pyupio / safety

Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected.
https://safetycli.com/product/safety-cli
MIT License

SQLAlchemy 1.4.xx can not be used #445

Closed dmitry-engineer closed 1 year ago

dmitry-engineer commented 1 year ago

Description

Safety reports that SQLAlchemy <2.0.0b1 has a vulnerability. I don't want to migrate to SQLAlchemy 2, but I also cannot use 1.4.x.

soltanoff commented 1 year ago
+==============================================================================+
-> Vulnerability found in sqlalchemy version 1.4.44
   Vulnerability ID: 51668
   Affected spec: <2.0.0b1
   ADVISORY: Sqlalchemy 2.0.0b1 avoids leaking cleartext passwords to
   the open for careless uses of str(engine.URL()) in logs and...
   PVE-2022-51668
   For more information, please visit https://pyup.io/v/51668/f17
 Scan was completed. 1 vulnerability was found. 
+==============================================================================+

Yes, it is an incorrect rule for detection. SQLAlchemy 2.0.* is currently in beta release.

soltanoff commented 1 year ago

@Jwomers, hi! Could you help us?

yeisonvargasf commented 1 year ago

Hi @dmitry-engineer and @soltanoff, if you aren't affected by this vulnerability, you can exclude this vulnerability using a policy file: https://docs.pyup.io/docs/safety-20-policy-file.

Issues related to the vulnerability data should be created on the safety db repo: https://github.com/pyupio/safety-db/issues.

Let me know if that helps.

soltanoff commented 1 year ago

@yeisonvargasf, thank you for the recommendation.

security:
    ignore-cvss-severity-below: 0
    ignore-cvss-unknown-severity: False
    ignore-vulnerabilities:
        51668:
            reason: we don't use SQLAlchemy 2.0.*
            expires: '2024-10-21'
    continue-on-vulnerability-error: False

It works well.
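A policy-file ignore like the one above is only safe while its `reason` and `expires` fields are maintained; once the date passes, or an entry is added without a justification, the suppression silently outlives its rationale. The following script is an added example, not part of this thread or of Safety's own code: it parses the nested-mapping subset of YAML that a Safety policy file uses (a hypothetical minimal parser, not Safety's loader, and deliberately without a PyYAML dependency), then flags ignore entries that lack a reason, lack an expiry, or have already expired. The sample policy is constructed from the one posted above with two extra hypothetical entries (`12345`, `67890`) to exercise the checks.

```python
"""Audit the ignore-vulnerabilities section of a Safety policy file.

Added example: checks that every suppressed vulnerability ID carries a
justification and a future expiry date, so that ignores do not become
permanent by accident.
"""
import re
from datetime import date

# Constructed sample: the policy from the thread plus two hypothetical
# entries. 12345 has an empty reason and no expiry; 67890 is well formed.
SAMPLE_POLICY = """\
security:
    ignore-cvss-severity-below: 0
    ignore-cvss-unknown-severity: False
    ignore-vulnerabilities:
        51668:
            reason: we don't use SQLAlchemy 2.0.*
            expires: '2024-10-21'
        12345:
            reason: ''
        67890:
            reason: false positive in a test-only dependency
            expires: '2099-01-01'
    continue-on-vulnerability-error: False
"""


def _scalar(value):
    """Convert a YAML scalar token: quoted string, boolean, integer, or raw text."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    if re.fullmatch(r"-?\d+", value):
        return int(value)
    return value


def parse_simple_yaml(text):
    """Parse the nested-mapping YAML subset used by Safety policy files.

    Hypothetical helper (not Safety's own loader): supports only
    `key: value` lines and indentation-based nesting. Lists, anchors and
    multi-line scalars are not handled. Mapping keys are kept as strings,
    so the vulnerability ID 51668 is the key '51668'.
    """
    root = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        # Close any mappings that are indented at least as deep as this line.
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = _scalar(value)
    return root


def audit_ignores(policy, today=None):
    """Return (vuln_id, problem) pairs for ignore entries that need attention.

    `today` is an ISO date string; it defaults to the current date.
    """
    ref = date.fromisoformat(today) if today else date.today()
    findings = []
    ignores = policy.get("security", {}).get("ignore-vulnerabilities") or {}
    for vuln_id, entry in ignores.items():
        entry = entry or {}
        reason = str(entry.get("reason") or "").strip()
        if not reason:
            findings.append((vuln_id, "missing reason"))
        expires = entry.get("expires")
        if expires is None:
            findings.append((vuln_id, "no expiry date (ignore would be permanent)"))
            continue
        try:
            exp = date.fromisoformat(str(expires))
        except ValueError:
            findings.append((vuln_id, f"unparseable expiry {expires!r}"))
            continue
        if exp < ref:
            findings.append((vuln_id, f"expired on {exp.isoformat()}"))
    return findings


if __name__ == "__main__":
    for vuln_id, problem in audit_ignores(parse_simple_yaml(SAMPLE_POLICY)):
        print(f"ignore {vuln_id}: {problem}")
```

Run against a real `.safety-policy.yml`, a non-empty result is a reasonable reason to fail a CI job, since it means a suppression has outlived the justification recorded for it.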