This repository has been archived by the owner on Mar 20, 2024. It is now read-only.

snyk incorrectly reporting 1 vulnerability #29

Closed
JonZeolla opened this issue Mar 10, 2020 · 0 comments · Fixed by #30
@JonZeolla (Member) commented:
Summary

snyk.io is currently reporting that the version of pyyaml used by easy_sast is vulnerable to an Arbitrary Code Execution vulnerability. easy_sast was never susceptible to this vulnerability, as it has always used safe_load which is considered safe. MITRE has assigned this vulnerability CVE-2020-1747.

Potential Impact

There is no impact to the easy_sast project due to the appropriate use of safe_load to load untrusted yaml files. pyyaml is used for configuration loading (pyyaml 5.3), and the testing (pyyaml 5.3) of configuration loading.

Next Steps

  1. As a best practice, update the easy_sast requirements via make requirements when yaml/pyyaml#386 ("Prevents arbitrary code execution during python/object/new constructor") is merged and included in a release.
  2. Cut an easy_sast release with these updated requirements.
    • Based on the breaking changes introduced since the last release, this will be version 1.0.0 (see git log 'v0.2.0'...'0eefbb341facfdd5cfe73774faebdb311579d232' --oneline).
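The following is an added example, not code from easy_sast or from the PyYAML project, illustrating the distinction the issue relies on: yaml.safe_load refuses python/object tags outright, whereas the unsafe loader constructs whatever callable the tag names, which is the family of tags CVE-2020-1747 abused against FullLoader. It also includes a small AST-based triage helper for answering the question a scanner finding raises ("how is this dependency actually called?"). It assumes PyYAML 5.1 or later is installed; the two YAML documents and the Python source snippet are constructed for the example, and the callable named in the tagged document (builtins.sorted) is deliberately harmless.

```python
"""Added example (not part of easy_sast or PyYAML). Requires PyYAML >= 5.1."""
import ast

import yaml
from yaml.constructor import ConstructorError

# Constructed YAML carrying a python-specific tag. python/object/* tags ask
# the loader to build a Python object; the harmless builtins.sorted stands in
# for the kind of callable an attacker would name.
TAGGED_DOC = """
setting: !!python/object/apply:builtins.sorted
  - [3, 1, 2]
"""

# Constructed benign configuration of the shape a tool would expect.
BENIGN_DOC = """
api:
  base_url: https://example.invalid
  timeout: 30
"""


def load_config(text: str) -> dict:
    """Parse untrusted YAML with the safe loader: only plain scalars,
    sequences and mappings are constructed, never python/* objects."""
    data = yaml.safe_load(text)
    if not isinstance(data, dict):
        raise ValueError("configuration must be a YAML mapping")
    return data


def safe_loader_rejects(text: str) -> bool:
    """True when safe_load refuses the document because of an unknown tag,
    which is the expected outcome for any python/object/* tag."""
    try:
        yaml.safe_load(text)
    except ConstructorError:
        return True
    return False


def unsafe_loader_constructs(text: str):
    """Contrast only: unsafe_load honours python/object tags and calls the
    named callable. Never use it on untrusted input."""
    return yaml.unsafe_load(text)


def find_risky_yaml_calls(source: str) -> list:
    """Triage helper for scanner findings: report yaml.load/full_load/
    unsafe_load call sites in Python source as (line, function) pairs.
    yaml.safe_load and yaml.load(..., Loader=yaml.SafeLoader) are skipped."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if (isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name)
                and func.value.id == "yaml"):
            name = func.attr
        elif isinstance(func, ast.Name):
            name = func.id
        else:
            continue
        if name not in ("load", "full_load", "unsafe_load"):
            continue
        if name == "load":
            loaders = [kw.value for kw in node.keywords if kw.arg == "Loader"]
            if any(isinstance(v, ast.Attribute)
                   and v.attr in ("SafeLoader", "CSafeLoader") for v in loaders):
                continue
        findings.append((node.lineno, name))
    return sorted(findings)


# Constructed source snippet mixing safe and risky call styles.
SAMPLE_SOURCE = '''import yaml
cfg = yaml.safe_load(open("config.yml"))
other = yaml.load(raw, Loader=yaml.SafeLoader)
bad = yaml.load(raw)
worse = yaml.full_load(raw)
'''


if __name__ == "__main__":
    print(load_config(BENIGN_DOC))
    print("safe_load rejects tagged doc:", safe_loader_rejects(TAGGED_DOC))
    print("unsafe_load builds:", unsafe_loader_constructs(TAGGED_DOC))
    print("risky calls:", find_risky_yaml_calls(SAMPLE_SOURCE))
```

The triage helper is intentionally narrow: it only recognises calls spelled yaml.load / yaml.full_load / yaml.unsafe_load (or those names imported bare), and treats a Loader= keyword naming SafeLoader or CSafeLoader as safe. A loader passed positionally or through a variable would need manual review, which is the usual caveat with call-site checks of this kind.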
@JonZeolla JonZeolla added the "blocked" label (On hold, waiting until something else happens) Mar 10, 2020
@JonZeolla JonZeolla self-assigned this Mar 10, 2020
@JonZeolla JonZeolla removed the "blocked" label (On hold, waiting until something else happens) Mar 22, 2020
JonZeolla added a commit that referenced this issue Mar 22, 2020
Update all requirements.txt files to use the latest released versions of
dependencies and fixes #29
@ghost ghost closed this as completed in #30 Mar 23, 2020
ghost pushed a commit that referenced this issue Mar 23, 2020
Update all requirements.txt files to use the latest released versions of
dependencies and fixes #29
This issue was closed.