Preview/OSV scanner

[alexcoderabbitai]

Summary by CodeRabbit

• Chores
  • Added new runtime dependencies to the project requirements.
  • Includes a web framework, ASGI toolkit, templating engine, JWT/JOSE library, multipart form handling, and ECDSA support.
  • No user-facing functionality changes in this release.
  • After updating, ensure your environment installs the latest requirements (e.g., reinstall dependencies) to avoid runtime import errors.

[coderabbitai]

Walkthrough

Adds six new runtime dependencies in requirements.txt: ecdsa==0.19.1, fastapi==0.104.1, jinja2==3.1.2, python-jose==3.3.0, python-multipart==0.0.6, and starlette==0.27.0. No source code changes are included.

Changes

Cohort / File(s)	Summary
Dependencies requirements.txt	Declares new Python packages for FastAPI stack, templating, JWT/JOSE, multipart handling, and ECDSA.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

I nibbled on deps by the garden gate,
FastAPI and Starlette on my plate.
Jinja’s lace, JOSE’s key,
Multipart picnics under a tree.
With ECDSA’s crunchy byte,
My burrow now serves pages right! 🐇✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title Check	⚠️ Warning	The title “Preview/OSV scanner” does not reflect the actual changes, which only add FastAPI, templating, multipart, and authentication dependencies rather than implement or preview an OSV scanning feature. It fails to convey the main purpose of the pull request and may mislead reviewers about what the diff contains.	Please update the title to clearly summarize the added dependencies and service setup, for example “Add FastAPI, Jinja2, and JOSE dependencies for OSV scanner service,” so that it accurately reflects the changes made.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch preview/osv-scanner

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between ef04b8d and df4f83c.

📒 Files selected for processing (1)

• requirements.txt (1 hunks)

🧰 Additional context used

🪛 OSV Scanner (2.2.2)

requirements.txt

[HIGH] 1-1: ecdsa 0.19.1: Minerva timing attack on P-256 in python-ecdsa

(GHSA-wj6h-64fc-37mp)

---

[HIGH] 2-2: fastapi 0.104.1: undefined

(PYSEC-2024-38)

---

[HIGH] 3-3: jinja2 3.1.2: Jinja2 vulnerable to sandbox breakout through attr filter selecting format method

(GHSA-cpwx-vrp4-4pq7)

---

[HIGH] 3-3: jinja2 3.1.2: Jinja has a sandbox breakout through malicious filenames

(GHSA-gmj6-6f8f-6699)

---

[HIGH] 3-3: jinja2 3.1.2: Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter

(GHSA-h5c8-rqwp-cp95)

---

[HIGH] 3-3: jinja2 3.1.2: Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter

(GHSA-h75v-3vvj-5mfj)

---

[HIGH] 3-3: jinja2 3.1.2: Jinja has a sandbox breakout through indirect reference to format method

(GHSA-q2x7-8rv6-6q7h)

---

[CRITICAL] 4-4: python-jose 3.3.0: undefined

(PYSEC-2024-232)

---

[CRITICAL] 4-4: python-jose 3.3.0: undefined

(PYSEC-2024-233)

---

[CRITICAL] 4-4: python-jose 3.3.0: python-jose algorithm confusion with OpenSSH ECDSA keys

(GHSA-6c5p-j8vq-pqhj)

---

[CRITICAL] 4-4: python-jose 3.3.0: python-jose denial of service via compressed JWE content

(GHSA-cjwg-qfpm-7377)

---

[HIGH] 5-5: python-multipart 0.0.6: python-multipart vulnerable to Content-Type Header ReDoS

(GHSA-2jv5-9r88-3w3p)

---

[HIGH] 5-5: python-multipart 0.0.6: Denial of service (DoS) via deformation multipart/form-data boundary

(GHSA-59g5-xgcq-4qw3)

---

[HIGH] 6-6: starlette 0.27.0: Starlette has possible denial-of-service vector when parsing large files in multipart forms

(GHSA-2c2j-9gv5-cj73)

---

[HIGH] 6-6: starlette 0.27.0: Starlette Denial of service (DoS) via multipart/form-data

(GHSA-f96h-pmfr-66vw)

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Blocker: Newly added pins introduce known high/critical CVEs

Every dependency added in this hunk is flagged by OSV/GHSA with active HIGH or CRITICAL vulnerabilities:

• ecdsa==0.19.1 → GHSA-wj6h-64fc-37mp (Minerva timing attack).
• fastapi==0.104.1 → PYSEC-2024-38 (security advisory published for this release).
• jinja2==3.1.2 → multiple sandbox breakout/XSS advisories (GHSA-cpwx-vrp4-4pq7, GHSA-gmj6-6f8f-6699, GHSA-h5c8-rqwp-cp95, GHSA-h75v-3vvj-5mfj, GHSA-q2x7-8rv6-6q7h).
• python-jose==3.3.0 → critical algorithm-confusion and decompression DoS issues (GHSA-6c5p-j8vq-pqhj, GHSA-cjwg-qfpm-7377, PYSEC-2024-232/233).
• python-multipart==0.0.6 → multiple multipart parsing DoS advisories (GHSA-2jv5-9r88-3w3p, GHSA-59g5-xgcq-4qw3).
• starlette==0.27.0 → multipart DoS advisories (GHSA-2c2j-9gv5-cj73, GHSA-f96h-pmfr-66vw).

Please update each pin to a version that is listed as patched in the corresponding advisory (or apply an alternative mitigation/library if no fixed release exists yet) before merging. Right now this PR would ship known-vulnerable packages into production.

🧰 Tools

🪛 OSV Scanner (2.2.2)

[HIGH] 1-1: ecdsa 0.19.1: Minerva timing attack on P-256 in python-ecdsa

(GHSA-wj6h-64fc-37mp)

---

[HIGH] 2-2: fastapi 0.104.1: undefined

(PYSEC-2024-38)

---

[HIGH] 3-3: jinja2 3.1.2: Jinja2 vulnerable to sandbox breakout through attr filter selecting format method

(GHSA-cpwx-vrp4-4pq7)

---

[HIGH] 3-3: jinja2 3.1.2: Jinja has a sandbox breakout through malicious filenames

(GHSA-gmj6-6f8f-6699)

---

[HIGH] 3-3: jinja2 3.1.2: Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter

(GHSA-h5c8-rqwp-cp95)

---

[HIGH] 3-3: jinja2 3.1.2: Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter

(GHSA-h75v-3vvj-5mfj)

---

[HIGH] 3-3: jinja2 3.1.2: Jinja has a sandbox breakout through indirect reference to format method

(GHSA-q2x7-8rv6-6q7h)

---

[CRITICAL] 4-4: python-jose 3.3.0: undefined

(PYSEC-2024-232)

---

[CRITICAL] 4-4: python-jose 3.3.0: undefined

(PYSEC-2024-233)

---

[CRITICAL] 4-4: python-jose 3.3.0: python-jose algorithm confusion with OpenSSH ECDSA keys

(GHSA-6c5p-j8vq-pqhj)

---

[CRITICAL] 4-4: python-jose 3.3.0: python-jose denial of service via compressed JWE content

(GHSA-cjwg-qfpm-7377)

---

[HIGH] 5-5: python-multipart 0.0.6: python-multipart vulnerable to Content-Type Header ReDoS

(GHSA-2jv5-9r88-3w3p)

---

[HIGH] 5-5: python-multipart 0.0.6: Denial of service (DoS) via deformation multipart/form-data boundary

(GHSA-59g5-xgcq-4qw3)

---

[HIGH] 6-6: starlette 0.27.0: Starlette has possible denial-of-service vector when parsing large files in multipart forms

(GHSA-2c2j-9gv5-cj73)

---

[HIGH] 6-6: starlette 0.27.0: Starlette Denial of service (DoS) via multipart/form-data

(GHSA-f96h-pmfr-66vw)

🤖 Prompt for AI Agents

In requirements.txt lines 1-6 the newly added exact pins include versions with
known HIGH/CRITICAL CVEs (ecdsa 0.19.1, fastapi 0.104.1, jinja2 3.1.2,
python-jose 3.3.0, python-multipart 0.0.6, starlette 0.27.0); update each pinned
version to the minimum fixed/patched release cited in the corresponding
advisories (or replace with an alternative maintained library if no patched
release exists), verify the chosen versions against OSV/GHSA advisories, run
dependency checks (e.g., pip-audit/safety or GitHub Dependabot reports) to
confirm vulnerabilities are resolved, and update the requirements file with the
new safe pins before merging.