pyupio / safety

Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected.
https://safetycli.com/product/safety-cli
MIT License

safety-2.3.5 fails because of the code that safety installs when using docker/compose:1.29.2 runner in pipeline #449

Closed sunlao closed 1 year ago

sunlao commented 1 year ago

Description

Latest Safety fails because of the code that safety installs when using latest docker/compose runner

When the following runs in CICD:

pip3 uninstall -y urllib3 safety
pip3 install urllib3==1.26.14
pip3 install safety==2.3.5

The output:

Successfully installed Click-8.1.3 dparse-0.6.2 packaging-21.3 ruamel.yaml-0.17.21 ruamel.yaml.clib-0.2.7 safety-2.3.5 urllib3-1.25.11

Then CICD command

safety check

with output:

Vulnerability found in urllib3 version 1.25.11
Vulnerability ID: 43975
Affected spec: <1.26.5
ADVISORY: Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue was discovered in urllib3 before 1.26.5. When provided with a URL...
CVE-2021-33503
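The install sequence reported above ends with urllib3 1.25.11 even though 1.26.14 was installed one command earlier, and nothing in the job stops before `safety check` runs. The following is an added editorial example, not code from the issue participants or from the Safety project: a guard a pipeline can run over pip's own "Successfully installed" output and fail on before trusting the scan. The package names and versions are taken from the issue; the function names and the minimum version argument are the example's own choices.

```sh
#!/bin/sh
# Added example: post-install guard for the CI sequence in the issue.
# Sample input constructed from the "Successfully installed" line reported above.
INSTALL_OUTPUT='Successfully installed Click-8.1.3 dparse-0.6.2 packaging-21.3 ruamel.yaml-0.17.21 ruamel.yaml.clib-0.2.7 safety-2.3.5 urllib3-1.25.11'

# Print the version pip reported for package $1 in pip output $2 (empty if absent).
installed_version() {
  printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1-\([0-9][0-9.]*\)\$/\1/p" | head -n 1
}

# Succeed (exit 0) when dotted version $1 is strictly lower than $2.
# Numeric comparison per component; sufficient for plain X.Y.Z release numbers.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# Succeed when package $1 appears in pip output $3 at version >= $2.
# Fails both when pip resolved a lower version and when the package is missing.
check_min_version() {
  pkg=$1; min=$2; out=$3
  ver=$(installed_version "$pkg" "$out")
  [ -n "$ver" ] || { echo "$pkg: not found in pip output" >&2; return 1; }
  if version_lt "$ver" "$min"; then
    echo "$pkg: installed $ver, need >= $min (pip resolved a lower version)" >&2
    return 1
  fi
  echo "$pkg: installed $ver (>= $min)"
}

# Demonstration on the issue's own output: 1.25.11 is below the 1.26.5 fix version.
# In a real job, capture pip's output with "$(pip3 install ... 2>&1)" and exit non-zero on failure.
if check_min_version urllib3 1.26.5 "$INSTALL_OUTPUT"; then
  echo "install OK, safe to run 'safety check'"
else
  echo "refusing to trust this environment's 'safety check' result"
fi
```

The same situation can also be turned into a hard install error instead of a silent downgrade by passing a constraints file (`pip3 install -c constraints.txt safety==2.3.5` with `urllib3==1.26.14` in `constraints.txt`); pip then refuses to resolve any dependency set that needs an older urllib3, which is usually the preferable failure in CI.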

yeisonvargasf commented 1 year ago

Hi @sunlao, Safety 2.3.5 doesn't pin requests, so this should be related to the dependency tree resolved by pip.

There isn't something to do from the Safety side, as I don't think it is okay to force >=1.26.5.

I will close this issue but feel free to re-open it or comment if you have more detail that suggests this is a Safety issue.

sunlao commented 1 year ago

It looks to me that safety is saying it is "unsafe" to use an unpinned requests because 1.25.11 is vulnerable. So safety can't run safely with its own unpinned requirements.