Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Package coverage<6.0b1 incorrectly listed as vulnerable #2335

Closed
whyscream opened this issue Aug 2, 2021 · 6 comments · Fixed by #2337
Closed

Package coverage<6.0b1 incorrectly listed as vulnerable #2335

whyscream opened this issue Aug 2, 2021 · 6 comments · Fixed by #2337
Assignees
@yeisonvargasf

Comments

@whyscream
Copy link

As discussed in nedbat/coveragepy#1198 with the author of the coverage package. The former usage of the md5 algorithm in coverage is not a security vulnerability. The listing in safety-db forces (or rather tries to convince) lots of people to upgrade to a newer version that is both beta and a major upgrade, for no good reason (security-wise).

Would you consider removing the entry for coverage<6.0b1 from the database?
@whyscream whyscream mentioned this issue Aug 2, 2021
Closed
@yeisonvargasf yeisonvargasf self-assigned this Aug 2, 2021
@danuker danuker mentioned this issue Aug 2, 2021
Closed
@nedbat
Copy link

nedbat commented Aug 2, 2021

I'm interested to know more about how entries get created in this database in the first place. You seem to have used words from my CHANGELOG, so there's a human making the entries. If you notify the owner of the repo, then we could short-circuit some of the churn around entries like this that are more alarming than they need to be.

nedbat added a commit to nedbat/coveragepy that referenced this issue Aug 2, 2021
@nedbat
docs: add more detail to a confusing changelog entry
6adbefa 
safety-db read this entry and reported it as a security issue. It was never a
security problem.

pyupio/safety-db#2335
nedbat added a commit to nedbat/coverage-reports that referenced this issue Aug 2, 2021
@nedbat
93.286% - docs: add more detail to a confusing changelog entry
890ffdb 
safety-db read this entry and reported it as a security issue. It was never a
security problem.

pyupio/safety-db#2335

https://nedbat.github.io/coverage-reports/reports/20210802_6adbefa71a/htmlcov
6adbefa71a: master
@yeisonvargasf
Copy link
Member

Hi @whyscream, thanks for reporting this issue. We reviewed in detail and this was a false positive, we have marked the vulnerability as INVALID and the update will be available soon.

@nedbat we usually notify repo owners to clarify the possible vulnerability, this time MD5 was a red flag (even FIPS blocks it regardless of context) for our security team while doing the verification (about your question, there is a security team checking each possible vulnerability). We will reach you if the security team has questions about a possible vulnerability.

@nedbat
Copy link

nedbat commented Aug 3, 2021

It's just a little disappointing that my change was specifically to silence a false alarm that had been reported, and my change caused you to create another false alarm. :(

@Zethson Zethson mentioned this issue Aug 3, 2021
Closed
@nedbat nedbat mentioned this issue Aug 3, 2021
Closed
@dmaljovec dmaljovec mentioned this issue Aug 4, 2021
Closed
@awsbillz
Copy link

awsbillz commented Aug 4, 2021

Hi @whyscream, thanks for reporting this issue. We reviewed in detail and this was a false positive, we have marked the vulnerability as INVALID and the update will be available soon.

@nedbat we usually notify repo owners to clarify the possible vulnerability, this time MD5 was a red flag (even FIPS blocks it regardless of context) for our security team while doing the verification (about your question, there is a security team checking each possible vulnerability). We will reach you if the security team has questions about a possible vulnerability.

Do we have an ETA on when this false alarm will be fixed by updates?

@yeisonvargasf
Copy link
Member

Hi @nedbat I know what you mean, sorry for that, I think a more detailed clarification in changelogs will help to don't produce false positives in the future and our team probably will reach you next time if a security item in the changelog isn't clear for them.

@awsbillz the correction was done after this issue was reported, it will show up for our paid users immediately and not until September 1st for our users without a paid subscription.

We can review/accept any PR in an expedited way if you want to remove the false positive before that date. You will have to remove the vulnerability from: insecure.json and insecure_full.json

sobolevn added a commit to sobolevn/safety-db that referenced this issue Aug 5, 2021
@sobolevn
Remove coveragepy from vulnerable, refs pyupio#2335
0c3c5fe
@sobolevn sobolevn mentioned this issue Aug 5, 2021
Merged
@sobolevn
Copy link
Contributor

sobolevn commented Aug 5, 2021

@yeisonvargasf done: #2337

yeisonvargasf added a commit that referenced this issue Aug 5, 2021
@yeisonvargasf
Merge pull request #2337 from sobolevn/patch-1
d9ee0fa 
Remove `coveragepy` from vulnerable, refs #2335
@BenGalewsky BenGalewsky mentioned this issue Aug 11, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@yeisonvargasf yeisonvargasf

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Remove coveragepy from vulnerable, refs #2335 sobolevn/safety-db
5 participants
@nedbat @whyscream @sobolevn @awsbillz @yeisonvargasf