pyupio / safety

Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected.
https://safetycli.com/product/safety-cli
MIT License

safety depends on vulnerable dparse version #400

Closed okuuva closed 1 year ago

okuuva commented 1 year ago

Description

Today our CI job running safety warned us about a new known vulnerability:

+==============================================================================+
|                                                                              |
|                               /$$$$$$            /$$                         |
|                              /$$__  $$          | $$                         |
|           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
|          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
|         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
|          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
|          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
|         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
|                                                          /$$  | $$           |
|                                                         |  $$$$$$/           |
|  by pyup.io                                              \______/            |
|                                                                              |
+==============================================================================+
| REPORT                                                                       |
| checked 184 packages, using free DB (updated once a month)                   |
+============================+===========+==========================+==========+
| package                    | installed | affected                 | ID       |
+============================+===========+==========================+==========+
| dparse                     | 0.5.1     | <0.5.2                   | 50571    |
+==============================================================================+
| Dparse 0.5.2 fixes a possible ReDoS vulnerability.                           |
| https://github.com/pyupio/dparse/commit/8c990170bbd6c0cf212f1151e90254865560 |
| 62d5                                                                         |
+==============================================================================+

Did some digging and it turns out it's safety that pins the version to >=0.5.1. With a quick search in this repo, it still seems to be affecting the develop branch. Didn't check if it's really relevant, but it's a bit awkward for sure.
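The pin problem described in the report above, written out as an added example (this is not code from the Safety project): a dependency specifier only protects against an advisory if no version it admits falls inside the affected range, and `>=0.5.1` admits the affected 0.5.1. Version and specifier parsing are hand-rolled to avoid a third-party dependency, and the dparse release list is constructed for illustration rather than fetched from an index.

```python
import re
from typing import Iterable

# Constructed release list for the example (not a live index lookup).
DPARSE_RELEASES = ["0.4.1", "0.5.0", "0.5.1", "0.5.2"]

_OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
}

def parse_version(v: str) -> tuple:
    """Turn '0.5.1' into (0, 5, 1) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.strip().split("."))

def _pad(a: tuple, b: tuple) -> tuple:
    """Zero-pad to equal length so 0.5 compares equal to 0.5.0, as PEP 440 requires."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))

def satisfies(version: str, spec: str) -> bool:
    """True if `version` meets every clause of a specifier like '>=0.5.1,<0.6'."""
    spec = spec.strip()
    if not spec:
        return True  # an unpinned requirement admits every release
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(==|!=|<=|>=|<|>)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](*_pad(parse_version(version), parse_version(bound))):
            return False
    return True

def admitted_affected(pin: str, affected: str, releases: Iterable[str]) -> list:
    """Releases the dependency pin allows that also fall inside the advisory's affected range."""
    return [r for r in releases if satisfies(r, pin) and satisfies(r, affected)]

def check_pin(package: str, pin: str, affected: str, releases: Iterable[str]) -> str:
    hits = admitted_affected(pin, affected, releases)
    if hits:
        return f"{package}{pin} admits affected release(s) {', '.join(hits)} (affected: {affected})"
    return f"{package}{pin} excludes every affected release (affected: {affected})"

if __name__ == "__main__":
    # Advisory 50571 from the report above: dparse <0.5.2 is affected.
    print(check_pin("dparse", ">=0.5.1", "<0.5.2", DPARSE_RELEASES))  # the pin safety shipped
    print(check_pin("dparse", ">=0.5.2", "<0.5.2", DPARSE_RELEASES))  # the pin after the bump
```

The same check works for any other `package>=x` pin in a requirements file against the "affected" column of a Safety report; the maintainer's point below about other dependencies is exactly this check run over every dependent, not just Safety.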

yeisonvargasf commented 1 year ago

Thanks for the report @okuuva! The new release of Safety updates that dependency. Also, note that the dparse vulnerability doesn't affect Safety because Safety doesn't use the affected function; however, another external dependency might be using the affected version of Dparse, so the recommendation is to update to the latest Safety version.