pyupio / safety

Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected.
https://safetycli.com/product/safety-cli
MIT License

False positive for numpy #364

Closed nbhargava closed 2 years ago

nbhargava commented 2 years ago

Description

Ran safety against the latest update and got a report of a failure on numpy, despite being on 1.22.1.

In the free safety DB, the values for numpy are expressed as:

"numpy": [
    "<1.13.2",
    "<1.16.3",
    "<1.21.0",
    "<1.22.0",
    "<1.8.1",
    ">0"
],

I'm not sure why >0 was added in the February release, but it seems to be causing this problem.

What I Did

2022-02-01T15:10:46.7671452Z +==============================================================================+
2022-02-01T15:10:46.7677519Z |                                                                              |
2022-02-01T15:10:46.7726508Z |                               /$$$$$$            /$$                         |
2022-02-01T15:10:46.7726760Z |                              /$$__  $$          | $$                         |
2022-02-01T15:10:46.7727062Z |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
2022-02-01T15:10:46.7727279Z |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
2022-02-01T15:10:46.7727504Z |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
2022-02-01T15:10:46.7727745Z |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
2022-02-01T15:10:46.7727979Z |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
2022-02-01T15:10:46.7728200Z |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
2022-02-01T15:10:46.7728430Z |                                                          /$$  | $$           |
2022-02-01T15:10:46.7728651Z |                                                         |  $$$$$$/           |
2022-02-01T15:10:46.7728876Z |  by pyup.io                                              \______/            |
2022-02-01T15:10:46.7729111Z |                                                                              |
2022-02-01T15:10:46.7729338Z +==============================================================================+
2022-02-01T15:10:46.7729569Z | REPORT                                                                       |
2022-02-01T15:10:46.7729828Z | checked 147 packages, using free DB (updated once a month)                   |
2022-02-01T15:10:46.7730086Z +============================+===========+==========================+==========+
2022-02-01T15:10:46.7730332Z | package                    | installed | affected                 | ID       |
2022-02-01T15:10:46.7730578Z +============================+===========+==========================+==========+
2022-02-01T15:10:46.7730786Z | numpy                      | 1.22.1    | >0                       | 44715    |
2022-02-01T15:10:46.7731010Z +==============================================================================+

vinayvaddiparthi commented 2 years ago

Thanks for reporting this. Ran into the same issue this morning.

SCH227 commented 2 years ago

Good day! CVE-2021-41495 for NumPy hasn't been fixed yet in any release. See here: https://github.com/numpy/numpy/issues/19038 Note that in the same thread, NumPy devs argue about the validity and correct severity of this issue. To be on the secure side, we chose to report this as a possible vulnerability so users of NumPy can make the best informed decision considering their use-cases.

pcoccoli commented 2 years ago

@SCH227 Unfortunately, the only thing users of Numpy can really do here is ignore safety.

Am I missing something here? numpy is a python package; if the attacker can run arbitrary python code, then they have much better attacks available than causing a null pointer dereference inside numpy.

chakpak commented 2 years ago

Why do you think it is a false positive and how do you plan to proceed? Ignore this safety warning?

emartynov commented 2 years ago

Hi people, I was looking for the same issue. I'm coming from the java/android world where we use OWASP checks also. There is a mechanism to check all project dependencies and instruct it to ignore or lower the severity of the issue for a specific dependency with a specific version. Would it be a good feature request for safety?

shotarok commented 2 years ago

@emartynov safety has the option -i --ignore: https://github.com/pyupio/safety/#--ignore--i. So I decided to use --ignore 44715 to acknowledge the issue until a fixed numpy version is released in my case.

Jwomers commented 2 years ago

We are also working on some bigger updates to Safety, including an optional local policy file where one can set thresholds for severity that get surfaced, as well as ignore certain vulnerabilities or even allow-list a package version.

fredrikaverpil commented 2 years ago

@emartynov came to me with a nice suggestion (outside of this conversation). What if safety could have the ignores specified in a separate file? @Jwomers you mentioned a policy file too.

That way you wouldn't have to put the --ignore in your GitHub workflows (which in my opinion should be agnostic to this, if possible). So a suggestion from me would be to support specifying the ignores in pyproject.toml and/or a safety.yml file?

fredrikaverpil commented 2 years ago

So, numpy 1.22.2 is out and mentions "Deal with https://github.com/advisories/GHSA-5545-2q6w-2gh6 complaint.". However, I still get a problem reported by safety. Is this expected?

The >0 comparison looks weird.

$ poetry run safety check --full-report

+==============================================================================+
|                                                                              |
|                               /$$$$$$            /$$                         |
|                              /$$__  $$          | $$                         |
|           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
|          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
|         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
|          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
|          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
|         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
|                                                          /$$  | $$           |
|                                                         |  $$$$$$/           |
|  by pyup.io                                              \______/            |
|                                                                              |
+==============================================================================+
| REPORT                                                                       |
| checked 95 packages, using free DB (updated once a month)                    |
+============================+===========+==========================+==========+
| package                    | installed | affected                 | ID       |
+============================+===========+==========================+==========+
| numpy                      | 1.22.2    | >0                       | 44715    |
+==============================================================================+
| All versions of Numpy are affected by CVE-2021-41495: A null Pointer         |
| Dereference vulnerability exists in numpy.sort, in the PyArray_DescrNew      |
| function due to missing return-value validation, which allows attackers to   |
| conduct DoS attacks by repetitively creating sort arrays.                    |
| https://github.com/numpy/numpy/issues/19038                                  |
+==============================================================================+

vinayvaddiparthi commented 2 years ago

@fredrikaverpil Yes, that is expected. The error in safety check will not go away until the safety-db is updated to remove the >0 version from the list of vulnerable versions

SCH227 commented 2 years ago

@fredrikaverpil @vinayvaddiparthi our db has already been updated and now the specs for CVE-2021-41495 are <1.22.2. You will see this immediately in the safety db paid version, and in the next monthly update of the free db (in March).
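
The thread turns on how a safety-db entry is matched against an installed version: each entry is a list of version specifiers, and a package is reported if any specifier matches, so the ">0" entry quoted in the opening post matches every release, while the corrected "<1.22.2" the maintainer describes stops matching at 1.22.2. The following is an added example, not safety's own code; safety relies on a full PEP 440 specifier implementation, whereas this stand-in handles only the plain numeric release strings and comparison operators seen in this issue (plus comma-separated clauses, which the real DB also uses), so it runs with the standard library alone. The two spec lists are constructed from the February entry quoted above and from the maintainer's description of the fix.

```python
import re
from typing import List, Tuple

# Constructed from the issue: the February free-DB entry for numpy,
# and the same entry with ">0" replaced by the "<1.22.2" the maintainer describes.
NUMPY_SPECS_FEB = ["<1.13.2", "<1.16.3", "<1.21.0", "<1.22.0", "<1.8.1", ">0"]
NUMPY_SPECS_FIXED = ["<1.13.2", "<1.16.3", "<1.21.0", "<1.22.0", "<1.8.1", "<1.22.2"]

# One clause: an operator followed by a dotted numeric version.
_CLAUSE_RE = re.compile(r"^\s*(<=|>=|==|!=|<|>)\s*([0-9]+(?:\.[0-9]+)*)\s*$")
_RELEASE_RE = re.compile(r"^[0-9]+(?:\.[0-9]+)*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn "1.22.1" into (1, 22, 1).

    Simplification (assumption of this example): pre-, post- and local
    versions such as "1.22.0rc1" are rejected rather than ordered.
    """
    text = text.strip()
    if not _RELEASE_RE.match(text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _padded(a: Tuple[int, ...], b: Tuple[int, ...]):
    # "1.22" and "1.22.0" compare equal once padded with zeros.
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def clause_matches(version: str, clause: str) -> bool:
    """True if the installed version satisfies a single clause such as "<1.22.2"."""
    m = _CLAUSE_RE.match(clause)
    if not m:
        raise ValueError(f"unsupported specifier clause: {clause!r}")
    op, bound = m.groups()
    v, b = _padded(parse_version(version), parse_version(bound))
    return {
        "<": v < b, "<=": v <= b, ">": v > b,
        ">=": v >= b, "==": v == b, "!=": v != b,
    }[op]


def spec_matches(version: str, spec: str) -> bool:
    """A spec is one or more comma-separated clauses that must ALL hold,
    e.g. ">=1.21.0,<1.22.0"; a lone clause like ">0" is the common case."""
    return all(clause_matches(version, clause) for clause in spec.split(","))


def affected_specs(version: str, specs: List[str]) -> List[str]:
    """Return every spec in a DB entry that the installed version falls into.
    A non-empty result is what makes safety report the package."""
    return [spec for spec in specs if spec_matches(version, spec)]


if __name__ == "__main__":
    for installed in ("1.22.1", "1.22.2"):
        print(installed,
              "February DB:", affected_specs(installed, NUMPY_SPECS_FEB),
              "fixed DB:", affected_specs(installed, NUMPY_SPECS_FIXED))
```

Running it shows why upgrading to 1.22.2 did not clear the finding while the free DB still carried ">0": that clause is satisfied by every released version, so only the DB change (or a local --ignore of the advisory ID) removes the report. The same matcher also shows that a bounded clause like "<1.22.2" correctly excludes 1.22.2 and flags 1.22.1.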