locustio / locust

Write scalable load tests in plain Python 🚗💨
https://locust.cloud
MIT License

Setuptools CVE-2022-40897 #2986

Closed matthawley closed 1 week ago

matthawley commented 1 week ago

Prerequisites

Description

Version 2.32.2 of locust via the usage of the python 3.11.0-slim base image reports the usage of setuptools@65.5.0 which contains the vulnerability https://github.com/advisories/GHSA-r9hx-vwmv-q579

We are requesting that locust upgrade the Python base image to a newer version (3.12.0-slim or 3.13.0-slim) to resolve this issue. Referencing #2761

Command line

n/a

Locustfile contents

n/a

Python version

3.11

Locust version

2.32.2

Operating system

Linux

cyberw commented 1 week ago

IIRC there was some reason we didn't already update to 3.12, but I've added a specific dependency on setuptools.

Will make a release some time next week. Thanks for reminding me!

matthawley commented 6 days ago

@cyberw Unfortunately, it doesn't seem as if this works - docker scout still detects v65.5.1 as it's directly referenced/installed in the Python 3.11 docker container.

    docker pull locustio/locust:master
    docker scout cves locustio/locust:master
    pkg:pypi/setuptools@65.5.1

        x HIGH CVE-2024-6345 [Improper Control of Generation of Code ('Code Injection')]
          https://scout.docker.com/v/CVE-2024-6345
          Affected range : <70.0.0
          Fixed version  : 70.0.0
          CVSS Score     : 8.8
          CVSS Vector    : CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
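A check for the situation this thread describes, added here as an example (it is not part of the issue or of the locust project): a POSIX sh script that compares the setuptools version importable from the current Python environment against the fixed version docker scout reports for CVE-2024-6345 (70.0.0, from the output above). Run inside the built image, it answers the question the second comment raises, namely whether a setuptools constraint added to the project actually replaced the copy shipped by the base image. The function names, the `--check` flag and the version strings in the comments are my own.

```shell
#!/bin/sh
# Added example: verify that the setuptools present in this Python
# environment is at or above the fixed version reported for CVE-2024-6345.
set -eu

# Fixed version taken from the docker scout output in the thread.
FIXED_SETUPTOOLS="70.0.0"

# version_ge A B: return 0 if dotted version A >= B, 1 otherwise.
# Pure POSIX sh, so it also works in slim/busybox images without sort -V.
# Numeric components are compared left to right; a non-numeric suffix
# such as "rc1" on a component is ignored (constructed simplification).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ap="${a%%.*}"; bp="${b%%.*}"
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
        ap="${ap%%[!0-9]*}"; bp="${bp%%[!0-9]*}"
        ap="${ap:-0}"; bp="${bp:-0}"
        if [ "$ap" -gt "$bp" ]; then return 0; fi
        if [ "$ap" -lt "$bp" ]; then return 1; fi
    done
    return 0
}

# setuptools_is_fixed VERSION: 0 if VERSION is not in the affected range (<70.0.0).
setuptools_is_fixed() {
    version_ge "$1" "$FIXED_SETUPTOOLS"
}

# check_installed_setuptools: ask the interpreter in this environment which
# setuptools it imports. This is what matters inside the container: a
# constraint in the project's metadata changes nothing unless the copy the
# base image installed was actually upgraded.
check_installed_setuptools() {
    v=$(python3 -c 'import importlib.metadata as m; print(m.version("setuptools"))' 2>/dev/null) || {
        echo "setuptools is not importable from python3" >&2
        return 2
    }
    if setuptools_is_fixed "$v"; then
        echo "setuptools $v >= $FIXED_SETUPTOOLS: not affected by CVE-2024-6345"
        return 0
    fi
    echo "setuptools $v < $FIXED_SETUPTOOLS: still in the affected range" >&2
    return 1
}

# Only run the live check when asked, so the functions can be sourced.
if [ "${1:-}" = "--check" ]; then
    check_installed_setuptools
fi
```

Usage: copy the script into the image and run `sh check_setuptools.sh --check` (file name is my own); a non-zero exit means the version pip imports is still below 70.0.0, which is the same condition docker scout flags. Because the check reads `importlib.metadata`, it reports the copy that Python actually resolves, not whatever a requirements file declares.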