🐛 [BUG] - safety check reports 4 vulnerabilities #352

Closed
1 task done
lvaylet opened this issue Oct 6, 2023 · 1 comment · Fixed by #353
Labels
bug Something isn't working

Comments


lvaylet commented Oct 6, 2023

SLO Generator Version

v2.4.0

Python Version

3.9

What happened?

safety check reports 4 vulnerabilities at the last stage of make lint.

-> Vulnerability found in gitpython version 3.1.31
   Vulnerability ID: 60841
   Affected spec: <=3.1.34
   ADVISORY: Gitpython 3.1.35 includes a fix for CVE-2023-41040: Blind local file inclusion vulnerability.https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-cwvm-v4w8-q58c
   CVE-2023-41040
   For more information, please visit https://pyup.io/v/60841/f17


-> Vulnerability found in gitpython version 3.1.31
   Vulnerability ID: 60350
   Affected spec: <3.1.32
   ADVISORY: GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.
   CVE-2023-40267
   For more information, please visit https://pyup.io/v/60350/f17


-> Vulnerability found in gitpython version 3.1.31
   Vulnerability ID: 60789
   Affected spec: <=3.1.32
   ADVISORY: Gitpython 3.1.33 includes a fix for CVE-2023-40590: Untrusted search path on Windows systems leading to arbitrary code execution.https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-wfm5-v35h-vwf4
   CVE-2023-40590
   For more information, please visit https://pyup.io/v/60789/f17


-> Vulnerability found in certifi version 2023.5.7
   Vulnerability ID: 59956
   Affected spec: >=2015.04.28,<2023.07.22
   ADVISORY: Certifi 2023.07.22 includes a fix for CVE-2023-37920: Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root
   certificates from "e-Tugra" from the root store.https://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7
   CVE-2023-37920
   For more information, please visit https://pyup.io/v/59956/f17

What did you expect?

No vulnerabilities found.


Relevant log output

$ safety check
+===================================================================================================================================================================================================================================================================================================================+

                               /$$$$$$            /$$
                              /$$__  $$          | $$
           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$
          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$
         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$
          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$
          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$
         |_______/  \_______/|__/     \_______/   \___/   \____  $$
                                                          /$$  | $$
                                                         |  $$$$$$/
  by pyup.io                                              \______/

+===================================================================================================================================================================================================================================================================================================================+

 REPORT 

  Safety is using PyUp's free open-source vulnerability database. This data is 30 days old and limited. 
  For real-time enhanced vulnerability data, fix recommendations, severity reporting, cybersecurity support, team and project policy management and more sign up at https://pyup.io or email sales@pyup.io

  Safety v2.3.5 is scanning for Vulnerabilities...
  Scanning dependencies in your environment:

  -> /home/user/workspace/github/google/slo-generator/venv3.9/lib/python3.9/site-packages

  Using non-commercial database
  Found and scanned 124 packages
  Timestamp 2023-10-06 11:56:44
  4 vulnerabilities found
  0 vulnerabilities ignored

+===================================================================================================================================================================================================================================================================================================================+
 VULNERABILITIES FOUND 
+===================================================================================================================================================================================================================================================================================================================+

-> Vulnerability found in gitpython version 3.1.31
   Vulnerability ID: 60841
   Affected spec: <=3.1.34
   ADVISORY: Gitpython 3.1.35 includes a fix for CVE-2023-41040: Blind local file inclusion vulnerability.https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-cwvm-v4w8-q58c
   CVE-2023-41040
   For more information, please visit https://pyup.io/v/60841/f17


-> Vulnerability found in gitpython version 3.1.31
   Vulnerability ID: 60350
   Affected spec: <3.1.32
   ADVISORY: GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.
   CVE-2023-40267
   For more information, please visit https://pyup.io/v/60350/f17


-> Vulnerability found in gitpython version 3.1.31
   Vulnerability ID: 60789
   Affected spec: <=3.1.32
   ADVISORY: Gitpython 3.1.33 includes a fix for CVE-2023-40590: Untrusted search path on Windows systems leading to arbitrary code execution.https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-wfm5-v35h-vwf4
   CVE-2023-40590
   For more information, please visit https://pyup.io/v/60789/f17


-> Vulnerability found in certifi version 2023.5.7
   Vulnerability ID: 59956
   Affected spec: >=2015.04.28,<2023.07.22
   ADVISORY: Certifi 2023.07.22 includes a fix for CVE-2023-37920: Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root
   certificates from "e-Tugra" from the root store.https://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7
   CVE-2023-37920
   For more information, please visit https://pyup.io/v/59956/f17

 Scan was completed. 4 vulnerabilities were found. 

+===================================================================================================================================================================================================================================================================================================================+
   REMEDIATIONS

  4 vulnerabilities were found in 2 packages. For detailed remediation & fix recommendations, upgrade to a commercial license. 

+===================================================================================================================================================================================================================================================================================================================+

  Safety is using PyUp's free open-source vulnerability database. This data is 30 days old and limited. 
  For real-time enhanced vulnerability data, fix recommendations, severity reporting, cybersecurity support, team and project policy management and more sign up at https://pyup.io or email sales@pyup.io

+===================================================================================================================================================================================================================================================================================================================+

@lvaylet lvaylet added bug Something isn't working triage labels Oct 6, 2023
@lvaylet lvaylet self-assigned this Oct 6, 2023
@lvaylet lvaylet removed the triage label Oct 6, 2023

lvaylet commented Oct 6, 2023

pipdeptree can help identify the packages that rely on gitpython and certifi:

$ pip install pipdeptree
$ pipdeptree | grep -i gitpython -B 3
bandit==1.7.5
├── GitPython [required: >=1.0.1, installed: 3.1.31]

So GitPython is only used by bandit.

certifi is used by a lot more packages:

└── typing-extensions [required: >=3.10.0.0, installed: 4.6.3]
datadog==0.45.0
└── requests [required: >=2.6.0, installed: 2.31.0]
    ├── certifi [required: >=2017.4.17, installed: 2023.5.7]
--
    └── urllib3 [required: >=1.21.1,<3, installed: 1.26.16]
elasticsearch==8.8.0
└── elastic-transport [required: >=8,<9, installed: 8.4.0]
    ├── certifi [required: Any, installed: 2023.5.7]
--
│   │   └── protobuf [required: >=3.19.5,<5.0.0dev,!=4.21.5,!=4.21.4,!=4.21.3,!=4.21.2,!=4.21.1,!=3.20.1,!=3.20.0, installed: 3.20.3]
│   ├── protobuf [required: >=3.19.5,<5.0.0dev,!=4.21.5,!=4.21.4,!=4.21.3,!=4.21.2,!=4.21.1,!=4.21.0,!=3.20.1,!=3.20.0, installed: 3.20.3]
│   └── requests [required: >=2.18.0,<3.0.0dev, installed: 2.31.0]
│       ├── certifi [required: >=2017.4.17, installed: 2023.5.7]
--
│   │   └── protobuf [required: >=3.19.5,<5.0.0dev,!=4.21.5,!=4.21.4,!=4.21.3,!=4.21.2,!=4.21.1,!=3.20.1,!=3.20.0, installed: 3.20.3]
│   ├── protobuf [required: >=3.19.5,<5.0.0dev,!=4.21.5,!=4.21.4,!=4.21.3,!=4.21.2,!=4.21.1,!=4.21.0,!=3.20.1,!=3.20.0, installed: 3.20.3]
│   └── requests [required: >=2.18.0,<3.0.0dev, installed: 2.31.0]
│       ├── certifi [required: >=2017.4.17, installed: 2023.5.7]
--
│   │   │   └── protobuf [required: >=3.19.5,<5.0.0dev,!=4.21.5,!=4.21.4,!=4.21.3,!=4.21.2,!=4.21.1,!=3.20.1,!=3.20.0, installed: 3.20.3]
│   │   ├── protobuf [required: >=3.19.5,<5.0.0dev,!=4.21.5,!=4.21.4,!=4.21.3,!=4.21.2,!=4.21.1,!=4.21.0,!=3.20.1,!=3.20.0, installed: 3.20.3]
│   │   └── requests [required: >=2.18.0,<3.0.0dev, installed: 2.31.0]
│   │       ├── certifi [required: >=2017.4.17, installed: 2023.5.7]
--
├── python-dateutil [required: >=2.7.2,<3.0dev, installed: 2.8.2]
│   └── six [required: >=1.5, installed: 1.16.0]
└── requests [required: >=2.18.0,<3.0.0dev, installed: 2.31.0]
    ├── certifi [required: >=2017.4.17, installed: 2023.5.7]
--
│   │   └── protobuf [required: >=3.19.5,<5.0.0dev,!=4.21.5,!=4.21.4,!=4.21.3,!=4.21.2,!=4.21.1,!=3.20.1,!=3.20.0, installed: 3.20.3]
│   ├── protobuf [required: >=3.19.5,<5.0.0dev,!=4.21.5,!=4.21.4,!=4.21.3,!=4.21.2,!=4.21.1,!=4.21.0,!=3.20.1,!=3.20.0, installed: 3.20.3]
│   └── requests [required: >=2.18.0,<3.0.0dev, installed: 2.31.0]
│       ├── certifi [required: >=2017.4.17, installed: 2023.5.7]
--
│   │   └── protobuf [required: >=3.19.5,<5.0.0dev,!=4.21.5,!=4.21.4,!=4.21.3,!=4.21.2,!=4.21.1,!=3.20.1,!=3.20.0, installed: 3.20.3]
│   ├── protobuf [required: >=3.19.5,<5.0.0dev,!=4.21.5,!=4.21.4,!=4.21.3,!=4.21.2,!=4.21.1,!=4.21.0,!=3.20.1,!=3.20.0, installed: 3.20.3]
│   └── requests [required: >=2.18.0,<3.0.0dev, installed: 2.31.0]
│       ├── certifi [required: >=2017.4.17, installed: 2023.5.7]
--
├── tomli [required: >=1.1.0, installed: 2.0.1]
└── typing-extensions [required: >=3.10, installed: 4.6.3]
opensearch-py==2.3.1
├── certifi [required: >=2022.12.07, installed: 2023.5.7]
├── python-dateutil [required: Any, installed: 2.8.2]
│   └── six [required: >=1.5, installed: 1.16.0]
├── requests [required: >=2.4.0,<3.0.0, installed: 2.31.0]
│   ├── certifi [required: >=2017.4.17, installed: 2023.5.7]
--
prometheus-client==0.17.0
prometheus-http-client==1.0.0
└── requests [required: Any, installed: 2.31.0]
    ├── certifi [required: >=2017.4.17, installed: 2023.5.7]
--
├── packaging [required: >=21.0,<22.0, installed: 21.3]
│   └── pyparsing [required: >=2.0.2,!=3.0.5, installed: 3.0.9]
├── requests [required: Any, installed: 2.31.0]
│   ├── certifi [required: >=2017.4.17, installed: 2023.5.7]

Mostly by backends like Cloud Monitoring, Datadog, ElasticSearch, and also by bandit again. Almost always as a dependency of requests.

bandit 1.7.5 is already the latest version at the time of writing, according to https://pypi.org/project/bandit/. So let's specify a minimum version to install for gitpython in setup.cfg instead, and 3.1.35 fixes all three CVEs:

dev =
[...]
    bandit
    GitPython >=3.1.35

Run make install again and confirm safety check no longer returns any violation for GitPython:

$ make install
[...]
Downloading GitPython-3.1.37-py3-none-any.whl (190 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 190.0/190.0 kB 9.8 MB/s eta 0:00:00
Building wheels for collected packages: slo-generator
  Building editable for slo-generator (pyproject.toml) ... done
  Created wheel for slo-generator: filename=slo_generator-2.4.0-0.editable-py2.py3-none-any.whl size=11498 sha256=71a4d4b61fe4fcfde73123f988aea7bf1776a89456781ce7489436e1556985f0
  Stored in directory: /tmp/pip-ephem-wheel-cache-ublt7juf/wheels/cb/fa/70/8459fdf9ec77e5fc583a34349d29f2124c29ebe1389648c385
Successfully built slo-generator
Installing collected packages: slo-generator, GitPython
  Attempting uninstall: slo-generator
    Found existing installation: slo-generator 2.4.0
    Uninstalling slo-generator-2.4.0:
      Successfully uninstalled slo-generator-2.4.0
  Attempting uninstall: GitPython
    Found existing installation: GitPython 3.1.31
    Uninstalling GitPython-3.1.31:
      Successfully uninstalled GitPython-3.1.31
Successfully installed GitPython-3.1.37 slo-generator-2.4.0
$ safety check
+====================================================================================================================================+

                               /$$$$$$            /$$
                              /$$__  $$          | $$
           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$
          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$
         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$
          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$
          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$
         |_______/  \_______/|__/     \_______/   \___/   \____  $$
                                                          /$$  | $$
                                                         |  $$$$$$/
  by pyup.io                                              \______/

+====================================================================================================================================+

 REPORT 

  Safety is using PyUp's free open-source vulnerability database. This data is 30 days old and limited. 
  For real-time enhanced vulnerability data, fix recommendations, severity reporting, cybersecurity support, team and project
policy management and more sign up at https://pyup.io or email sales@pyup.io

  Safety v2.3.5 is scanning for Vulnerabilities...
  Scanning dependencies in your environment:

  -> /home/user/workspace/github/google/slo-generator/venv3.9/lib/python3.9/site-packages

  Using non-commercial database
  Found and scanned 125 packages
  Timestamp 2023-10-06 12:20:01
  1 vulnerability found
  0 vulnerabilities ignored

+====================================================================================================================================+
 VULNERABILITIES FOUND 
+====================================================================================================================================+

-> Vulnerability found in certifi version 2023.5.7
   Vulnerability ID: 59956
   Affected spec: >=2015.04.28,<2023.07.22
   ADVISORY: Certifi 2023.07.22 includes a fix for CVE-2023-37920: Certifi prior to version 2023.07.22 recognizes "e-Tugra"
   root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in...
   CVE-2023-37920
   For more information, please visit https://pyup.io/v/59956/f17

 Scan was completed. 1 vulnerability was found. 

+====================================================================================================================================+
   REMEDIATIONS

  1 vulnerability was found in 1 package. For detailed remediation & fix recommendations, upgrade to a commercial license. 

+====================================================================================================================================+

  Safety is using PyUp's free open-source vulnerability database. This data is 30 days old and limited. 
  For real-time enhanced vulnerability data, fix recommendations, severity reporting, cybersecurity support, team and project
policy management and more sign up at https://pyup.io or email sales@pyup.io

+====================================================================================================================================+

Let's fix certifi the same way:

[options]
[...]
install_requires =
[...]
    setuptools >=65.5.1   # https://pyup.io/v/52495/f17 (reported by `safety check`)
    certifi >=2023.07.22  # avoid CVE-2023-37920 (reported by `safety check`)

Then make install and safety check confirm there are no CVEs left:

$ make install
Downloading certifi-2023.7.22-py3-none-any.whl (158 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 158.3/158.3 kB 9.1 MB/s eta 0:00:00
Building wheels for collected packages: slo-generator
  Building editable for slo-generator (pyproject.toml) ... done
  Created wheel for slo-generator: filename=slo_generator-2.4.0-0.editable-py2.py3-none-any.whl size=11513 sha256=b8248333e3597e7ef6faf74b4d0b79b354db724135ae8072077d69e0aa4b3381
  Stored in directory: /tmp/pip-ephem-wheel-cache-16wvmu18/wheels/cb/fa/70/8459fdf9ec77e5fc583a34349d29f2124c29ebe1389648c385
Successfully built slo-generator
Installing collected packages: certifi, slo-generator
  Attempting uninstall: certifi
    Found existing installation: certifi 2023.5.7
    Uninstalling certifi-2023.5.7:
      Successfully uninstalled certifi-2023.5.7
  Attempting uninstall: slo-generator
    Found existing installation: slo-generator 2.4.0
    Uninstalling slo-generator-2.4.0:
      Successfully uninstalled slo-generator-2.4.0
Successfully installed certifi-2023.7.22 slo-generator-2.4.0
$ safety check
+====================================================================================================================================+

                               /$$$$$$            /$$
                              /$$__  $$          | $$
           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$
          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$
         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$
          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$
          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$
         |_______/  \_______/|__/     \_______/   \___/   \____  $$
                                                          /$$  | $$
                                                         |  $$$$$$/
  by pyup.io                                              \______/

+====================================================================================================================================+

 REPORT 

  Safety is using PyUp's free open-source vulnerability database. This data is 30 days old and limited. 
  For real-time enhanced vulnerability data, fix recommendations, severity reporting, cybersecurity support, team and project
policy management and more sign up at https://pyup.io or email sales@pyup.io

  Safety v2.3.5 is scanning for Vulnerabilities...
  Scanning dependencies in your environment:

  -> /home/user/workspace/github/google/slo-generator/venv3.9/lib/python3.9/site-packages

  Using non-commercial database
  Found and scanned 125 packages
  Timestamp 2023-10-06 12:30:04
  0 vulnerabilities found
  0 vulnerabilities ignored
+====================================================================================================================================+

 No known security vulnerabilities found. 

+====================================================================================================================================+

  Safety is using PyUp's free open-source vulnerability database. This data is 30 days old and limited. 
  For real-time enhanced vulnerability data, fix recommendations, severity reporting, cybersecurity support, team and project
policy management and more sign up at https://pyup.io or email sales@pyup.io

+====================================================================================================================================+

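The comment above pins lower bounds in setup.cfg and re-runs `safety check` to confirm the findings disappear. As an added example (not code from the slo-generator project or from safety), the script below parses the `safety check` text format quoted in this issue and tests whether a proposed lower-bound pin falls outside each advisory's "Affected spec", so the pin can be checked before reinstalling; the embedded findings are copied from the output above, and the version comparison is a stdlib-only stand-in for `packaging.specifiers`.

```python
"""Check safety-style findings against proposed lower-bound pins.
Added example (stdlib only), not code from slo-generator or safety;
SAFETY_OUTPUT is constructed from the findings quoted in this issue."""
import re

SAFETY_OUTPUT = """\
-> Vulnerability found in gitpython version 3.1.31
   Vulnerability ID: 60841
   Affected spec: <=3.1.34
   CVE-2023-41040
-> Vulnerability found in gitpython version 3.1.31
   Vulnerability ID: 60350
   Affected spec: <3.1.32
   CVE-2023-40267
-> Vulnerability found in gitpython version 3.1.31
   Vulnerability ID: 60789
   Affected spec: <=3.1.32
   CVE-2023-40590
-> Vulnerability found in certifi version 2023.5.7
   Vulnerability ID: 59956
   Affected spec: >=2015.04.28,<2023.07.22
   CVE-2023-37920
"""

FINDING_RE = re.compile(r"-> Vulnerability found in (\S+) version (\S+)")
SPEC_RE = re.compile(r"Affected spec: (\S+)")
CVE_LINE_RE = re.compile(r"^\s*(CVE-\d{4}-\d+)\s*$")  # bare CVE line only
CLAUSE_RE = re.compile(r"(<=|>=|!=|==|<|>)\s*([\d.]+)$")

def parse_version(v):
    """'2023.07.22' -> (2023, 7, 22): leading zeros compare numerically."""
    return tuple(int(p) for p in v.split("."))

def matches_spec(version, spec):
    """True if version satisfies every comma-separated clause of the spec."""
    ver = parse_version(version)
    for clause in spec.split(","):
        m = CLAUSE_RE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        ok = {"<": ver < bound, "<=": ver <= bound, ">": ver > bound,
              ">=": ver >= bound, "==": ver == bound, "!=": ver != bound}[op]
        if not ok:
            return False
    return True

def parse_findings(text):
    """Parse safety's text report into dicts: package, installed, spec, cve."""
    findings, current = [], None
    for line in text.splitlines():
        if m := FINDING_RE.match(line):
            current = {"package": m.group(1).lower(), "installed": m.group(2)}
            findings.append(current)
        elif current and (m := SPEC_RE.search(line)):
            current["spec"] = m.group(1)
        elif current and (m := CVE_LINE_RE.match(line)):
            current["cve"] = m.group(1)
    return findings

def pin_clears(findings, pins):
    """CVE -> True if the pinned minimum (default: installed version) lies
    outside the affected spec; sufficient when the spec is bounded above."""
    return {f["cve"]: not matches_spec(pins.get(f["package"], f["installed"]),
                                       f["spec"]) for f in findings}
```

Running `pin_clears(parse_findings(SAFETY_OUTPUT), {"gitpython": "3.1.35", "certifi": "2023.07.22"})` reports every CVE as cleared, matching the final `safety check` run in the comment; a pin of `3.1.33` would still leave CVE-2023-41040 open.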
@lvaylet lvaylet linked a pull request Oct 6, 2023 that will close this issue