Closed dmitry-engineer closed 1 year ago
+==============================================================================+
-> Vulnerability found in sqlalchemy version 1.4.44
Vulnerability ID: 51668
Affected spec: <2.0.0b1
ADVISORY: Sqlalchemy 2.0.0b1 avoids leaking cleartext passwords to
the open for careless uses of str(engine.URL()) in logs and...
PVE-2022-51668
For more information, please visit https://pyup.io/v/51668/f17
Scan was completed. 1 vulnerability was found.
+==============================================================================+
Yes, it is an incorrect rule for detection. SQLAlchemy
2.0.* is currently in beta release.
@Jwomers, hi! Could you help us?
Hi @dmitry-engineer and @soltanoff, if you aren't affected by this vulnerability, you can exclude this vulnerability using a policy file: https://docs.pyup.io/docs/safety-20-policy-file.
Issues related to the vulnerability data should be created on the safety db repo: https://github.com/pyupio/safety-db/issues.
Let me know if that helps.
@yeisonvargasf, thank you for the recommendation.

```yaml
security:
  ignore-cvss-severity-below: 0
  ignore-cvss-unknown-severity: False
  ignore-vulnerabilities:
    51668:
      reason: we don't use SQLAlchemy 2.0.*
      expires: '2024-10-21'
  continue-on-vulnerability-error: False
```
It works well.
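As an added example (not code from Safety, pyup.io, SQLAlchemy or anyone in this thread), the following stdlib-only Python shows two things a practitioner would want to check here: why the affected spec `<2.0.0b1` from the scan output matches the installed 1.4.44 but not 2.0.0b1 (pre-release ordering under PEP 440), and whether the policy-file ignore above is still in force or has passed its `expires` date. The `Finding` records and the `POLICY` dict are constructed mirrors of the scan output and the policy file posted above; the PEP 440 subset handled is release segments plus `a`/`b`/`rc` pre-releases only, and the assumption that Safety reports a finding again once its ignore has expired is mine, not taken from the Safety documentation.

```python
"""Added example: version-spec matching and policy-ignore expiry checks.
Not code from Safety or SQLAlchemy; the data below is constructed."""
from dataclasses import dataclass
from datetime import date
import re

# Minimal PEP 440 subset: release segments plus an optional a/b/rc pre-release.
# Enough for "1.4.44", "2.0.0b1", "2.0.0"; anything else is rejected.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL_RANK = 3  # a final release sorts after every pre-release of that number


def parse_version(text: str) -> tuple:
    """Return a sort key ((release...), (pre_rank, pre_number)) for `text`."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    # PEP 440 treats trailing zeros as insignificant: 2.0.0 == 2.0 == 2
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    pre = (_PRE_RANK[m.group(2)], int(m.group(3))) if m.group(2) else (_FINAL_RANK, 0)
    return (tuple(parts), pre)


_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}
_CLAUSE_RE = re.compile(r"^(<=|>=|==|!=|<|>)\s*(.+)$")


def is_affected(installed: str, spec: str) -> bool:
    """True if `installed` satisfies every comma-separated clause of `spec`."""
    key = parse_version(installed)
    for clause in spec.split(","):
        m = _CLAUSE_RE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        if not _OPS[m.group(1)](key, parse_version(m.group(2))):
            return False
    return True


@dataclass
class Finding:
    package: str
    vuln_id: int
    spec: str


# Constructed from the scan output in the thread.
FINDINGS = [Finding("sqlalchemy", 51668, "<2.0.0b1")]

# Constructed mirror of the posted policy file (dict instead of YAML).
POLICY = {
    "security": {
        "ignore-vulnerabilities": {
            51668: {"reason": "we don't use SQLAlchemy 2.0.*", "expires": "2024-10-21"},
        },
    },
}


def active_ignores(policy: dict, today: date) -> set:
    """IDs whose ignore entry has not passed its expiry date (assumption: an
    expired ignore no longer suppresses the finding; no expiry means open-ended)."""
    entries = policy["security"].get("ignore-vulnerabilities", {})
    active = set()
    for vuln_id, entry in entries.items():
        expires = entry.get("expires")
        if expires is None or date.fromisoformat(str(expires)) >= today:
            active.add(int(vuln_id))
    return active


def lint_policy(policy: dict, today: date) -> list:
    """Entries a reviewer would reject: no reason, no expiry, or already expired.
    Stale, unbounded exceptions are how real findings get lost later."""
    problems = []
    for vuln_id, entry in policy["security"].get("ignore-vulnerabilities", {}).items():
        if not entry.get("reason"):
            problems.append(f"{vuln_id}: missing reason")
        expires = entry.get("expires")
        if expires is None:
            problems.append(f"{vuln_id}: missing expires")
        elif date.fromisoformat(str(expires)) < today:
            problems.append(f"{vuln_id}: ignore expired on {expires}")
    return problems


def unhandled_findings(findings: list, installed: dict, policy: dict, today: date) -> list:
    """Findings that match the installed version and are not actively ignored."""
    ignored = active_ignores(policy, today)
    return [f for f in findings
            if f.vuln_id not in ignored and is_affected(installed[f.package], f.spec)]


if __name__ == "__main__":
    installed = {"sqlalchemy": "1.4.44"}
    print("affected:", is_affected(installed["sqlalchemy"], FINDINGS[0].spec))
    print("lint:", lint_policy(POLICY, date.today()))
    print("unhandled:", unhandled_findings(FINDINGS, installed, POLICY, date.today()))
```

The point of `lint_policy` is to run in CI next to `safety check` so the `expires` date in the policy is a real deadline: once it passes, the build should fail again rather than keep suppressing the finding indefinitely.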
Description
Safety reports that SQLAlchemy <2.0.0b1 has a vulnerability. I don't want to migrate to SQLAlchemy 2. But I also cannot use 1.4.x.