pyupio / safety

Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected.
https://safetycli.com/product/safety-cli
MIT License

False "affected" for Python package: httpx-gssapi #350

Closed adriantorrie closed 2 years ago

adriantorrie commented 2 years ago

Description

Running safety checks in CI provides a false "affected" for httpx-gssapi of <0.6. There is no such release for that package. It looks like they have changed their SEMVER convention in January 2021 and restarted at 0.1, which is lower than the "affected".

What I Did

+==============================================================================+
|                                                                              |
|                               /$$$$$$            /$$                         |
|                              /$$__  $$          | $$                         |
|           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
|          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
|         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
|          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
|          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
|         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
|                                                          /$$  | $$           |
|                                                         |  $$$$$$/           |
|  by pyup.io                                              \______/            |
|                                                                              |
+==============================================================================+
| REPORT                                                                       |
| checked 73 packages, using free DB (updated once a month)                    |
+============================+===========+==========================+==========+
| package                    | installed | affected                 | ID       |
+============================+===========+==========================+==========+
| httpx-gssapi               | 0.1.2.pos | <0.6                     | 39509    |
+==============================================================================+
| Httpx-gssapi 0.6 includes a security patch for CVE-2014-8650.                |
+==============================================================================+

Screenshot of httpx-gssapi tags from here [image]
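To make the false positive in this report concrete, here is an added example (not Safety's own code) that evaluates an installed version against an "affected" range the way a vulnerability database lookup does. It uses a simplified PEP 440 comparison (release segments plus an optional .postN suffix) written for this example; the installed version 0.1.2.post1, the record with a lower bound and the bound value 0.5 are constructed placeholders, not values from the Safety database.

```python
import operator
import re
from typing import Dict, List, Tuple

_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "==": operator.eq, "!=": operator.ne}

def version_key(text: str) -> Tuple[Tuple[int, ...], int]:
    """Simplified PEP 440: release segments plus an optional .postN suffix.
    Epochs, pre-releases and local versions are out of scope (assumption)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:\.post(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    while len(release) > 1 and release[-1] == 0:   # treat 0.6.0 as equal to 0.6
        release = release[:-1]
    post = int(m.group(2)) if m.group(2) is not None else -1  # plain release sorts before .post0
    return release, post

def matches(installed: str, spec: str) -> bool:
    """True when the installed version satisfies every comma-separated clause of spec."""
    v = version_key(installed)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|!=|<|>)\s*([0-9.post]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported specifier: {clause!r}")
        if not _OPS[m.group(1)](v, version_key(m.group(2))):
            return False
    return True

def affected_ids(package: str, installed: str, db: List[Dict[str, str]]) -> List[str]:
    """IDs of database records whose 'affected' range matches the installed version."""
    return [r["id"] for r in db
            if r["package"] == package and matches(installed, r["affected"])]

# The record as shown in the report above: an upper bound only, so every version
# from the restarted 0.1.x numbering scheme falls inside the range.
DB_AS_REPORTED = [{"package": "httpx-gssapi", "id": "39509", "affected": "<0.6"}]
# Hypothetical corrected record: a lower bound keeps the restarted 0.1.x versions
# out of the range. The value 0.5 is a constructed placeholder, not a real bound.
DB_WITH_LOWER_BOUND = [{"package": "httpx-gssapi", "id": "39509", "affected": ">=0.5,<0.6"}]

if __name__ == "__main__":
    installed = "0.1.2.post1"   # constructed; the report shows the truncated '0.1.2.pos'
    print("upper bound only :", affected_ids("httpx-gssapi", installed, DB_AS_REPORTED))
    print("with lower bound :", affected_ids("httpx-gssapi", installed, DB_WITH_LOWER_BOUND))
```

The first lookup flags ID 39509 exactly as the CI run did; the second, with an explicit lower bound, does not.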

yeisonvargasf commented 2 years ago

Hi @adriantorrie, thanks for reporting this. I confirm that this was solved.