Package versions and vulnerability results truncated #15

Closed
Owen-OptiGrid opened this issue Jan 8, 2025 · 2 comments · Fixed by #16
Owen-OptiGrid commented Jan 8, 2025

I noticed package version and vulnerability ID results getting truncated in the table results when using uv-secure 3.1:

In this case the dependency was Jinja2 version 3.1.4.

Checking C:\Users\OwenLamont\Code\OptiGrid-core\uv.lock dependencies for
vulnerabilities...
+---------------------------+
| Vulnerabilities detected! |
| Checked: 136 dependencies |
| Vulnerable: 1 dependency  |
+---------------------------+
                            Vulnerable Dependencies
+-----------------------------------------------------------------------------+
| Package       | Ve� | Vulnerability ID  | Details                           |
|---------------+-----+-------------------+-----------------------------------|
| jinja2        | 3.� | GHSA-q2x7-8rv6-6� | An oversight in how the Jinja     |
|               |     |                   | sandboxed environment detects     |
|               |     |                   | calls to `str.format` allows an   |
|               |     |                   | attacker that controls the        |
|               |     |                   | content of a template to execute  |
|               |     |                   | arbitrary Python code.            |
|               |     |                   |                                   |
|               |     |                   | To exploit the vulnerability, an  |
|               |     |                   | attacker needs to control the     |
|               |     |                   | content of a template. Whether    |
|               |     |                   | that is the case depends on the   |

The IDs can't be copied if truncated and so can't be added to the ignore list without extra research to discover the full ID.

Owen-OptiGrid (Author) commented:

Package info and vulnerability links can be seen here:

https://pypi.org/pypi/jinja2/3.1.4/json
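As an added example (not the reporter's or uv-secure's code), the script below reads the `vulnerabilities` array of the PyPI JSON document linked above and resolves a truncated advisory ID, as copied from a narrow table cell, back to every full identifier it is a prefix of, so the ID can be verified before it goes into an ignore list. The sample payload is constructed with placeholder IDs and versions, and `fetch_pypi_json` is an assumed helper for the live lookup.

```python
import json
from typing import Any
from urllib.request import urlopen

# Constructed sample shaped like the PyPI JSON API response for
# https://pypi.org/pypi/<name>/<version>/json, trimmed to the fields used
# here. Advisory IDs, aliases and versions are placeholders, not real data.
SAMPLE_PYPI_JSON = json.dumps({
    "info": {"name": "jinja2", "version": "3.1.4"},
    "vulnerabilities": [
        {"id": "GHSA-aaaa-bbbb-cccc", "aliases": ["CVE-0000-00001"],
         "fixed_in": ["3.1.5"], "summary": "placeholder advisory one",
         "link": "https://osv.dev/vulnerability/GHSA-aaaa-bbbb-cccc",
         "withdrawn": None},
        {"id": "GHSA-aaaa-bbbb-dddd", "aliases": [],
         "fixed_in": ["3.1.5"], "summary": "placeholder advisory two",
         "link": "https://osv.dev/vulnerability/GHSA-aaaa-bbbb-dddd",
         "withdrawn": None},
        {"id": "GHSA-eeee-ffff-gggg", "aliases": [],
         "fixed_in": ["3.1.3"], "summary": "withdrawn placeholder",
         "link": "https://osv.dev/vulnerability/GHSA-eeee-ffff-gggg",
         "withdrawn": "2024-01-01T00:00:00Z"},
    ],
})


def fetch_pypi_json(name: str, version: str) -> str:
    """Download the live PyPI JSON document for one release (needs network)."""
    with urlopen(f"https://pypi.org/pypi/{name}/{version}/json") as resp:
        return resp.read().decode("utf-8")


def active_vulnerabilities(raw: str) -> list[dict[str, Any]]:
    """Return the advisories in the payload that have not been withdrawn."""
    data = json.loads(raw)
    return [v for v in data.get("vulnerabilities", []) if not v.get("withdrawn")]


def expand_truncated_id(raw: str, truncated: str) -> list[str]:
    """Resolve an ID copied from a truncated cell to every full advisory ID or
    alias it is a prefix of. Trailing ellipsis / replacement-character markers
    are stripped first. More than one hit means the prefix is ambiguous and
    must be checked by hand before it is added to an ignore list."""
    prefix = truncated.rstrip("\u2026?\ufffd").strip()
    if not prefix:
        return []
    hits = {ident
            for v in active_vulnerabilities(raw)
            for ident in [v["id"], *v.get("aliases", [])]
            if ident.startswith(prefix)}
    return sorted(hits)
```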

owenlamont self-assigned this Jan 8, 2025

owenlamont (Owner) commented:

Looks like some nerdfont issue as the question marks should render as ellipsis... but can reproduce the truncating on the narrower console widths.

owenlamont linked a pull request Jan 8, 2025 that will close this issue