pyupio / safety

Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected.
https://safetycli.com/product/safety-cli
MIT License

CVE-2024-47874 not detected #623

Open drupol opened 3 weeks ago

drupol commented 3 weeks ago

Checklist

Safety version

3.2.8

Python version

3.12.5

Operating System

Linux

Describe the problem you'd like to have solved

In our Python project using Poetry, we are using Starlette (https://pypi.org/project/starlette/, https://github.com/encode/starlette).

To check for CVEs, we are using:

poetry export --without-hashes -f requirements.txt | safety check --full-report --stdin

The requirements.txt file contains the following line:

starlette==0.37.2 ; python_version >= "3.11" and python_version < "4.0"

Since the vulnerability affects all versions < 0.40.0, it should trigger CVE-2024-47874, but it does not.

Describe the ideal solution

The tool should report a security issue.

Alternatives and current workarounds

No response

Additional context

No response

What I Did

   poetry export --without-hashes -f requirements.txt | safety check --full-report --stdin

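The pin above carries a PEP 508 environment marker after the `;`, which is the kind of line a scanner has to strip before comparing the version against an advisory range. The following is an added example, not code from the safety project or from this issue: a minimal, stdlib-only check that parses `name==version ; marker` lines as `poetry export` emits them, evaluates the `python_version` marker, and reports pins that fall inside an affected range. The `<0.40.0` range for CVE-2024-47874 is the one stated in the issue; the advisory table, the `anyio` line and the function names are constructed for the example, and a real tool should use the `packaging` library for version and marker handling rather than the hand-rolled subset here.

```python
# Added example (not part of the safety project or this issue): a minimal,
# stdlib-only check that a pinned requirement line with an environment marker
# still gets compared against an advisory's affected range. Real tools should
# use the `packaging` library; the parsing here only handles plain dotted
# integer versions and 'python_version' marker clauses joined by 'and'.
import re
from dataclasses import dataclass
from typing import Optional

# Constructed advisory table. The "<0.40.0" range for CVE-2024-47874 is the
# one stated in the issue; the table shape itself is an assumption.
ADVISORIES = {
    "starlette": [("CVE-2024-47874", "<0.40.0")],
}

_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)\s*(?:;\s*(.*))?$"
)
_MARKER_RE = re.compile(r'python_version\s*(>=|<=|==|!=|<|>)\s*"([0-9.]+)"')
_SPEC_RE = re.compile(r"^(>=|<=|==|!=|<|>)\s*([0-9.]+)$")


@dataclass
class Requirement:
    name: str
    version: str
    marker: Optional[str]


def version_tuple(v: str) -> tuple:
    """Turn '0.37.2' into (0, 37, 2) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in v.strip().split("."))


def compare(left: str, op: str, right: str) -> bool:
    """Compare two dotted versions, padding so 3.11 and 3.11.0 are equal."""
    a, b = version_tuple(left), version_tuple(right)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return {">=": a >= b, "<=": a <= b, "==": a == b,
            "!=": a != b, "<": a < b, ">": a > b}[op]


def parse_requirement_line(line: str) -> Optional[Requirement]:
    """Parse 'name==version ; marker' (the form poetry export emits for pins)."""
    m = _REQ_RE.match(line)
    if not m:
        return None  # comments, hashes, URLs, unpinned specs: not handled here
    name, version, marker = m.groups()
    return Requirement(name.lower().replace("_", "-"), version, marker)


def marker_applies(marker: Optional[str], python_version: str) -> bool:
    """Evaluate 'python_version OP "X.Y"' clauses joined by 'and'.

    Markers this subset cannot evaluate are treated as applying: a scanner
    that silently drops a requirement it cannot evaluate hides real findings.
    """
    if not marker or " or " in marker:
        return True
    clauses = _MARKER_RE.findall(marker)
    if not clauses:
        return True
    return all(compare(python_version, op, bound) for op, bound in clauses)


def is_affected(version: str, spec: str) -> bool:
    """True if the pinned version satisfies every clause of the affected range."""
    for part in spec.split(","):
        m = _SPEC_RE.match(part.strip())
        if not m:
            raise ValueError(f"unsupported specifier: {part!r}")
        op, bound = m.groups()
        if not compare(version, op, bound):
            return False
    return True


def find_affected(lines, python_version: str, advisories=ADVISORIES):
    """Return (name, version, cve) for each applicable pin inside an affected range."""
    findings = []
    for line in lines:
        req = parse_requirement_line(line)
        if req is None or not marker_applies(req.marker, python_version):
            continue
        for cve, spec in advisories.get(req.name, []):
            if is_affected(req.version, spec):
                findings.append((req.name, req.version, cve))
    return findings


# Constructed requirements.txt content; the starlette line is the one from the issue.
SAMPLE_REQUIREMENTS = [
    "# generated by poetry export",
    'starlette==0.37.2 ; python_version >= "3.11" and python_version < "4.0"',
    'anyio==4.4.0 ; python_version >= "3.11" and python_version < "4.0"',
]

if __name__ == "__main__":
    for name, version, cve in find_affected(SAMPLE_REQUIREMENTS, "3.12"):
        print(f"{name}=={version} is affected by {cve}")
```

Run against the constructed lines with Python 3.12 as the target interpreter, `find_affected` returns the single starlette finding; with 3.10 the marker excludes the pin and nothing is reported. The conservative choice in `marker_applies` (unknown markers count as applying) is deliberate: for a vulnerability scanner, a false positive on an irrelevant pin is cheaper than a silently skipped affected one.
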
github-actions[bot] commented 3 weeks ago

Hi @drupol, thank you for opening this issue!

We appreciate your effort in reporting this. Our team will review it and get back to you soon. If you have any additional details or updates, feel free to add them to this issue.

Note: If this is a serious security issue that could impact the security of Safety CLI users, please email security@safetycli.com immediately.

Thank you for contributing to Safety CLI!

dylanpulver commented 2 weeks ago

Hi @drupol thank you for bringing this to our attention! The safety check command is now deprecated and we have the safety scan command available now. More details on this are available in our docs here: https://docs.safetycli.com/safety-docs/safety-cli-3/scanning-for-vulnerable-and-malicious-packages

drupol commented 2 weeks ago

Hello,

Thanks for your reply. I just used safety scan, but the error is now:

❯ poetry check --lock
All set!
❯ safety scan
Safety 3.2.9 scanning /home/pol/Code/<redacted>
2024-10-29 14:31:08 UTC

Account: Pol Dellaiera, <redacted>
 Git branch: 
 Environment: Stage.development
 Scan policy: None, using Safety CLI default policies

Python detected. Found 1 Python poetry lock file and 1 Python environment
Unhandled exception happened: 'Malformed poetry lock file'

dylanpulver commented 2 weeks ago

Thank you @drupol! Are you able to share the contents of the poetry files you are using? With these we can make sure to replicate the error you are facing to get it resolved!

drupol commented 2 weeks ago

Argh... sadly, I'm not allowed to share them. I would jeopardize my job position if I did so. I'm totally aware that sharing those files is not a big deal, but you know... sadly, I am not the one deciding...