google / slo-generator

SLO Generator computes SLIs, SLOs, Error Budgets and Burn Rates from supported backends, then exports an SLO report to supported targets.
Apache License 2.0

🐛 [BUG] - `safety` reports CVE in `pip` with Python 3.11 #403

Closed lvaylet closed 9 months ago

lvaylet commented 11 months ago

SLO Generator Version

2.x

Python Version

3.11

What happened?

Error in CI pipeline. safety reports a CVE in pip, only with Python 3.11.

https://github.com/google/slo-generator/actions/runs/7138187266/job/19439339635?pr=402

What did you expect?

safety check completes successfully.

Screenshots

No response

Relevant log output

$ safety check
+==============================================================================+

                               /$$$$$$            /$$
                              /$$__  $$          | $$
           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$
          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$
         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$
          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$
          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$
         |_______/  \_______/|__/     \_______/   \___/   \____  $$
                                                          /$$  | $$
                                                         |  $$$$$$/
  by pyup.io                                              \______/

+==============================================================================+

 REPORT 

  Safety is using PyUp's free open-source vulnerability database. This
data is 30 days old and limited. 
  For real-time enhanced vulnerability data, fix recommendations, severity
reporting, cybersecurity support, team and project policy management and more
sign up at https://pyup.io or email sales@pyup.io

  Safety v2.3.4 is scanning for Vulnerabilities...
  Scanning dependencies in your environment:

  -> /opt/hostedtoolcache/Python/3.11.7/x64/lib/python3.11/site-packages

  Using non-commercial database
  Found and scanned 114 packages
  Timestamp 2023-12-08 06:32:57
  1 vulnerability found
  0 vulnerabilities ignored

+==============================================================================+
 VULNERABILITIES FOUND 
+==============================================================================+

-> Vulnerability found in pip version 23.2.1
   Vulnerability ID: 62044
   Affected spec: <23.3
   ADVISORY: Pip 23.3 includes a fix for CVE-2023-5752: When installing
   a package from a Mercurial VCS URL (ie "pip install hg+...") with pip...
   CVE-2023-5752
   For more information, please visit
   https://data.safetycli.com/v/62044/f17

 Scan was completed. 1 vulnerability was found. 

+==============================================================================+
   REMEDIATIONS

  1 vulnerability was found in 1 package. For detailed remediation & fix 
  recommendations, upgrade to a commercial license. 

+==============================================================================+


lvaylet commented 11 months ago

This only happens for Python 3.11. Other versions install pip v23.3, as requested by setup.cfg.

dev =
    pip >=23.3  # avoid known vulnerabilities in pip <23.3 (reported by `safety check`)

Not sure why Python 3.11 is ignoring these requirements.

mrtergl commented 10 months ago

Actually, python tries to get 23.3 or above while installing dependencies in Python 3.11, but it says Requirement already satisfied in that path:

Requirement already satisfied: pip>=23.3 in /opt/hostedtoolcache/Python/3.11.7/x64/lib/python3.11/site-packages (from slo-generator==2.5.2) (23.3.2)

Then safety check command runs:

Safety v2.3.4 is scanning for Vulnerabilities... Scanning dependencies in your environment:

-> /opt/hostedtoolcache/Python/3.11.7/x64/lib/python3.11/site-packages

It is scanning exactly the same path where v23.3 is supposed to be, but it scans v23.2.1 and the vulnerability comes up.

Vulnerability found in pip version 23.2.1 Vulnerability ID: 62044 Affected spec: <23.3 ADVISORY: Pip 23.3 includes a fix for CVE-2023-5752: When installing

Note: I've tried with v2.3.5 for safety as well (at some point while installing dependencies, it downgrades safety), but no change occurred.

I've tried to pass the lint test for Python 3.11 in the related PR: https://github.com/google/slo-generator/pull/413 @lvaylet

lvaylet commented 10 months ago

Thanks @mrtergl for investigating. I will dedicate some time to this issue and your PR tomorrow afternoon.

lvaylet commented 10 months ago

safety completes successfully within make docker_test when the base image is set to Python 3.11 instead of the current 3.9 (with FROM python:3.11-slim, resulting in Python 3.11.7 being installed, the same version as in the CI pipeline). So Python 3.11 might not be the issue here.

lvaylet commented 10 months ago

The Dockerfile runs pip install -U setuptools before installing the remaining packages:

FROM python:3.11-slim
[...]
RUN pip install -U setuptools
RUN pip install ."[api, datadog, dynatrace, prometheus, elasticsearch, opensearch, splunk, pubsub, cloud_monitoring, cloud_service_monitoring, cloud_storage, bigquery, cloudevent, dev]"

Would it make sense to include pip install -U setuptools at the beginning of make install too?

lvaylet commented 10 months ago

I tried forcing an update of setuptools and pip in #424 before installing the other packages but safety still reports a CVE with pip 23.2.1 while 23.3.2 is actually installed (as confirmed by running pip --version just before safety check).

More details: https://github.com/google/slo-generator/actions/runs/7640294745/job/20815118754#step:5:92
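The comments above describe a scanner reporting pip 23.2.1 from a site-packages directory in which `pip --version` says 23.3.2 is installed. The following is an added diagnostic written for this thread, not code from slo-generator or from safety. It assumes (as a hypothesis the thread does not confirm) that one way such a mismatch can arise is a leftover `*.dist-info` directory from an earlier pip release sitting next to the current one, which a metadata-based scanner would still read. The script lists every `dist-info` version recorded for a distribution under a given path, compares each against a minimum version (the `>=23.3` constraint from setup.cfg) and against the version the interpreter actually runs, and flags stale entries. The fixture in `demo()` is constructed, and all function and parameter names are the example's own.

```python
"""Added diagnostic for the issue above (not part of slo-generator or safety):
enumerate every pip *.dist-info directory in a site-packages path and
cross-check it against the minimum version and the runtime version."""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Matches e.g. "pip-23.2.1.dist-info", the directory layout metadata scanners read.
DIST_INFO_RE = re.compile(r"^(?P<name>.+?)-(?P<version>[0-9][^-]*)\.dist-info$")


def parse_version(version: str) -> Tuple[int, ...]:
    """'23.3.2' -> (23, 3, 2). Assumes plain release versions; a non-numeric
    component ends the parse ('23.3rc1' -> (23, 3))."""
    parts: List[int] = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_below(version: str, minimum: str) -> bool:
    """Numeric comparison with zero padding so '23.3' and '23.3.0' compare equal."""
    a, b = parse_version(version), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def find_metadata_versions(site_packages: str, dist_name: str) -> List[str]:
    """Return every version recorded by a *.dist-info directory for dist_name,
    preferring the Version: field of METADATA over the directory name."""
    wanted = dist_name.lower().replace("-", "_")
    versions: List[str] = []
    for entry in sorted(os.listdir(site_packages)):
        match = DIST_INFO_RE.match(entry)
        if not match or match.group("name").lower().replace("-", "_") != wanted:
            continue
        version = match.group("version")
        metadata = Path(site_packages, entry, "METADATA")
        if metadata.is_file():
            for line in metadata.read_text(encoding="utf-8", errors="replace").splitlines():
                if line.startswith("Version:"):
                    version = line.split(":", 1)[1].strip()
                    break
        versions.append(version)
    return versions


def diagnose(site_packages: str, dist_name: str, minimum: str,
             runtime_version: str) -> Dict[str, object]:
    """Cross-check the metadata a scanner would read against the minimum
    version required and the version the interpreter actually runs
    (what `pip --version` prints)."""
    metadata_versions = find_metadata_versions(site_packages, dist_name)
    below_minimum = [v for v in metadata_versions if is_below(v, minimum)]
    stale_metadata = [v for v in metadata_versions if v != runtime_version]
    return {
        "metadata_versions": metadata_versions,
        "runtime_version": runtime_version,
        "below_minimum": below_minimum,
        "stale_metadata": stale_metadata,
        "ok": not below_minimum and not stale_metadata,
    }


def demo() -> Dict[str, object]:
    """Constructed fixture: a site-packages holding both pip-23.2.1.dist-info and
    pip-23.3.2.dist-info while the runtime pip is 23.3.2, mirroring the mismatch
    reported in the thread (that a stale dist-info is the cause is an assumption)."""
    with tempfile.TemporaryDirectory() as root:
        for version in ("23.2.1", "23.3.2"):
            info_dir = Path(root, f"pip-{version}.dist-info")
            info_dir.mkdir()
            (info_dir / "METADATA").write_text(
                f"Metadata-Version: 2.1\nName: pip\nVersion: {version}\n", encoding="utf-8"
            )
        return diagnose(root, "pip", "23.3", runtime_version="23.3.2")


if __name__ == "__main__":
    print(demo())
    # On a real environment, point it at the scanned path and the runtime version:
    # import pip, sysconfig
    # print(diagnose(sysconfig.get_paths()["purelib"], "pip", "23.3", pip.__version__))
```

If `stale_metadata` is non-empty on a CI runner, the scanner's finding and `pip --version` can both be telling the truth at once: the interpreter imports the newer package while the older metadata directory is still present to be scanned. Removing the stale directory, or using a fresh virtual environment instead of a preinstalled tool cache, is the usual way to make the two views agree.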

lvaylet commented 9 months ago

The issue disappeared on the latest PRs. For example, every check in #422 completes just fine.