
Snyk Finding for python "future" package #4145

Closed
1 task done
nickumia-reisys opened this issue Jan 3, 2023 · 6 comments
Labels: bug (Software defect or bug), compliance (Relating to security compliance or documentation)

Comments

@nickumia-reisys
Contributor

nickumia-reisys commented Jan 3, 2023

Please keep any sensitive details in Google Drive.

Date of report: 01/03/2023
Severity: High
Due date: 02/03/2023

Due date is based on severity and described in RA-5. 15-days for Critical, 30-days for High, and 90-days for Moderate and lower.

  • Analysis has been performed and an issue has been linked to address other occurrences for this class of vulnerability* (link)

* When a finding is identified, we create two issues. One to address the specific instance identified in the report. The other is to identify and address all other occurrences of this vulnerability within the application.

Brief description

@nickumia-reisys nickumia-reisys added compliance Relating to security compliance or documentation bug Software defect or bug labels Jan 3, 2023
@nickumia-reisys nickumia-reisys changed the title Snyk Finding for future Snyk Finding for python "future" package Jan 3, 2023
@hkdctol hkdctol moved this to 📟 Sprint Backlog [7] in data.gov team board Jan 5, 2023
@nickumia-reisys
Contributor Author

For whoever picks this up, my speculative judgement on this makes me believe we are not vulnerable since future is a py2-compatibility library. As we are fully on py3, the future aspects of the CKAN codebase are not being activated and, thus not vulnerable. It might be very hard to validate this in all cases since future has 100s of references throughout the code. Although after writing this, we might be able to get rid of future as it isn't included in our inventory build. It might just be included because of some upstream extension on catalog that isn't on inventory.

It's just good due diligence to fix this, but I can't say I'm up for the job right now.

@FuhuXia
Member

FuhuXia commented Jan 6, 2023

Without removing the 100s of references, the minimum thing we can do is add a condition for all the import future statements we can find and make sure they only happen in a Python 2.7 environment, therefore we can claim we are not affected.

@nickumia-reisys
Contributor Author

I think adding the condition is counter-intuitive for what future is supposed to do. future itself is assessing python version and running the appropriate code. If we wrap future in a conditional, it would just be a redundant check, no?

@FuhuXia
Member

FuhuXia commented Jan 9, 2023

Adding the condition will make sure future is not imported in our app so we can remove it from the pip requirements, therefore silencing the Snyk report.
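An added example (not code from this thread or the data.gov project) of auditing for the guarded-import approach described above: it parses Python source and reports imports of the `future` distribution's modules that are not nested under an `if sys.version_info ...` check, so remaining unguarded references can be found before the package is dropped from the requirements. The module list and the sample source are constructed assumptions.

```python
import ast
from typing import List, Tuple

# Top-level modules shipped by the `future` distribution (assumed list). `builtins`
# is left out: on Python 3 it resolves to the stdlib, which is why the shim is inert.
FUTURE_MODULES = {"future", "past", "libfuturize", "libpasteurize"}

def _guarded_by_version_check(node: ast.AST) -> bool:
    """True if `node` sits under an `if` whose test mentions sys.version_info.
    Other idioms (e.g. six.PY2) are not recognised and will still be reported."""
    parent = getattr(node, "_parent", None)
    while parent is not None:
        if isinstance(parent, ast.If) and any(
            isinstance(n, ast.Attribute) and n.attr == "version_info"
            for n in ast.walk(parent.test)
        ):
            return True
        parent = getattr(parent, "_parent", None)
    return False

def find_unguarded_future_imports(source: str) -> List[Tuple[int, str]]:
    """Return (line number, module) for each `future` import not under a version check."""
    tree = ast.parse(source)
    for parent in ast.walk(tree):  # attach parent links so we can walk upwards
        for child in ast.iter_child_nodes(parent):
            child._parent = parent
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom):
            names = [node.module or ""]  # relative `from . import x` has module None
        elif isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        else:
            continue
        for name in names:
            if name.split(".")[0] in FUTURE_MODULES and not _guarded_by_version_check(node):
                findings.append((node.lineno, name))
    return sorted(findings)

# Constructed sample: line 2 should be reported, line 5 is guarded, line 1 is stdlib.
SAMPLE_SOURCE = """\
from __future__ import print_function
from future.utils import iteritems
import sys
if sys.version_info[0] < 3:
    from past.builtins import basestring
"""

if __name__ == "__main__":
    for lineno, module in find_unguarded_future_imports(SAMPLE_SOURCE):
        print(f"line {lineno}: unguarded import of {module}")
```

Run it over each file in the tree (for example with `pathlib.Path(root).rglob("*.py")`) to get the list of places still needing a guard.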

@FuhuXia FuhuXia self-assigned this Jan 10, 2023
@FuhuXia FuhuXia moved this from 📟 Sprint Backlog [7] to 🏗 In Progress [8] in data.gov team board Jan 10, 2023
@FuhuXia FuhuXia moved this from 🏗 In Progress [8] to 📟 Sprint Backlog [7] in data.gov team board Jan 10, 2023
@FuhuXia FuhuXia moved this from 📟 Sprint Backlog [7] to 🏗 In Progress [8] in data.gov team board Jan 10, 2023
@FuhuXia FuhuXia moved this from 🏗 In Progress [8] to 👀 Needs Review [2] in data.gov team board Jan 10, 2023
@FuhuXia FuhuXia moved this from 👀 Needs Review [2] to 🏗 In Progress [8] in data.gov team board Jan 11, 2023
@FuhuXia
Member

FuhuXia commented Jan 18, 2023

PR submitted to remove future dependency in ckanext-archiver. ckan/ckanext-archiver#88

But then, future is patched, https://pypi.org/project/future/0.18.3/

@FuhuXia FuhuXia moved this from 🏗 In Progress [8] to 👀 Needs Review [2] in data.gov team board Jan 18, 2023
@FuhuXia
Member

FuhuXia commented Jan 18, 2023

Patched and deployed to catalog.

@FuhuXia FuhuXia closed this as completed Jan 18, 2023
@github-project-automation github-project-automation bot moved this from 👀 Needs Review [2] to ✔ Done in data.gov team board Jan 18, 2023