Resolve SQLAlchemy dependency vulnerabilities #553
Comments
If upgrading SQLAlchemy is not an option, we'll have to identify an alternative https://github.com/GSA/datagov-deploy/wiki/Dependency-scanning#triage-walkthrough
I've lumped two SQLAlchemy issues in here together, but we should split them out if the work is different.
@FuhuXia @jbrown-xentity did you have to make changes for this vulnerability in catalog classic?
@avdata99 is going to reach out to the CKAN community to see if anyone has taken steps to tackle this in older versions of CKAN.
Following here and internally with my team.
FYI, any exceptions/resolutions we make are documented in the Oddly, SNYK-PYTHON-SQLALCHEMY-590109 lists a similar exception, but that doesn't make sense regarding the vulnerability description. @pjsharpe07 are you sure that one is correct?
One option we discussed was to fork SQLAlchemy and apply this patch sqlalchemy/sqlalchemy@d3ba45c for https://snyk.io/vuln/SNYK-PYTHON-SQLALCHEMY-590109
Moving to TODO since we postponed this.
Please keep any sensitive details in Google Drive.
Date of report: 9/10/2020
Severity: high
Due date: 10/10/2020
Due date is based on severity and described in RA-5: 15 days for Critical, 30 days for High, and 90 days for Moderate and lower.
* When a finding is identified, we create two issues. One to address the specific instance identified in the report. The other is to identify and address all other occurrences of this vulnerability within the application.
Brief description
https://snyk.io/vuln/SNYK-PYTHON-SQLALCHEMY-590109
GSA/catalog.data.gov#112
https://snyk.io/vuln/SNYK-PYTHON-SQLALCHEMY-173678
GSA/catalog.data.gov#119