pip-audit imports a vulnerable version of the requests package #616
Comments
Thanks for the report! This is going to be a little annoying to fix: we're pinned under This is also affecting xref #613 CC @tetsuo-cpp for thoughts -- maybe we can get away with temporarily disabling the caching middleware for a few releases or (ugh) testing the version of
I think I have a workable solution for this: we can constrain (A million thanks to @sethmlarson for pointing this out!)
My project broke because of this too. Do you think it's something quick to fix? If not, how can I work around it somehow while the fix is on the way?
@andreportela I'm working on a fix in #617. If you're able to test that fix and confirm that it works for you, I'll be able to have a patched release out very soon.
OK, tell me how I test it and I will be glad to do it.
You can install it directly via
Then, reproduce whatever command failed for you.
I'm using poetry. I'll try using that, just give me a few minutes.
Apologies for the fire-drill @woodruffw; I haven't experienced this specific scenario where the vuln audit tool pulls in the dependency with a vuln. We'll keep this project in mind in the future for alerting.
I ditched poetry for a sec here and used the pip install. Seems to work fine:

```console
$ pip install 'pip-audit @ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork'
Collecting pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork
Cloning https://github.com/pypa/pip-audit (to revision ww/cachecontrol-fork) to /private/var/folders/n_/ss342c1539j33lw68t43gylm0000gn/T/pip-install-808q1la_/pip-audit_cef7365ee81d41cc8292211ca1998781
Running command git clone --filter=blob:none --quiet https://github.com/pypa/pip-audit /private/var/folders/n_/ss342c1539j33lw68t43gylm0000gn/T/pip-install-808q1la_/pip-audit_cef7365ee81d41cc8292211ca1998781
Running command git checkout -b ww/cachecontrol-fork --track origin/ww/cachecontrol-fork
Switched to a new branch 'ww/cachecontrol-fork'
branch 'ww/cachecontrol-fork' set up to track 'origin/ww/cachecontrol-fork'.
Resolved https://github.com/pypa/pip-audit to commit 0bdbc788d87896bd81ffd8cacece4078afae4497
Installing build dependencies ... done
Getting requirements to build wheel ... done
Preparing metadata (pyproject.toml) ... done
Requirement already satisfied: CacheControl[filecache]>=0.12.0 in ./.venv/lib/python3.11/site-packages (from pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (0.12.11)
Requirement already satisfied: cyclonedx-python-lib!=2.5.0,~=2.0 in ./.venv/lib/python3.11/site-packages (from pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (2.7.1)
Requirement already satisfied: html5lib>=1.1 in ./.venv/lib/python3.11/site-packages (from pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (1.1)
Requirement already satisfied: packaging>=23.0.0 in ./.venv/lib/python3.11/site-packages (from pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (23.1)
Requirement already satisfied: pip-api>=0.0.28 in ./.venv/lib/python3.11/site-packages (from pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (0.0.30)
Requirement already satisfied: pip-requirements-parser>=32.0.0 in ./.venv/lib/python3.11/site-packages (from pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (32.0.1)
Requirement already satisfied: requests>=2.31.0 in ./.venv/lib/python3.11/site-packages (from pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (2.31.0)
Requirement already satisfied: urllib3~=1.26 in ./.venv/lib/python3.11/site-packages (from pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (1.26.15)
Requirement already satisfied: rich>=12.4 in ./.venv/lib/python3.11/site-packages (from pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (13.3.5)
Requirement already satisfied: toml>=0.10 in ./.venv/lib/python3.11/site-packages (from pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (0.10.2)
Requirement already satisfied: msgpack>=0.5.2 in ./.venv/lib/python3.11/site-packages (from CacheControl[filecache]>=0.12.0->pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (1.0.5)
Requirement already satisfied: lockfile>=0.9 in ./.venv/lib/python3.11/site-packages (from CacheControl[filecache]>=0.12.0->pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (0.12.2)
Requirement already satisfied: packageurl-python>=0.9 in ./.venv/lib/python3.11/site-packages (from cyclonedx-python-lib!=2.5.0,~=2.0->pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (0.11.1)
Requirement already satisfied: setuptools>=47.0.0 in ./.venv/lib/python3.11/site-packages (from cyclonedx-python-lib!=2.5.0,~=2.0->pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (67.8.0)
Requirement already satisfied: sortedcontainers<3.0.0,>=2.4.0 in ./.venv/lib/python3.11/site-packages (from cyclonedx-python-lib!=2.5.0,~=2.0->pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (2.4.0)
Requirement already satisfied: six>=1.9 in ./.venv/lib/python3.11/site-packages (from html5lib>=1.1->pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (1.16.0)
Requirement already satisfied: webencodings in ./.venv/lib/python3.11/site-packages (from html5lib>=1.1->pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (0.5.1)
Requirement already satisfied: pip in ./.venv/lib/python3.11/site-packages (from pip-api>=0.0.28->pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (23.1.2)
Requirement already satisfied: pyparsing in ./.venv/lib/python3.11/site-packages (from pip-requirements-parser>=32.0.0->pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (3.0.9)
Requirement already satisfied: charset-normalizer<4,>=2 in ./.venv/lib/python3.11/site-packages (from requests>=2.31.0->pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (2.1.1)
Requirement already satisfied: idna<4,>=2.5 in ./.venv/lib/python3.11/site-packages (from requests>=2.31.0->pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (3.4)
Requirement already satisfied: certifi>=2017.4.17 in ./.venv/lib/python3.11/site-packages (from requests>=2.31.0->pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (2023.5.7)
Requirement already satisfied: markdown-it-py<3.0.0,>=2.2.0 in ./.venv/lib/python3.11/site-packages (from rich>=12.4->pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (2.2.0)
Requirement already satisfied: pygments<3.0.0,>=2.13.0 in ./.venv/lib/python3.11/site-packages (from rich>=12.4->pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (2.15.1)
Requirement already satisfied: mdurl~=0.1 in ./.venv/lib/python3.11/site-packages (from markdown-it-py<3.0.0,>=2.2.0->rich>=12.4->pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (0.1.2)
$ pip-audit
No known vulnerabilities found
Name Skip Reason
------------ ---------------------------------------------------------------------------
```
@sethmlarson not your problem at all! This was my daily reminder that the "supply chain" is more like the "supply ouroboros" 🙂 @andreportela Thanks for confirming! I need one of the other maintainers to approve the PR, but we should have this fix merged and released shortly.
Many thanks @woodruffw! I'm counting on this PR ❤️ 😅
Bug description
pip-audit is using a vulnerable version of the requests package ("requests<2.30"). The requests package has released version v2.31.0, which is a fix for the reported security vulnerability CVE-2023-32681 (see also the GitHub Security Advisory). Updating the requests package fails pip-audit runs.
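The root cause in this report is a version pin that can never resolve to the fixed release: `requests<2.30` excludes 2.31.0, the version that carries the CVE-2023-32681 fix. The following is an added example (not pip-audit's own code) that evaluates a small, self-implemented subset of PEP 440 specifiers with the standard library only, so a maintainer can check whether a pin blocks a known fix before cutting a release; pre-release and local version tags are deliberately out of scope.

```python
import re
from itertools import zip_longest

# One specifier clause: operator followed by a dotted release segment.
_SPEC_RE = re.compile(r"^\s*(~=|==|!=|<=|>=|<|>)\s*([0-9]+(?:\.[0-9]+)*)\s*$")


def parse_version(text: str) -> tuple[int, ...]:
    """'2.31.0' -> (2, 31, 0). Trailing zeros are padded away in _cmp."""
    return tuple(int(part) for part in text.strip().split("."))


def _cmp(a: tuple[int, ...], b: tuple[int, ...]) -> int:
    """Three-way compare; the shorter release segment is zero-padded."""
    for x, y in zip_longest(a, b, fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0


def _matches(op: str, candidate: tuple[int, ...], pinned: tuple[int, ...]) -> bool:
    if op == "~=":  # compatible release: >= pinned and same prefix up to the last part
        prefix = pinned[:-1]
        return _cmp(candidate, pinned) >= 0 and _cmp(candidate[: len(prefix)], prefix) == 0
    c = _cmp(candidate, pinned)
    return {"==": c == 0, "!=": c != 0, "<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op]


def allows(requirement: str, version: str) -> bool:
    """True if every clause of e.g. 'requests<2.30' admits `version`."""
    spec = requirement.split(";")[0]                           # drop environment markers
    clauses = re.sub(r"^[A-Za-z0-9_.\-\[\]]+", "", spec.strip())  # strip name and extras
    candidate = parse_version(version)
    for clause in filter(None, (c.strip() for c in clauses.split(","))):
        m = _SPEC_RE.match(clause)
        if not m:
            raise ValueError(f"unsupported specifier: {clause!r}")
        if not _matches(m.group(1), candidate, parse_version(m.group(2))):
            return False
    return True


def pin_blocks_fix(requirement: str, fixed_version: str) -> bool:
    """True when the pin cannot resolve to the release that carries the fix."""
    return not allows(requirement, fixed_version)


if __name__ == "__main__":
    # Values from this issue: the pre-fix pin and the fixed version of requests.
    print(pin_blocks_fix("requests<2.30", "2.31.0"))     # True: the pin hides the fix
    print(pin_blocks_fix("requests>=2.31.0", "2.31.0"))  # False: the corrected pin
```

The same check works on the transitive pins shown in the install log above (for example `cyclonedx-python-lib!=2.5.0,~=2.0`), which is where this kind of "supply ouroboros" usually hides.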