Description

This PR changes update_cpes.py so that it uses yaml.safe_load() instead of yaml.load(). This should reduce the risk when loading YAML. I've also run it against our fingerprint databases using the latest data from NIST.

I've also added a .snyk file in order to suppress the Snyk warning on PyYAML. We don't currently use a vulnerable code path, Snyk doesn't check to see if you are using the vulnerable code path, and there is no full library level fix for this other than to use safe_load() (which this PR does) or the SafeLoader loader.

https://app.snyk.io/vuln/SNYK-PYTHON-PYYAML-590151
Motivation and Context
Risk reduction
How Has This Been Tested?
rspec, GitHub PR hooks
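A small check a reviewer might want alongside this change, to confirm that no other `yaml.load()` call without a safe loader remains and to keep the change from regressing later. This is an added example, not code from this PR or from the project: it uses only the standard-library `ast` module (so it does not need PyYAML installed), flags calls to `yaml.load`/`yaml.load_all` that either pass no `Loader` or pass one other than `SafeLoader`/`BaseLoader` (and their C variants), and accepts `yaml.safe_load()`. The sample source strings are constructed here to show the "before" and "after" shape of the PR's change; the file paths passed on the command line are whatever the caller supplies.

```python
"""Static check for unsafe PyYAML loader usage (added example, not project code).

Walks Python source with the standard-library ``ast`` module and reports calls to
``yaml.load`` / ``yaml.load_all`` that do not pass a loader known to construct only
plain YAML data. Intended as a CI guard after switching to ``yaml.safe_load()``.
"""
import ast
import sys
from pathlib import Path
from typing import List, Optional, Tuple

# Loader classes that build only plain data (mappings, sequences, scalars) and
# never construct arbitrary Python objects from YAML tags.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}

# The yaml entry points whose behaviour depends on the Loader argument.
LOADER_SENSITIVE = {"load", "load_all"}


def _loader_name(node: ast.AST) -> Optional[str]:
    """Return the bare class name from a Loader expression such as yaml.SafeLoader."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None  # something dynamic we cannot vouch for


def unsafe_yaml_loads(source: str, filename: str = "<string>") -> List[Tuple[int, str]]:
    """Return (line, reason) for each yaml.load/load_all call that is not demonstrably safe.

    Flagged:  yaml.load(x)                          (no Loader given)
              yaml.load(x, Loader=yaml.FullLoader)  (FullLoader/UnsafeLoader/Loader build objects)
              yaml.load(x, yaml.Loader)             (positional loader, same rule)
    Accepted: yaml.safe_load(x), yaml.load(x, Loader=yaml.SafeLoader)
    """
    findings: List[Tuple[int, str]] = []
    tree = ast.parse(source, filename=filename)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Only match the ``yaml.<name>(...)`` attribute form used in the PR.
        if not (isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name)
                and func.value.id == "yaml"
                and func.attr in LOADER_SENSITIVE):
            continue
        # Loader may be the second positional argument or the Loader= keyword.
        loader = node.args[1] if len(node.args) >= 2 else None
        for kw in node.keywords:
            if kw.arg == "Loader":
                loader = kw.value
        if loader is None:
            findings.append((node.lineno, f"yaml.{func.attr} without Loader"))
            continue
        name = _loader_name(loader)
        if name not in SAFE_LOADERS:
            findings.append((node.lineno, f"yaml.{func.attr} with Loader={name or '<expr>'}"))
    return findings


# Constructed samples mirroring the shape of the change in this PR.
SAMPLE_BEFORE = """\
import yaml
with open(path) as f:
    data = yaml.load(f)
"""

SAMPLE_AFTER = """\
import yaml
with open(path) as f:
    data = yaml.safe_load(f)
"""


def main(argv: List[str]) -> int:
    """Scan the given files; exit non-zero if any unsafe call is found."""
    bad = 0
    for path in argv:
        for lineno, reason in unsafe_yaml_loads(Path(path).read_text(), path):
            print(f"{path}:{lineno}: {reason}")
            bad += 1
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python check_yaml_load.py update_cpes.py` (file name assumed); a non-zero exit status makes it usable as a pre-commit or CI step. Note that the check is deliberately conservative: a loader it cannot resolve to a known safe class is reported rather than silently accepted.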