twisted / incremental

A library for versioning your Python projects.

Fix CVE-2023-5752: Update setuptools >= 70.0.0 #121

Closed bjsmiley closed 2 months ago

bjsmiley commented 2 months ago

Hello, I've scanned my python application for vulnerabilities and am seeing a HIGH vuln coming from setuptools as a transitive package.

Severity VulnerabilityID PkgName    Status InstalledVersion FixedVersion PrimaryURL
-------- --------------- -------    ------ ---------------- ------------ ----------
HIGH     CVE-2024-6345   setuptools fixed  65.5.1           70.0.0       https://avd.aquasec.com/nvd/cve-2024-6345

If I am reading my application's dependency tree correctly, the vulnerable setuptools comes from the incremental package.

➜ poetry show --tree | grep setuptools -B 1
│       └── pyasn1 >=0.4.6,<0.7.0 (circular dependency aborted here)
├── setuptools *
--
│   ├── incremental >=24.7.0
│   │   ├── setuptools >=61.0
--
│   └── zope-interface >=5
│       └── setuptools * (circular dependency aborted here)
--
└── zope-interface >=5.1.0
    └── setuptools *
--
    │       └── pyasn1 >=0.4.6,<0.7.0 (circular dependency aborted here)
    ├── setuptools *
--
    │   ├── incremental >=24.7.0
    │   │   ├── setuptools >=61.0 (circular dependency aborted here)
--
    │   └── zope-interface >=5
    │       └── setuptools * (circular dependency aborted here)
--
    └── zope-interface >=5.1.0 (circular dependency aborted here)
setuptools 74.1.2 Easily download, build, install, upgrade, and uninstall Python packages

I see that in the last build of incremental, setuptools>=61.0 is used (to be fair, I am not sure what an isolated environment refers to in this context).

* Installing packages in isolated environment:
  - setuptools >= 61.0
  ...

I am not primarily a python developer so I apologize if I am on the wrong track, but if incremental is referencing a vulnerable version of setuptools, would it be possible to release a new version of incremental with setuptools upgraded to >= 70.0.0 to resolve the vuln? I appreciate any help you can offer.

cjwatson commented 2 months ago

incremental's pyproject.toml just specifies the minimum version of setuptools that it will work with, in API terms. It's not necessary to bump it in order for you to have a newer setuptools in your environment. You should just tell poetry to upgrade it.

bjsmiley commented 2 months ago

Thank you for the quick reply and suggestion. Closing this issue as it does not appear to be an issue with incremental per your answer.

I've attempted to update any packages relying on setuptools but with no luck. It also appears poetry does not allow for overriding transitive packages https://github.com/python-poetry/poetry/issues/697.

output

```
➜ poetry update
Updating dependencies
Resolving dependencies... (2.9s)

No dependencies to install or update
➜ poetry update scrapy
Updating dependencies
Resolving dependencies... (0.2s)

No dependencies to install or update
➜ poetry update twisted
Updating dependencies
Resolving dependencies... (0.3s)

No dependencies to install or update
➜ poetry update incremental
Updating dependencies
Resolving dependencies... (0.2s)

No dependencies to install or update
➜ poetry update setuptools
Updating dependencies
Resolving dependencies... (0.3s)

No dependencies to install or update
➜ poetry update setuptools=74.1.2
Updating dependencies
Resolving dependencies... (0.2s)

No dependencies to install or update
```

cjwatson commented 2 months ago

As far as I can see, that issue is more about ignoring conflicts, and I don't see any obvious conflicts in your poetry show --tree output. Can you not do poetry add 'setuptools>=70.0.0' to declare that your application specifically wants at least that version, which should then cause Poetry to update it (or tell you why it can't)?

bjsmiley commented 2 months ago

Ok, something fishy is definitely going on on my side. I ran your suggested command and then shared a bunch of other commands and sanity checks I ran afterwards. The TL;DR is: the Python tool safety tells me the setuptools vuln is gone. Our Docker image scanner, Trivy, tells me the vuln is still there. BUT, Azure image scans and Vanta image scans tell me the vuln is gone. So I am going to consider this a false positive by Trivy and the vuln resolved. Thank you for the assistance with this; it was a big Python TIL for me.

running the command:

➜ poetry add 'setuptools>=70.0.0'

Updating dependencies
Resolving dependencies... (0.3s)

No dependencies to install or update

Writing lock file

confirming everything is up to date:

➜ poetry update
Updating dependencies
Resolving dependencies... (2.8s)

No dependencies to install or update

checking what changes were made:

➜ git diff
diff --git a/tools/webscraper/poetry.lock b/tools/webscraper/poetry.lock
index b7e6e53..9c8869f 100644
--- a/tools/webscraper/poetry.lock
+++ b/tools/webscraper/poetry.lock
@@ -1536,4 +1536,4 @@ testing = ["coverage (>=5.0.3)", "zope.event", "zope.testing"]
 [metadata]
 lock-version = "2.0"
 python-versions = ">=3.10, <3.12"
-content-hash = "e00844026257747e25e415808edb4114601511526697b67b97f35481337b059c"
+content-hash = "518935d68ca857ba9c581254332fd863089c13f81a16c870ebc0b4c765b0fd2f"
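Review bot: within this hunk only `content-hash` changes, which matches the "No dependencies to install or update" output above: the set of resolved versions in poetry.lock is unchanged, so this edit records the new constraint but does not alter which setuptools Poetry installs. If the scanner result is meant to change, the evidence has to come from the image contents rather than from this lock update.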
diff --git a/tools/webscraper/pyproject.toml b/tools/webscraper/pyproject.toml
index 4fa38d8..addae1c 100644
--- a/tools/webscraper/pyproject.toml
+++ b/tools/webscraper/pyproject.toml
@@ -12,6 +12,7 @@ uvicorn = "^0.27.0.post1"
 python-magic = "^0.4.27"
 scrapy = "^2.11.2"
 scrapy-playwright = "^0.0.41"
+setuptools = ">=70.0.0"

 [tool.poetry.group.dev.dependencies]
 black = "^24.3.0"
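Review bot: the added `setuptools = ">=70.0.0"` is a bare lower bound while the neighbouring entries (`scrapy = "^2.11.2"`, `scrapy-playwright = "^0.0.41"`) use caret ranges; a floor is reasonable for a constraint added to satisfy a scanner, but consider a TOML comment naming the CVE next to it so the line is not removed as an unused direct dependency later, since the resolved version (74.1.2 in the `poetry show --tree` output) already satisfied it.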
sanity check: poetry show --tree

sanity check: poetry export --without-hashes -f requirements.txt

sanity check: poetry export --without-hashes -f requirements.txt | safety check --full-report --stdin

```
➜ poetry export --without-hashes -f requirements.txt | safety check --full-report --stdin
...
+==============================================================================+
                                    REPORT

  Safety v3.2.7 is scanning for Vulnerabilities...
  Scanning dependencies in your stdin:

  annotated-types, anyio, attrs, automat, certifi, cffi, charset-normalizer,
  click, colorama, constantly, cryptography, cssselect, defusedxml,
  exceptiongroup, fastapi, filelock, greenlet, h11, hyperlink, idna,
  incremental, itemadapter, itemloaders, jmespath, lxml, packaging, parsel,
  playwright, protego, pyasn1-modules, pyasn1, pycparser, pydantic-core,
  pydantic, pydispatcher, pyee, pyopenssl, pypydispatcher, python-magic,
  queuelib, requests-file, requests, scrapy-playwright, scrapy,
  service-identity, setuptools, sniffio, starlette, tldextract, tomli,
  twisted, typing-extensions, urllib3, uvicorn, w3lib, zope-interface

  Using open-source vulnerability database
  Found and scanned 56 packages
  Timestamp 2024-09-13 10:25:18
  1 vulnerability reported
  0 vulnerabilities ignored
+==============================================================================+
                            VULNERABILITIES REPORTED
+==============================================================================+

-> Vulnerability found in pyopenssl version 24.2.1
   Vulnerability ID: 65213
   Affected spec: >=22.0.0
   ADVISORY: CVE-2023-6129 affects PyOpenSSL versions starting from 22.0.0
   due to a vulnerability in the POLY1305 MAC algorithm on PowerPC CPUs. This
   issue could lead to state corruption in applications, causing inaccurate
   outcomes or service disruptions. Attackers need specific conditions to
   exploit this flaw, including the ability to manipulate the algorithm's use
   and reliance on certain system registers by the application.
   CVE-2023-6129
   For more information about this vulnerability, visit
   https://data.safetycli.com/v/65213/97c
   To ignore this vulnerability, use PyUp vulnerability id 65213 in safety's
   ignore command-line argument or add the ignore to your safety policy file.

+==============================================================================+
                                 REMEDIATIONS

  1 vulnerability was reported in 1 package.
  For detailed remediation & fix recommendations, upgrade to a commercial license.

+==============================================================================+
  Scan was completed. 1 vulnerability was reported.
+==============================================================================+
```

running the vuln scan:

```
➜ docker run --rm -v /tmp/scan:/tmp aquasec/trivy image webscraper:1 -f json -o /tmp/output.json -q --scanners vuln --ignore-unfixed
➜ /* some pwsh stuff to display output.json neatly... */
Severity VulnerabilityID PkgName    Status InstalledVersion FixedVersion PrimaryURL
-------- --------------- -------    ------ ---------------- ------------ ----------
HIGH     CVE-2024-6345   setuptools fixed  65.5.1           70.0.0       https://avd.aquasec.com/nvd/cve-2024-6345
```
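The thread closes with Trivy still reporting setuptools 65.5.1 while the Poetry export pins 74.1.2. As an added example (not code from the issue, the incremental project or Trivy), the script below reconciles a scanner finding with a `poetry export` requirements file so two different outcomes are told apart: the lock itself pins a version below the fix, or the lock is fine and the scanner is reporting a copy of the package other than the one Poetry installed, which is what a mismatched InstalledVersion and locked version suggest. The export lines and the finding are constructed samples shaped like the thread's output; version comparison covers plain release numbers only.

```python
"""Reconcile a container-scanner finding with what Poetry actually locked."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the format `poetry export -f requirements.txt` prints.
REQUIREMENTS_EXPORT = """\
incremental==24.7.2 ; python_version >= "3.10" and python_version < "3.12"
setuptools==74.1.2 ; python_version >= "3.10" and python_version < "3.12"
"""

# Constructed finding modelled on the Trivy table columns in the thread.
SCANNER_FINDINGS: List[Dict[str, str]] = [
    {"PkgName": "setuptools", "InstalledVersion": "65.5.1", "FixedVersion": "70.0.0"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Release segment only ('74.1.2' -> (74, 1, 2)); sufficient for plain pins."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def parse_export(text: str) -> Dict[str, str]:
    """Map normalised package name -> pinned version from an export file."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.\-]+)==([^\s;]+)", line)
        if m:
            pins[m.group(1).lower().replace("_", "-")] = m.group(2)
    return pins


def reconcile(finding: Dict[str, str], pins: Dict[str, str]) -> str:
    """Classify one finding against the lockfile pins.

    'vulnerable'       the lock pins below FixedVersion: fix belongs in pyproject
    'version-mismatch' lock is fine, but the scanner saw a different copy (e.g.
                       a base-image setuptools outside the project's venv)
    'fixed'            scanned copy equals the locked one and is at/after the fix
    """
    locked = pins.get(finding["PkgName"].lower().replace("_", "-"))
    if locked is None:
        return "not-in-lockfile"
    if parse_version(locked) < parse_version(finding["FixedVersion"]):
        return "vulnerable"
    if parse_version(finding["InstalledVersion"]) != parse_version(locked):
        return "version-mismatch"
    return "fixed"


def triage(findings: List[Dict[str, str]], export_text: str) -> Dict[str, str]:
    """Verdict per scanner finding, keyed by package name."""
    pins = parse_export(export_text)
    return {f["PkgName"]: reconcile(f, pins) for f in findings}


if __name__ == "__main__":
    for pkg, verdict in triage(SCANNER_FINDINGS, REQUIREMENTS_EXPORT).items():
        print(f"{pkg}: {verdict}")  # setuptools: version-mismatch
```

A "version-mismatch" verdict says to inspect the image for a second installation of the package rather than to keep bumping constraints in pyproject.toml.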