-
Notifications
You must be signed in to change notification settings - Fork 141
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Safety reports its own dependecy (jinja2) as vulnerable without fix available #527
Comments
This CVE was reported back in 2019 and popped up again in 2022, highly disputed and ignored (reasonable IMO) that time: GHSA-f6pv-j8mr-w6rr I do not see a single other reference, that this has somehow worsened with latest jinja2 or that it has been newly found to be more problematic than rated (by the majority) that time. To me it looks like Safety just hit an update button, triggering this CVE to be recognised again, while nothing has changed: https://data.safetycli.com/v/70612/97c/ The very same applies to Triggering such old, disputed and (reasonably IMO) ignored CVEs to make every EDIT: Okay, the update was probably triggered from other databases: https://nvd.nist.gov/vuln/detail/CVE-2019-8341#VulnChangeHistorySection, https://nvd.nist.gov/vuln/detail/CVE-2018-20225#VulnChangeHistorySection The exact same happened there on exactly the same dates:
A EDIT2: Probably these are better reported here as false positives? https://github.com/pyupio/safety-db/issues |
The very same applies as for CVE-2018-20225: disputed, ignored since years, and whichever database update triggered safety to suddenly fail on it, while there is no solution, and never will be one: pyupio/safety#527 Signed-off-by: MichaIng <micha@dietpi.com>
Description
Safety includes a dependency to
jinja2
(which we otherwise don't need in our project) and because SafetyDB includes also disputed vulnerabilities, we are getting this error:It think it would be good if security scanner did not report its own dependencies as vulnerable without fix available. In general, I think you should not include the disputed vulnerabilities by default, because all of them I investigated are useless and it just forces me to add evergrowing list of excludes.
The text was updated successfully, but these errors were encountered: