Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

pip-audit imports a vulnerable version of the requests package #616

Closed
behnazh-w opened this issue May 22, 2023 · 12 comments
Closed

pip-audit imports a vulnerable version of the requests package #616

behnazh-w opened this issue May 22, 2023 · 12 comments
Labels
bug-candidate Might be a bug. dependencies Pull requests that update a dependency file

Comments

@behnazh-w
Copy link

Bug description

pip-audit is using a vulnerable version of the requests package ("requests<2.30"). requests package has released version v2.31.0 which is a fix for the reported security vulnerability CVE-2023-32681 (see also Github Security Advisory). Updating the requests package fails pip-audit runs.

@woodruffw
Copy link
Member

Thanks for the report!

This is going to be a little annoying to fix: we're pinned under 2.30 because our caching middleware isn't compatible with a transitive dep change in that version.

This is also affecting pip: pypa/pip#12026

xref #613

CC @tetsuo-cpp for thoughts -- maybe we can get away with temporarily disabling the caching middleware for a few release or (ugh) testing the version of requests and patching around the break?

@woodruffw woodruffw added the dependencies Pull requests that update a dependency file label May 22, 2023
@woodruffw
Copy link
Member

I think I have a workable solution for this: we can constrain urllib3 to the 1.26.x release series for now, since requests is still compatible with it.

(A million thanks for @sethmlarson for pointing this out!)

@andreportela
Copy link

My project broke because of this too. Do you think it's something quick to fix? If not, how can I work around it somehow while the fix is on the way?

@woodruffw
Copy link
Member

@andreportela I'm working on a fix in #617. If you're able to test that fix and confirm that it works for you, I'll be able to have a patched release out very soon.

@andreportela
Copy link

Ok, tell me how I test it and I will be glad to do it

@woodruffw
Copy link
Member

You can install it directly via pip install from GitHub:

pip install 'pip-audit @ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork'

Then, reproduce whatever command failed for you.

@andreportela
Copy link

I'm using poetry. I'll try using that, just give me a few minutes

@sethmlarson
Copy link

Apologies for the fire-drill @woodruffw, I haven't experienced this specific scenario where the vuln audit tool pulls in the dependency with a vuln, we'll keep this project in mind in the future for alerting.

@andreportela
Copy link

I ditched poetry for a sec here and used the pip install. Seems to work fine:

$ pip install 'pip-audit @ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork'
Collecting pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork
  Cloning https://github.com/pypa/pip-audit (to revision ww/cachecontrol-fork) to /private/var/folders/n_/ss342c1539j33lw68t43gylm0000gn/T/pip-install-808q1la_/pip-audit_cef7365ee81d41cc8292211ca1998781
  Running command git clone --filter=blob:none --quiet https://github.com/pypa/pip-audit /private/var/folders/n_/ss342c1539j33lw68t43gylm0000gn/T/pip-install-808q1la_/pip-audit_cef7365ee81d41cc8292211ca1998781
  Running command git checkout -b ww/cachecontrol-fork --track origin/ww/cachecontrol-fork
  Switched to a new branch 'ww/cachecontrol-fork'
  branch 'ww/cachecontrol-fork' set up to track 'origin/ww/cachecontrol-fork'.
  Resolved https://github.com/pypa/pip-audit to commit 0bdbc788d87896bd81ffd8cacece4078afae4497
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Requirement already satisfied: CacheControl[filecache]>=0.12.0 in ./.venv/lib/python3.11/site-packages (from pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (0.12.11)
Requirement already satisfied: cyclonedx-python-lib!=2.5.0,~=2.0 in ./.venv/lib/python3.11/site-packages (from pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (2.7.1)
Requirement already satisfied: html5lib>=1.1 in ./.venv/lib/python3.11/site-packages (from pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (1.1)
Requirement already satisfied: packaging>=23.0.0 in ./.venv/lib/python3.11/site-packages (from pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (23.1)
Requirement already satisfied: pip-api>=0.0.28 in ./.venv/lib/python3.11/site-packages (from pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (0.0.30)
Requirement already satisfied: pip-requirements-parser>=32.0.0 in ./.venv/lib/python3.11/site-packages (from pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (32.0.1)
Requirement already satisfied: requests>=2.31.0 in ./.venv/lib/python3.11/site-packages (from pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (2.31.0)
Requirement already satisfied: urllib3~=1.26 in ./.venv/lib/python3.11/site-packages (from pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (1.26.15)
Requirement already satisfied: rich>=12.4 in ./.venv/lib/python3.11/site-packages (from pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (13.3.5)
Requirement already satisfied: toml>=0.10 in ./.venv/lib/python3.11/site-packages (from pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (0.10.2)
Requirement already satisfied: msgpack>=0.5.2 in ./.venv/lib/python3.11/site-packages (from CacheControl[filecache]>=0.12.0->pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (1.0.5)
Requirement already satisfied: lockfile>=0.9 in ./.venv/lib/python3.11/site-packages (from CacheControl[filecache]>=0.12.0->pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (0.12.2)
Requirement already satisfied: packageurl-python>=0.9 in ./.venv/lib/python3.11/site-packages (from cyclonedx-python-lib!=2.5.0,~=2.0->pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (0.11.1)
Requirement already satisfied: setuptools>=47.0.0 in ./.venv/lib/python3.11/site-packages (from cyclonedx-python-lib!=2.5.0,~=2.0->pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (67.8.0)
Requirement already satisfied: sortedcontainers<3.0.0,>=2.4.0 in ./.venv/lib/python3.11/site-packages (from cyclonedx-python-lib!=2.5.0,~=2.0->pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (2.4.0)
Requirement already satisfied: six>=1.9 in ./.venv/lib/python3.11/site-packages (from html5lib>=1.1->pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (1.16.0)
Requirement already satisfied: webencodings in ./.venv/lib/python3.11/site-packages (from html5lib>=1.1->pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (0.5.1)
Requirement already satisfied: pip in ./.venv/lib/python3.11/site-packages (from pip-api>=0.0.28->pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (23.1.2)
Requirement already satisfied: pyparsing in ./.venv/lib/python3.11/site-packages (from pip-requirements-parser>=32.0.0->pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (3.0.9)
Requirement already satisfied: charset-normalizer<4,>=2 in ./.venv/lib/python3.11/site-packages (from requests>=2.31.0->pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (2.1.1)
Requirement already satisfied: idna<4,>=2.5 in ./.venv/lib/python3.11/site-packages (from requests>=2.31.0->pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (3.4)
Requirement already satisfied: certifi>=2017.4.17 in ./.venv/lib/python3.11/site-packages (from requests>=2.31.0->pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (2023.5.7)
Requirement already satisfied: markdown-it-py<3.0.0,>=2.2.0 in ./.venv/lib/python3.11/site-packages (from rich>=12.4->pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (2.2.0)
Requirement already satisfied: pygments<3.0.0,>=2.13.0 in ./.venv/lib/python3.11/site-packages (from rich>=12.4->pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (2.15.1)
Requirement already satisfied: mdurl~=0.1 in ./.venv/lib/python3.11/site-packages (from markdown-it-py<3.0.0,>=2.2.0->rich>=12.4->pip-audit@ git+https://github.com/pypa/pip-audit@ww/cachecontrol-fork) (0.1.2)
$ pip-audit
No known vulnerabilities found
Name         Skip Reason
------------ ---------------------------------------------------------------------------

@woodruffw
Copy link
Member

@sethmlarson not your problem at all! This was my daily reminder that the "supply chain" is more like the "supply ouroboros" 🙂

@andreportela Thanks for confirming! I need one of the other maintainers to approve the PR, but we should have this fix merged and released shortly.

@andreportela
Copy link

Many thanks @woodruffw! I'm counting on this PR ❤️ 😅

@woodruffw
Copy link
Member

Resolved with #617 and cut with #618. Thanks all!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug-candidate Might be a bug. dependencies Pull requests that update a dependency file
Projects
None yet
Development

No branches or pull requests

4 participants