Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump asteval from 1.0.0 to 1.0.1 #10561

Open
wants to merge 1 commit into
base: dev
Choose a base branch
from
Open

Bump asteval from 1.0.0 to 1.0.1 #10561

wants to merge 1 commit into from
+1 −1

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jul 12, 2024

Bumps asteval from 1.0.0 to 1.0.1.

Release notes

Sourced from asteval's releases.

1.0.1

security fixes, based on audit by Andrew Effenhauser, Ayman Hammad, and Daniel Crowley, IBM X-Force Security Research division

  • remove numpy modules polynomial, fft, linalg by default for security concerns
  • disallow string.format(), improve security of f-string evaluation
Commits
  • c673c8b update doc to describe audit by IBM security research group
  • d85e7cb remove numpy modules polynomial, fft, linalg by default for security concerns
  • 1b453ec disallow string.format(), improve security of f-string evaluation
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump asteval from 1.0.0 to 1.0.1
846c27d 
Bumps [asteval](https://github.com/lmfit/asteval) from 1.0.0 to 1.0.1.
- [Release notes](https://github.com/lmfit/asteval/releases)
- [Commits](lmfit/asteval@1.0.0...1.0.1)

---
updated-dependencies:
- dependency-name: asteval
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Jul 12, 2024
@dryrunsecurity DryRunSecurity
Copy link

dryrunsecurity bot commented Jul 12, 2024
edited
Loading

DryRun Security Summary

The provided code change updates the requirements.txt file for the DefectDojo application, including updating the asteval library version and adding several new libraries to provide additional functionality or integrations, demonstrating the project's commitment to maintaining a secure and up-to-date codebase.

Expand for full summary

Summary:

The provided code change is an update to the requirements.txt file for the DefectDojo application, a popular open-source web application for managing software vulnerabilities. The changes include updating the version of the asteval library, as well as adding several new libraries that provide additional functionality or integrations for the application.

From an application security perspective, the changes demonstrate the project's commitment to maintaining a secure and up-to-date codebase. The inclusion of security-related libraries, such as cryptography, djangosaml2, PyJWT, and django-ratelimit, suggests that the application has complex authentication, authorization, and security mechanisms that should be reviewed carefully for potential vulnerabilities. The addition of the blackduck library also indicates that the project may be using the Black Duck software composition analysis tool to scan for known vulnerabilities in the project's dependencies.

Files Changed:

  • requirements.txt: The code change updates the version of the asteval library from 1.0.0 to 1.0.1, and adds several new libraries, including drf-spectacular, drf-spectacular-sidecar, django-ratelimit, argon2-cffi, blackduck, pycurl, boto3, netaddr, vulners, and fontawesomefree. These changes likely provide additional functionality or integrations for the DefectDojo application.

Code Analysis

We ran 7 analyzers against 1 file and 1 analyzer had findings. 6 analyzers had no findings.

Analyzer Findings
Sensitive Files Analyzer 1 finding

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

@sonarcloud SonarCloud
Copy link

sonarcloud bot commented Jul 12, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

mtesauro
mtesauro approved these changes Jul 12, 2024
View reviewed changes
Copy link
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cneill cneill cneill approved these changes

@mtesauro mtesauro mtesauro approved these changes

At least 4 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file python Pull requests that update Python code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@cneill @mtesauro