🐛 [BUG] - Safety reports a CVE in Black <24.3.0 #456

Closed
1 task done
lvaylet opened this issue May 13, 2024 · 0 comments · Fixed by #457
Labels: bug (Something isn't working), triage

lvaylet (Collaborator) commented May 13, 2024

SLO Generator Version

v2.6.0

Python Version

3.9+

What happened?

Safety found a CVE: https://github.com/google/slo-generator/actions/runs/9028421565/job/24808869743

What did you expect?

Safety finds no CVE.

Relevant log output

safety check
+==============================================================================+

                               /$$$$$$            /$$
                              /$$__  $$          | $$
           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$
          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$
         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$
          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$
          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$
         |_______/  \_______/|__/     \_______/   \___/   \____  $$
                                                          /$$  | $$
                                                         |  $$$$$$/
  by pyup.io                                              \______/

+==============================================================================+

 REPORT 

  Safety is using PyUp's free open-source vulnerability database. This
data is 30 days old and limited. 
  For real-time enhanced vulnerability data, fix recommendations, severity
reporting, cybersecurity support, team and project policy management and more
sign up at https://pyup.io or email [email protected]

  Safety v2.3.5 is scanning for Vulnerabilities...
  Scanning dependencies in your environment:

  -> /opt/hostedtoolcache/Python/3.8.18/x64/lib/python3.8/site-packages

  Using non-commercial database
  Found and scanned 121 packages
  Timestamp 2024-05-10 06:48:56
  1 vulnerability found
  0 vulnerabilities ignored

+==============================================================================+
 VULNERABILITIES FOUND 
+==============================================================================+

-> Vulnerability found in black version 22.12.0
   Vulnerability ID: 66742
   Affected spec: <24.3.0
   ADVISORY: Black before 24.3.0 have a security vulnerability where
   specific code formatting patterns could lead to arbitrary code execution....
   CVE-2024-21503
   For more information, please visit
   https://data.safetycli.com/v/66742/f17

 Scan was completed. 1 vulnerability was found. 

+==============================================================================+
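As an added worked example (not part of this issue and not slo-generator's own code): a small Python script that parses Safety's text report into structured findings, checks the installed version against the reported "Affected spec", and re-evaluates each finding against a proposed pin bump, so a CI job can confirm that the planned upgrade actually leaves the affected range before the dependency is changed. The sample report text is a constructed copy of the finding block above; the version comparison is a deliberately minimal dotted-integer subset of PEP 440 (enough for Black's CalVer tags such as 22.12.0 and 24.3.0), not the `packaging` library, and rejects pre-release suffixes rather than mis-ordering them.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the finding block from the Safety report quoted in
# this issue, trimmed to the lines the parser needs.
SAMPLE_REPORT = """\
-> Vulnerability found in black version 22.12.0
   Vulnerability ID: 66742
   Affected spec: <24.3.0
   ADVISORY: Black before 24.3.0 have a security vulnerability where
   specific code formatting patterns could lead to arbitrary code execution....
   CVE-2024-21503
   For more information, please visit
   https://data.safetycli.com/v/66742/f17
"""


@dataclass
class Finding:
    package: str
    installed: str
    vuln_id: str
    affected_spec: str
    cve: Optional[str]


# One finding block starts with "->" and runs until the next "->" or end of text.
FINDING_RE = re.compile(
    r"-> Vulnerability found in (?P<pkg>\S+) version (?P<ver>\S+)[ \t]*\n"
    r"[ \t]*Vulnerability ID: (?P<id>\S+)[ \t]*\n"
    r"[ \t]*Affected spec: (?P<spec>[^\n]+)\n"
    r"(?P<body>.*?)(?=\n[ \t]*-> Vulnerability found|\Z)",
    re.DOTALL,
)


def parse_report(text: str) -> List[Finding]:
    """Extract structured findings from Safety's human-readable report."""
    findings = []
    for m in FINDING_RE.finditer(text):
        cve = re.search(r"CVE-\d{4}-\d{4,}", m.group("body"))
        findings.append(Finding(
            package=m.group("pkg").lower(),
            installed=m.group("ver"),
            vuln_id=m.group("id"),
            affected_spec=m.group("spec").strip(),
            cve=cve.group(0) if cve else None,
        ))
    return findings


def parse_version(v: str) -> Tuple[int, ...]:
    """Minimal PEP 440 subset: dotted integers only (assumption of this example).
    Pre-release suffixes such as 24.1.0a1 are rejected, not silently mis-ordered."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(p) for p in v.split("."))


def _cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    # Pad with zeros so 24.3 and 24.3.0 compare equal.
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
        ">=": lambda c: c >= 0, "==": lambda c: c == 0, "!=": lambda c: c != 0}


def version_in_spec(version: str, spec: str) -> bool:
    """True if `version` satisfies every comma-separated clause of `spec`,
    i.e. the version lies inside the affected range."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|!=|<|>)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, target = m.groups()
        if not _OPS[op](_cmp(v, parse_version(target))):
            return False
    return True


def still_affected(findings: List[Finding], pins: Dict[str, str]) -> List[str]:
    """Re-evaluate findings against proposed pins (package -> new version).
    Packages absent from `pins` keep their installed version. Returns the
    vulnerability IDs the proposed pins do not resolve (empty == safe to merge)."""
    unresolved = []
    for f in findings:
        candidate = pins.get(f.package, f.installed)
        if version_in_spec(candidate, f.affected_spec):
            unresolved.append(f.vuln_id)
    return unresolved


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for f in found:
        print(f"{f.package} {f.installed} is inside {f.affected_spec} ({f.cve})")
    print("unresolved after pinning black==24.3.0:",
          still_affected(found, {"black": "24.3.0"}))
```

The script's `still_affected` answers the question this issue raises: pinning `black` at exactly the lower bound of the fix, 24.3.0, falls outside `<24.3.0`, so the single finding clears; leaving the pin unchanged does not. Feeding it the raw `safety check` output from the failing job rather than the trimmed sample works the same way, because only the `->` blocks are matched.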
