snorkel-team / snorkel

A system for quickly generating training data with weak supervision
https://snorkel.org
Apache License 2.0

networkx 2.5 has a high priority Snyk vulnerability - upgrade to networkx 2.6 #1673

Closed rjurney closed 3 years ago

rjurney commented 3 years ago

Issue description

We can't have Snorkel as part of our build with a Snyk high priority vulnerability, something that is going to affect many users.

The versions affected are described here: https://snyk.io/vuln/pip:networkx

The vulnerability enables arbitrary code execution when saving unknown data - such as in a real application that accepts user input - to YAML: https://snyk.io/vuln/SNYK-PYTHON-NETWORKX-1062709

For SOC2 compliance, having this hanging around is a problem for an audit. Those companies requiring ISO27001, HIPAA (snorkel is big in a medical context) and PCI are likely to have similar issues.

Expected behavior

Snorkel should upgrade its libraries at least annually to remain runnable by a broad base of users. Networkx 2.5 was released in August 2020.

Additional Information

@bhancock8 if you can outline what is required to upgrade to networkx 2.6 I can have my team make a swing at it.

rsmith49 commented 3 years ago

Hi @rjurney, thanks for flagging this and we’d be happy to work with your team on updating the networkx requirement. To maintain compatibility with Python 3.6, we’ll need to make sure that networkx 2.5 can still be installed if the user so chooses. If your team wants to get started on a PR, we recommend starting by loosening the version in requirements.txt and seeing if unit tests reveal any major incompatibilities.

Edit: Clarified suggested approach
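A dependency-audit check in the spirit of the approach above, added here as an example (not snorkel's code and not part of this thread). It takes a requirements file, a release list and the advisory's fix boundary (all constructed; networkx 2.6 as the first fixed release follows the Snyk report linked above) and reports which still-installable releases fall inside the advisory range, together with any environment marker, so a Python-3.6-only fallback to 2.5 can be told apart from an unconditional pin.

```python
"""Added example (not snorkel code): flag requirement pins that still admit
a release covered by an advisory. Release list, fix boundary and sample
requirement files are constructed for illustration."""
import re
from typing import List, Tuple

# Constructed: abbreviated release list and the first release without the
# advisory discussed in the thread (networkx >= 2.6).
RELEASES = {"networkx": ["2.4", "2.5", "2.5.1", "2.6", "2.6.3"]}
FIRST_FIXED = {"networkx": "2.6"}

# Constructed sample files: the original pin, and a loosened form that keeps
# 2.5 installable only on Python 3.6 (where 2.6 is unavailable) via a marker.
PINNED = "numpy>=1.16.5\nnetworkx==2.5\nscipy>=1.2.0\n"
LOOSENED = ('networkx>=2.6; python_version >= "3.7"\n'
            'networkx>=2.5,<2.6; python_version < "3.7"\n')

LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*([^;#]*?)\s*(?:;\s*([^#]*))?\s*(?:#.*)?$")
CLAUSE_RE = re.compile(r"(==|!=|<=|>=|<|>)\s*([0-9.]+)")

def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in text.split("."))

def cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Three-way compare with zero-padding, so 2.5 == 2.5.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def spec_allows(spec: str, version: str) -> bool:
    """Every clause of a PEP 440-style specifier must admit `version`."""
    v = parse_version(version)
    for op, bound in CLAUSE_RE.findall(spec):
        c = cmp(v, parse_version(bound))
        if not {"==": c == 0, "!=": c != 0, "<": c < 0,
                "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op]:
            return False
    return True

def audit(requirements: str) -> List[Tuple[str, str, str]]:
    """(package, vulnerable_release, marker) for each vulnerable release a
    line still admits; marker is '' when the line applies unconditionally."""
    findings = []
    for line in requirements.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1).lower() not in FIRST_FIXED:
            continue
        pkg, spec, marker = m.group(1).lower(), m.group(2), (m.group(3) or "").strip()
        fixed = parse_version(FIRST_FIXED[pkg])
        for rel in RELEASES[pkg]:
            if cmp(parse_version(rel), fixed) < 0 and spec_allows(spec, rel):
                findings.append((pkg, rel, marker))
    return findings
```

Running `audit(PINNED)` flags the unconditional `networkx==2.5` pin, while `audit(LOOSENED)` shows the remaining exposure confined to the `python_version < "3.7"` line, which is the trade-off the comment above describes.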

rjurney commented 3 years ago

@marekmodry can you check out this project, update requirements.txt and see if any unit tests fail?

rjurney commented 3 years ago

@rsmith49 note that the PR at https://github.com/snorkel-team/snorkel/pull/1675 actually passes all tests locally. Is the CI broken?

rsmith49 commented 3 years ago

@rjurney sorry for the trouble - something is going on with CI and we are currently investigating - if you have any ideas as to what is causing the build errors we would be happy for extra input!

rjurney commented 3 years ago

@bhancock8 thanks!