
[BUG] Inclusion of the docker dependency brings in pywin32, which has an outstanding vulnerability #261

Closed
matroscoe opened this issue Aug 16, 2023 · 1 comment · Fixed by #279

Comments


matroscoe commented Aug 16, 2023

Memgraph version: gqlalchemy = ">=1.4.1,<2.0.0"
Environment: Python 3.11, memgraph running the memgraph/memgraph-mage docker image

Describe the bug
The python docker package is required as a dependency, which drags in the pywin32 library, which currently has CVEs open against the imported version; see:

To Reproduce
Steps to reproduce the behavior:

  1. Install the library, then run any SAST or DAST tool.

Expected behavior
A system running on Linux should not be importing the pywin32 library, and if it is required, it should be pinned to versions that don't have CVEs.

Logs: N/A

Additional context
Is the python docker package really a requirement, or can it be made optional?
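A triage check for reports like this one, added here as an example and not code from gqlalchemy or the docker package: read the Requires-Dist metadata of the installed distributions to see which of them require pywin32 and whether that requirement carries a Windows-only environment marker (pip skips such a dependency on Linux, while scanners that read lockfiles still flag it). The SAMPLE_REQUIRES lines are constructed for illustration.

```python
"""Audit which installed distributions require a package and whether the
requirement is gated by an environment marker (added example, not gqlalchemy code).
Stdlib only: importlib.metadata returns raw Requires-Dist lines such as
'pywin32>=304; sys_platform == "win32"'."""
import re
import sys
from importlib import metadata

# Constructed sample Requires-Dist lines in the shape a docker-style
# distribution might declare; illustrative, not copied from any real package.
SAMPLE_REQUIRES = [
    "packaging>=14.0",
    "requests>=2.26.0",
    'pywin32>=304; sys_platform == "win32"',
]
# name, optional [extras], version specifier, optional ; marker
_REQ_RE = re.compile(r'^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*([^;]*?)\s*(?:;\s*(.*))?$')
_WIN_RE = re.compile(r'(sys_platform|platform_system)\s*==\s*["\'](win32|Windows)["\']')

def parse_requirement(line):
    """Split a Requires-Dist line into (normalized name, specifier, marker)."""
    m = _REQ_RE.match(line)
    if not m:
        raise ValueError(f"unparseable requirement: {line!r}")
    name, _extras, spec, marker = m.groups()
    return name.lower().replace("_", "-"), spec or "", (marker or "").strip()

def classify(requires, target, platform=sys.platform):
    """Return (specifier, marker, installs_on_platform) for `target`, or None.
    A Windows-only marker means pip skips the dependency on Linux, although it
    still shows up in lockfiles and in scanners that read them."""
    for line in requires:
        name, spec, marker = parse_requirement(line)
        if name == target.lower():
            skipped = bool(_WIN_RE.search(marker)) and platform != "win32"
            return spec, marker, not skipped
    return None

def audit_environment(target):
    """List (distribution, specifier, marker) for each installed package requiring `target`."""
    hits = []
    for dist in metadata.distributions():
        for line in dist.requires or []:
            try:
                name, spec, marker = parse_requirement(line)
            except ValueError:
                continue  # tolerate malformed metadata in third-party wheels
            if name == target.lower():
                hits.append((dist.metadata["Name"], spec, marker))
    return hits
```

Running `audit_environment("pywin32")` in the affected virtualenv shows whether pywin32 is merely declared with a Windows marker or actually pulled in unconditionally, which decides between "scanner noise" and "pin or make the docker extra optional".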

@katarinasupe katarinasupe added Severity - S2 Severity - S2 Importance - I2 Importance - I2 labels Sep 15, 2023
@katarinasupe katarinasupe moved this to Todo in gqlalchemy Sep 15, 2023
@katarinasupe katarinasupe added this to the v1.5.0 milestone Sep 15, 2023
katarinasupe (Contributor) commented:

Thank you @matroscoe for opening the issue. We will work on the release at the end of the next week and update the necessary dependencies. Stay tuned :)
