search

pyupio / safety

Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected.
https://safetycli.com/product/safety-cli
MIT License
1.66k stars 141 forks source link

CVE's #513

Open mcandre opened 2 months ago

mcandre commented 2 months ago

The Snyk CLI reports vulnerabilities on the PyPI safety package.

https://snyk.io/

$ cat requirements.txt
safety

$ snyk test

Testing /Users/andrew...

Tested 13 dependencies for known issues, found 1 issue, 1 vulnerable path.

Issues to fix by upgrading dependencies:

  Pin idna@3.6 to idna@3.7 to fix
  ✗ Resource Exhaustion (new) [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-IDNA-6597975] in idna@3.6
    introduced by safety@2.3.5 > requests@2.31.0 > idna@3.6

Organization:      mcandre
Package manager:   pip
Target file:       requirements.txt
Project name:      andrew
Open source:       no
Project path:      /Users/andrew
Licenses:          enabled

Tip: Try `snyk fix` to address these issues.`snyk fix` is a new CLI command in that aims to automatically apply the recommended updates for supported ecosystems.
See documentation on how to enable this beta feature: https://docs.snyk.io/snyk-cli/fix-vulnerabilities-from-the-cli/automatic-remediation-with-snyk-fix#enabling-snyk-fix

By the way, the requests library may be overkill. It's just a wrapper. One way to resolve the vulnerability is to drop that dependency and use the standard library directly.

yeisonvargasf commented 2 months ago

Thanks, @mcandre, for this report.

As a solution, you can pin idna, and yes, we will drop requests in a future minor release.

Safety makes the best effort to avoid pinning dependencies and prevent compatibility issues. Nevertheless, we will look to integrate suggested minimum constraints for dependencies or document them for users who want to enforce them.

mcandre commented 1 month ago

Hi, it's been a month.

When can we expect this security enhancement to be released?