pyupio / safety

Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected.
https://safetycli.com/product/safety-cli
MIT License
1.66k stars 141 forks

Report contains lots of duplicated vulnerabilities with tensorflow==2.4.0 and the commercial database #353

Closed millenc closed 2 years ago

millenc commented 2 years ago

Description

The safety report (either --full-report or --short-report) is huge and contains lots of duplicated lines when tensorflow 2.4.0 is installed and an API key is used.

What I Did

  1. Create a fresh virtual environment: virtualenv -p /usr/bin/python3.7 ~/.envs/tensorflow
  2. Activate the environment
  3. Install tensorflow (2.4.0) and the latest version of safety: pip3 install tensorflow==2.4.0 safety
  4. Run the analysis: safety check
  5. Export the API key environment variable: export SAFETY_API_KEY="<MY API KEY HERE>"
  6. Run the analysis again

Running safety with no API key (step 4.) the report looks like this:

+==============================================================================+
|                                                                              |
|                               /$$$$$$            /$$                         |
|                              /$$__  $$          | $$                         |
|           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
|          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
|         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
|          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
|          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
|         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
|                                                          /$$  | $$           |
|                                                         |  $$$$$$/           |
|  by pyup.io                                              \______/            |
|                                                                              |
+==============================================================================+
| REPORT                                                                       |
| checked 47 packages, using free DB (updated once a month)                    |
+============================+===========+==========================+==========+
| package                    | installed | affected                 | ID       |
+============================+===========+==========================+==========+
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40469    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40472    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40682    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40684    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40678    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40681    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40683    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40680    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40679    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40691    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40467    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40694    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40692    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40695    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40465    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40688    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40689    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40690    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40468    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40697    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40767    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40706    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40710    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40677    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40693    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40700    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40696    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40699    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40702    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40701    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40698    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40772    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40675    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40676    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40673    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40747    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40748    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40715    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40708    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40703    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40744    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40464    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40734    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40770    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40728    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40766    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40714    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40685    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40746    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40686    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40718    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40738    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40741    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40466    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40742    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40765    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40712    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40713    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40716    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40724    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40721    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40768    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40705    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40764    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40740    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40723    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40722    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40720    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40717    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40707    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40731    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40732    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40733    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40735    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40736    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40737    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40739    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40743    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40745    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40687    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40749    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40750    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40751    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40752    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40753    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40754    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40755    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40756    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40757    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40758    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40759    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40760    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40761    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40762    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40763    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40704    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40769    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40709    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40771    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40711    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40773    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40774    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40775    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40777    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40778    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40725    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40719    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40726    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40727    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40729    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40730    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40470    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40471    |
+==============================================================================+

If I export the API key (step 5.) and run the analysis again (step 6.) the result is the log included on the attached file:

safety-check-tensorflow-2.4.0-with-apikey.log

As you can see, there are more than 16k lines in there. Such a report is not useful at all and causes issues on CI/CD pipelines that impose limits on the size of logs. Using the --full-report option is even worse since the log turns out to have more than 160k lines (~14MB). The same thing happens with the JSON report.
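One way to keep a report like this from flooding a CI log while the duplication is being fixed upstream is to collapse repeated rows before they are logged. The script below is an added example for this thread, not code from pyupio/safety or from the reporter: it parses the plain-text table layout shown above (package | installed | affected | ID), drops exact repeats, groups the remaining findings per installed package, and exposes a line-budget check a pipeline can gate on. The regular expression is written against the table format visible in this issue (an assumption about the report layout, not a documented interface), and the sample report is constructed: a few rows from the table above with deliberate repeats.

```python
"""Collapse duplicated rows of a Safety short report before they reach CI logs.

Added example for this issue thread, not code from pyupio/safety. It works on
the plain-text table shown in the issue; the row layout it expects is an
assumption taken from that table, not a documented output format.
"""
import re
from collections import Counter, OrderedDict

# One table row: | package | installed | affected | ID |
# The header row has "ID" (not digits) in the last column, so it is skipped.
ROW_RE = re.compile(
    r"^\|\s*(?P<package>[A-Za-z0-9_.\-]+)\s*\|"
    r"\s*(?P<installed>\S+)\s*\|"
    r"\s*(?P<affected>\S+)\s*\|"
    r"\s*(?P<id>\d+)\s*\|$"
)


def parse_short_report(text):
    """Return the table rows as (package, installed, affected, id) tuples, in report order."""
    rows = []
    for line in text.splitlines():
        match = ROW_RE.match(line.rstrip())
        if match:
            rows.append((match["package"], match["installed"], match["affected"], match["id"]))
    return rows


def dedupe(rows):
    """Drop exact repeats (first occurrence wins) and report how often each row appeared."""
    counts = Counter(rows)
    unique = list(OrderedDict.fromkeys(rows))
    return unique, counts


def summarize(rows):
    """Group distinct findings by (package, installed): sorted IDs and the affected specs."""
    grouped = {}
    for package, installed, affected, vuln_id in rows:
        entry = grouped.setdefault((package, installed), {"ids": set(), "affected": set()})
        entry["ids"].add(vuln_id)
        entry["affected"].add(affected)
    return {
        key: {"ids": sorted(value["ids"], key=int), "affected": sorted(value["affected"])}
        for key, value in grouped.items()
    }


def within_budget(rows, max_lines):
    """True when the de-duplicated report fits the log budget a CI job allows."""
    unique, _ = dedupe(rows)
    return len(unique) <= max_lines


# Constructed sample: three rows from the issue's table, each repeated as the
# API-key run in the issue does, plus the surrounding header and footer lines.
SAMPLE_REPORT = """\
| REPORT                                                                       |
| checked 47 packages, using free DB (updated once a month)                    |
+============================+===========+==========================+==========+
| package                    | installed | affected                 | ID       |
+============================+===========+==========================+==========+
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40469    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40472    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40469    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40469    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40472    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40682    |
+==============================================================================+
"""


if __name__ == "__main__":
    rows = parse_short_report(SAMPLE_REPORT)
    unique, counts = dedupe(rows)
    print(f"{len(rows)} rows parsed, {len(unique)} distinct findings")
    for row in unique:
        package, installed, affected, vuln_id = row
        print(f"{package}=={installed} affected {affected} id {vuln_id} (seen {counts[row]}x)")
    for (package, installed), info in summarize(unique).items():
        print(f"{package} {installed}: {len(info['ids'])} IDs, specs {info['affected']}")
    print("log budget ok" if within_budget(rows, 100) else "log budget exceeded")
```

Run it on a captured report with `python collapse_report.py < report.txt` after replacing `SAMPLE_REPORT` with `sys.stdin.read()`; the de-duplicated list is what a pipeline should log, and `within_budget` gives a single boolean to fail the job on if the collapsed report is still larger than the log limit.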

yeisonvargasf commented 2 years ago

Hi @millenc, thanks for reporting this. It looks like a bug in the Safety report that only occurs with Tensorflow; we are going to verify and inspect the possible cause and we will apply a fix as soon as possible.

yeisonvargasf commented 2 years ago

@millenc I closed this issue because it was fixed on our backend side; no update is needed, so you should be able to see the fix with no action on your side. Let me know if it's ok for you, and don't hesitate to reach us if there is another issue.

millenc commented 2 years ago

@yeisonvargasf I can confirm that the issue appears to be fixed. I've tried using safety on a fresh project with tensorflow==2.5.0 (one of the affected versions) and the report looks good now.

Thank you very much for your support!