting uninstall: GitPython
Found existing installation: GitPython 3.1.31
Uninstalling GitPython-3.1.31:
Successfully uninstalled GitPython-3.1.31
Successfully installed GitPython-3.1.37 slo-generator-2.4.0
$ safety check
+====================================================================================================================================+
/$$$$$$ /$$
/$$__ $$ | $$
/$$$$$$$ /$$$$$$ | $$ \__//$$$$$$ /$$$$$$ /$$ /$$
/$$_____/ |____ $$| $$$$ /$$__ $$|_ $$_/ | $$ | $$
| $$$$$$ /$$$$$$$| $$_/ | $$$$$$$$ | $$ | $$ | $$
\____ $$ /$$__ $$| $$ | $$_____/ | $$ /$$| $$ | $$
/$$$$$$$/| $$$$$$$| $$ | $$$$$$$ | $$$$/| $$$$$$$
|_______/ \_______/|__/ \_______/ \___/ \____ $$
/$$ | $$
| $$$$$$/
by pyup.io \______/
+====================================================================================================================================+
REPORT
Safety is using PyUp's free open-source vulnerability database. This data is 30 days old and limited.
For real-time enhanced vulnerability data, fix recommendations, severity reporting, cybersecurity support, team and project
policy management and more sign up at https://pyup.io or email sales@pyup.io
Safety v2.3.5 is scanning for Vulnerabilities...
Scanning dependencies in your environment:
-> /home/user/workspace/github/google/slo-generator/venv3.9/lib/python3.9/site-packages
Using non-commercial database
Found and scanned 125 packages
Timestamp 2023-10-06 12:20:01
1 vulnerability found
0 vulnerabilities ignored
+====================================================================================================================================+
VULNERABILITIES FOUND
+====================================================================================================================================+
-> Vulnerability found in certifi version 2023.5.7
Vulnerability ID: 59956
Affected spec: >=2015.04.28,<2023.07.22
ADVISORY: Certifi 2023.07.22 includes a fix for CVE-2023-37920: Certifi prior to version 2023.07.22 recognizes "e-Tugra"
root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in...
CVE-2023-37920
For more information, please visit https://pyup.io/v/59956/f17
Scan was completed. 1 vulnerability was found.
+====================================================================================================================================+
REMEDIATIONS
1 vulnerability was found in 1 package. For detailed remediation & fix recommendations, upgrade to a commercial license.
+====================================================================================================================================+
Safety is using PyUp's free open-source vulnerability database. This data is 30 days old and limited.
For real-time enhanced vulnerability data, fix recommendations, severity reporting, cybersecurity support, team and project
policy management and more sign up at https://pyup.io or email sales@pyup.io
+====================================================================================================================================+
Let's fix `certifi` the same way:
[options]
[...]
install_requires =
[...]
setuptools >=65.5.1 # https://pyup.io/v/52495/f17 (reported by `safety check`)
certifi >=2023.07.22 # avoid CVE-2023-37920 (reported by `safety check`)
Then `make install` and `safety check` confirm there are no CVEs left:
$ make install
Downloading certifi-2023.7.22-py3-none-any.whl (158 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 158.3/158.3 kB 9.1 MB/s eta 0:00:00
Building wheels for collected packages: slo-generator
Building editable for slo-generator (pyproject.toml) ... done
Created wheel for slo-generator: filename=slo_generator-2.4.0-0.editable-py2.py3-none-any.whl size=11513 sha256=b8248333e3597e7ef6faf74b4d0b79b354db724135ae8072077d69e0aa4b3381
Stored in directory: /tmp/pip-ephem-wheel-cache-16wvmu18/wheels/cb/fa/70/8459fdf9ec77e5fc583a34349d29f2124c29ebe1389648c385
Successfully built slo-generator
Installing collected packages: certifi, slo-generator
Attempting uninstall: certifi
Found existing installation: certifi 2023.5.7
Uninstalling certifi-2023.5.7:
Successfully uninstalled certifi-2023.5.7
Attempting uninstall: slo-generator
Found existing installation: slo-generator 2.4.0
Uninstalling slo-generator-2.4.0:
Successfully uninstalled slo-generator-2.4.0
Successfully installed certifi-2023.7.22 slo-generator-2.4.0
$ safety check
+====================================================================================================================================+
/$$$$$$ /$$
/$$__ $$ | $$
/$$$$$$$ /$$$$$$ | $$ \__//$$$$$$ /$$$$$$ /$$ /$$
/$$_____/ |____ $$| $$$$ /$$__ $$|_ $$_/ | $$ | $$
| $$$$$$ /$$$$$$$| $$_/ | $$$$$$$$ | $$ | $$ | $$
\____ $$ /$$__ $$| $$ | $$_____/ | $$ /$$| $$ | $$
/$$$$$$$/| $$$$$$$| $$ | $$$$$$$ | $$$$/| $$$$$$$
|_______/ \_______/|__/ \_______/ \___/ \____ $$
/$$ | $$
| $$$$$$/
by pyup.io \______/
+====================================================================================================================================+
REPORT
Safety is using PyUp's free open-source vulnerability database. This data is 30 days old and limited.
For real-time enhanced vulnerability data, fix recommendations, severity reporting, cybersecurity support, team and project
policy management and more sign up at https://pyup.io or email sales@pyup.io
Safety v2.3.5 is scanning for Vulnerabilities...
Scanning dependencies in your environment:
-> /home/user/workspace/github/google/slo-generator/venv3.9/lib/python3.9/site-packages
Using non-commercial database
Found and scanned 125 packages
Timestamp 2023-10-06 12:30:04
0 vulnerabilities found
0 vulnerabilities ignored
+====================================================================================================================================+
No known security vulnerabilities found.
+====================================================================================================================================+
Safety is using PyUp's free open-source vulnerability database. This data is 30 days old and limited.
For real-time enhanced vulnerability data, fix recommendations, severity reporting, cybersecurity support, team and project
policy management and more sign up at https://pyup.io or email sales@pyup.io
+====================================================================================================================================+
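The two manual steps above (grepping `pipdeptree` output to see who pulls in a package, then checking whether the installed version is below a `>=` pin) can be scripted. The following is an added example, not code from this issue or from slo-generator: it builds the dependency graph of the running interpreter from `importlib.metadata`, inverts it to list every direct and transitive dependent of a package, and compares release segments the way PEP 440 does. `SAMPLE_GRAPH` is a constructed graph that mirrors the `pipdeptree` output quoted above (only the edges visible there), and the file name `revdeps.py` in the usage comment is an assumption.

```python
"""Reverse-dependency walk and minimum-version check for a Python environment.

Added example, not code from the issue above or from slo-generator. It does
two things the pipdeptree / setup.cfg steps above do by hand:
  1. build the dependency graph of the current environment from
     importlib.metadata and invert it to answer "which packages pull in X?";
  2. compare an installed version against a minimum pin the way PEP 440
     release segments compare, so "2023.07.22" and "2023.7.22" are equal.
"""
from __future__ import annotations

import re
import sys
from collections import defaultdict
from importlib import metadata

# Constructed sample mirroring the pipdeptree output quoted in the issue
# (package -> its direct dependencies); not a real environment.
SAMPLE_GRAPH = {
    "bandit": {"gitpython"},
    "datadog": {"requests"},
    "elasticsearch": {"elastic-transport"},
    "elastic-transport": {"certifi", "urllib3"},
    "opensearch-py": {"certifi", "python-dateutil", "requests"},
    "prometheus-http-client": {"requests"},
    "python-dateutil": {"six"},
    "requests": {"certifi", "urllib3"},
}

_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")
_RELEASE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")


def normalize(name: str) -> str:
    """PEP 503 name normalization: 'GitPython' and 'gitpython' are one key."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(req: str):
    """Distribution name from a requirement string such as 'GitPython>=1.0.1'
    or 'requests (>=2.6.0)'. Requirements guarded by an 'extra' marker are
    optional and return None; without this filter every package declaring an
    optional extra would show up as a dependent."""
    spec, _, marker = req.partition(";")
    if "extra" in marker:
        return None
    m = _REQ_NAME.match(spec)
    return normalize(m.group(1)) if m else None


def environment_graph() -> dict:
    """Forward graph {package -> set(direct deps)} of the running interpreter."""
    graph = defaultdict(set)
    for dist in metadata.distributions():
        name = dist.metadata["Name"]
        if not name:  # skip broken metadata rather than crash the walk
            continue
        for req in dist.requires or []:
            dep = requirement_name(req)
            if dep:
                graph[normalize(name)].add(dep)
    return dict(graph)


def reverse_dependents(graph: dict, target: str) -> set:
    """Every package that depends on target, directly or transitively."""
    rdeps = defaultdict(set)
    for pkg, deps in graph.items():
        for dep in deps:
            rdeps[dep].add(pkg)
    seen, stack = set(), [normalize(target)]
    while stack:
        for parent in rdeps.get(stack.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def release_tuple(version: str) -> tuple:
    """Release segment as integers with trailing zeros dropped, so
    '2023.07.22' -> (2023, 7, 22) and '3.1.0' == '3.1'. Pre/post/dev
    suffixes are ignored, which is enough for the pins discussed here."""
    m = _RELEASE.match(version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def needs_bump(installed: str, minimum: str) -> bool:
    """True when the installed version is below a '>=minimum' pin."""
    return release_tuple(installed) < release_tuple(minimum)


if __name__ == "__main__":
    # Usage (file name assumed): python revdeps.py certifi 2023.07.22
    target = sys.argv[1] if len(sys.argv) > 1 else "certifi"
    dependents = sorted(reverse_dependents(environment_graph(), target))
    print(f"{target} is pulled in by: {dependents or 'nothing'}")
    if len(sys.argv) > 2:
        try:
            installed = metadata.version(target)
        except metadata.PackageNotFoundError:
            sys.exit(f"{target} is not installed")
        print(f"installed {installed}, bump needed: {needs_bump(installed, sys.argv[2])}")
```

Two points worth noting. First, the pin `certifi >=2023.07.22` and the wheel pip actually downloaded, `certifi-2023.7.22`, are the same version: PEP 440 compares release segments numerically, so the leading zero is irrelevant, and the helper above reproduces that. Second, a reverse-dependency walk only tells you who would be affected by a bump; it is not a vulnerability scanner, so keep `safety check` (or `pip-audit`) in the pipeline to find out what needs bumping.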
SLO Generator Version
v2.4.0
Python Version
3.9
What happened?
`safety check` reports 4 vulnerabilities at the last stage of `make lint`.
What did you expect?
No vulnerabilities found.