[BUG] Regression on exit code since v1.2.0

romainrbr commented 2 years ago

Describe the bug Since v1.2.0, jake always exit with exit code 0, even when vulnerabilities are found

To Reproduce Steps to reproduce the behavior:

pip install pyjwt==1.3.0 jake==1.2.2
jake ddt
echo $?

Output:

❯ jake ddt
                   ___           ___           ___     
       ___        /  /\         /  /\         /  /\    
      /__/\      /  /::\       /  /:/        /  /::\   
      \__\:\    /  /:/\:\     /  /:/        /  /:/\:\  
  ___ /  /::\  /  /::\ \:\   /  /::\____   /  /::\ \:\ 
 /__/\  /:/\/ /__/:/\:\_\:\ /__/:/\:::::\ /__/:/\:\ \:\
 \  \:\/:/~~  \__\/  \:\/:/ \__\/~|:|~~~~ \  \:\ \:\_\/
  \  \::/          \__\::/     |  |:|      \  \:\ \:\  
   \__\/           /  /:/      |  |:|       \  \:\_\/  
                  /__/:/       |__|:|        \  \:\    
                  \__\/         \__\|         \__\/    

            /)                     /)             
        _/_(/    _     _  __   _  (/_   _         
 o   o  (__/ )__(/_   /_)_/ (_(_(_/(___(/_ o   o  

Jake Version: 1.2.2
Put your Python dependencies in a chokehold

🐍 Collected 29 packages from your environment                       ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% -:--:--
🐍 Successfully queried OSS Index for package and vulnerability info ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% -:--:--
🐍 Sane number of results from OSS Index                             ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% -:--:--

[15/29] - pkg:pypi/pyjwt@1.3.0 [VULNERABLE]
Vulnerability Details for pkg:pypi/pyjwt@1.3.0                                                                                                                                                                                                                                              
└── ⚠  ID: 4dc8bf86-e2ee-45b0-881f-bb4f03748b5b                                                                                                                                                                                                                                             
    └── ╭─ CVE-2017-11424 ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
        │                                                                                                                                                                                                                                                                                  │
        │ In PyJWT 1.5.0 and below the `invalid_strings` check in `HMACAlgorithm.prepare_key` does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string `-----BEGIN RSA PUBLIC KEY-----` which  │
        │ is not accounted for. This enables symmetric/asymmetric key confusion attacks against users using the PKCS1 PEM encoded public keys, which would allow an attacker to craft JWTs from scratch.                                                                                   │
        │                                                                                                                                                                                                                                                                                  │
        │ Details:                                                                                                                                                                                                                                                                         │
        │   - CVSS Score: 7.5 - High                                                                                                                                                                                                                                                       │
        │   - CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N                                                                                                                                                                                                                    │
        │   - CWE: Unknown                                                                                                                                                                                                                                                                 │
        │                                                                                                                                                                                                                                                                                  │
        │ References:                                                                                                                                                                                                                                                                      │
        │   - https://ossindex.sonatype.org/vulnerability/4dc8bf86-e2ee-45b0-881f-bb4f03748b5b?component-type=pypi&component-name=pyjwt&utm_source=python-oss-index-lib%400.2.1&utm_medium=integration                                                                                     │
        │   - https://github.com/jpadilla/pyjwt/pull/277                                                                                                                                                                                                                                   │
        │   - https://nvd.nist.gov/vuln/detail/CVE-2017-11424                                                                                                                                                                                                                              │
        │                                                                                                                                                                                                                                                                                  │
        ╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯

                    Summary                     
┏━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Audited Dependencies ┃ Vulnerabilities Found ┃
┡━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━┩
│ 29                   │ 1                     │
└──────────────────────┴───────────────────────┘
(test-jake) 
/tmp via 🐍 v3.8.11 (test-jake) on ☁️  (eu-central-1) 
❯ echo $?
0

Expected behavior Jake should exit with a code 1. This works when using jake==1.1.5

Desktop (please complete the following information):

OS: MacOS 12.1 / Debian11
Python Version: 3.8.11 / 3.9.9
Version 1.2+

madpah commented 2 years ago

Thanks for the report @romainrbr - will take a look.

madpah commented 2 years ago

I have reproduced this - confirmed as a BUG.

madpah commented 2 years ago

@romainrbr - jake 1.2.3 has been released which resolves this.

Thanks for the report.

madpah commented 2 years ago

Released 1.2.0 through 1.2.2 have been yanked from PyPi.

sonatype-nexus-community / jake

[BUG] Regression on exit code since v1.2.0 #83