pyupio / safety

Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected.
https://safetycli.com/product/safety-cli
MIT License

Python dependency is compared to the wrong project #309

Closed normoes closed 3 years ago

normoes commented 3 years ago

Description

safety compares the PyPI monero package with a different package, maybe with the monero project (https://github.com/monero-project/monero) itself?

The most recent release of the monero package, installed with pip install monero==0.7.3, is in fact 0.7.3.

So, I assume, something might be wrong in the database.

I see the following:

+==============================================================================+
|                                                                              |
|                               /$$$$$$            /$$                         |
|                              /$$__  $$          | $$                         |
|           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
|          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
|         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
|          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
|          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
|         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
|                                                          /$$  | $$           |
|                                                         |  $$$$$$/           |
|  by pyup.io                                              \______/            |
|                                                                              |
+==============================================================================+
| REPORT                                                                       |
| checked 68 packages, using local DB                                          |
+============================+===========+==========================+==========+
| package                    | installed | affected                 | ID       |
+============================+===========+==========================+==========+
| monero                     | 0.7.3     | <0.10.0                  | 37447    |
+==============================================================================+
| Monero 0.10.0 includes a temporary patch (via a predefined user-agent) for   |
| the Cross-Site Request Forgery attack against monero-wallet-cli's RPC API.   |
+==============================================================================+
| monero                     | 0.7.3     | <0.12.0.0                | 37446    |
+==============================================================================+
| Monero 0.12.0.0 includes tweaked PoW to block DoS attacks from ASICs, as     |
| well as a way to securely erase keys from memory, for most cases, when no    |
| longer in use.                                                               |
+==============================================================================+
| monero                     | 0.7.3     | <0.9.1                   | 37448    |
+==============================================================================+
| Monero 0.9.1 includes a bug fix for the block 913193 attack, plus            |
| checkpoints.                                                                 |
+==============================================================================+

What I Did

Using the provided safety database: git clone --single-branch --depth 1 https://github.com/pyupio/safety-db.git safety-db.git

Running safety like this: safety check --db=safety-db.git/data --full-report

normoes commented 3 years ago

Closing this issue, because I created another one here: https://github.com/pyupio/safety-db/issues/2318
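As an added example (not code from safety or safety-db), a small triage script for the kind of mismatch this issue describes: it reproduces the version matching that yields the three findings in the report above and flags any advisory whose fixed version is newer than every release that actually exists on PyPI, which is exactly the reasoning the reporter used. The insecure_full.json layout, the PyPI release list and the simplified version parser are assumptions, marked as such in the comments.

```python
import re
from typing import Dict, List, Optional, Tuple
_CLAUSE = re.compile(r"^(<=|>=|==|!=|<|>)\s*([0-9][0-9.]*)$")

# Constructed sample in the assumed shape of safety-db's insecure_full.json
# (package -> advisories with "specs" = affected ranges); IDs and ranges as reported.
SAMPLE_DB: Dict[str, List[dict]] = {
    "monero": [
        {"id": "pyup.io-37447", "specs": ["<0.10.0"]},
        {"id": "pyup.io-37446", "specs": ["<0.12.0.0"]},
        {"id": "pyup.io-37448", "specs": ["<0.9.1"]},
    ]
}
# Constructed: PyPI releases; the issue states only that 0.7.3 is the newest.
PYPI_RELEASES = {"monero": ["0.7.1", "0.7.2", "0.7.3"]}

def parse_version(text: str) -> Tuple[int, ...]:
    """Simplified dotted-numeric version; enough for the versions above."""
    return tuple(int(p) for p in text.strip().split("."))

def affected(installed: str, specs: List[str]) -> bool:
    """True if `installed` matches any spec (comma-joined clauses must all hold)."""
    v = parse_version(installed)
    ops = {"<": v.__lt__, "<=": v.__le__, ">": v.__gt__,
           ">=": v.__ge__, "==": v.__eq__, "!=": v.__ne__}
    for spec in specs:
        clauses = [_CLAUSE.match(c.strip()) for c in spec.split(",")]
        if not all(clauses):
            raise ValueError(f"unsupported spec: {spec!r}")
        if all(ops[m.group(1)](parse_version(m.group(2))) for m in clauses):
            return True
    return False

def fix_version(specs: List[str]) -> Optional[str]:
    """Highest '<X' upper bound: the first version the advisory treats as fixed."""
    bounds = [m.group(2) for s in specs for c in s.split(",")
              if (m := _CLAUSE.match(c.strip())) and m.group(1) == "<"]
    return max(bounds, key=parse_version) if bounds else None

def triage(db: dict, releases: dict, installed: Dict[str, str]) -> List[dict]:
    """Flag advisories whose fix version postdates every PyPI release (name-collision hint)."""
    out = []
    for pkg, version in installed.items():
        latest = max(releases.get(pkg, []), key=parse_version, default=None)
        for adv in db.get(pkg, []):
            fix = fix_version(adv["specs"])
            bad = bool(fix and latest and parse_version(fix) > parse_version(latest))
            out.append({"package": pkg, "id": adv["id"], "suspicious": bad,
                        "affects_installed": affected(version, adv["specs"])})
    return out
```

Running `triage(SAMPLE_DB, PYPI_RELEASES, {"monero": "0.7.3"})` marks all three entries as both affecting the installed version and suspicious, since no 0.9.1, 0.10.0 or 0.12.0.0 release of the PyPI package exists.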