
Security vulnerabilities in 17.0.0-rc1 #64417

Closed
vogelsgesang opened this issue Aug 4, 2023 · 9 comments
Labels
code-quality obsolete Issues with old (unsupported) versions of LLVM

Comments

@vogelsgesang
Member

An automated security scan of 17.0.0-rc1 complained about the following dependencies

[Two screenshots of the scan results, taken 2023-08-04 at 13:45:08 and 13:46:06; images not preserved]

The relevant requirement files are:

(Previously reported in #57907 (comment) ; splitting this off as a separate issue as requested on Discourse)

@vogelsgesang vogelsgesang added this to the LLVM 17.0.X Release milestone Aug 4, 2023
@vogelsgesang
Member Author

vogelsgesang commented Aug 4, 2023

Tagging potential owners of the requirements files based on git log

Would be great if you could take a quick look at the dependencies, and upgrade them if possible

@mtrofin
Member

mtrofin commented Aug 4, 2023

For third-party/benchmark/requirements.txt - https://reviews.llvm.org/D157101

(It's just a refresh from the upstream google/benchmark repo)

@tru
Collaborator

tru commented Aug 7, 2023

https://reviews.llvm.org/D157254 for llvm/utils/git

@tru
Collaborator

tru commented Aug 7, 2023

@vogelsgesang maybe this is a bit unrelated to this - but it would be nice to have the actions run this check somehow.

@vogelsgesang
Member Author

vogelsgesang commented Aug 7, 2023

it would be nice to have the actions run this check somehow

Agree. I am not sure how to do this, though. The tool we are internally using is proprietary, and we are only scanning LLVM's source code when I am about to upgrade to a new version. I will reach out to the security team internally to figure out if they have an idea how to automate this
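One way to have the GitHub Actions run such a check, added here as an illustration and not something from this thread or from llvm-project itself: a workflow that audits every requirements file in the checkout with pip-audit, the open-source PyPA scanner, used here as an assumed stand-in for the proprietary tool mentioned above. The workflow name, the weekly cron schedule, the Python version and the `requirements*.txt` glob are all assumptions.

```yaml
# Assumed file name: .github/workflows/pip-audit.yml (not part of llvm-project)
name: pip-audit

on:
  pull_request:
    paths:
      - '**/requirements*.txt'   # only run when a requirements file changes
  schedule:
    - cron: '0 6 * * 1'          # weekly, so newly published advisories are caught too

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v4
        with:
          python-version: '3.11'
      - run: python -m pip install pip-audit
      # Audit each requirements file separately so the job log names the
      # offending file; keep going after a failure and fail the job at the end.
      - run: |
          status=0
          while IFS= read -r f; do
            echo "== auditing $f"
            pip-audit -r "$f" || status=1
          done < <(find . -name 'requirements*.txt' -not -path '*/.git/*')
          exit "$status"
```

pip-audit exits non-zero when a pinned package has a known advisory, which is what fails the job; a finding the scanner considers a false positive (as the FlangOmpReport commit below suspects for ruamel.yaml) can be excluded with pip-audit's `--ignore-vuln` option and the vulnerability id reported in the log.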

@pogo59
Collaborator

pogo59 commented Aug 7, 2023

Does github allow a project to enable dependabot? The GHE instance that Sony runs internally does that.

@tru
Collaborator

tru commented Aug 7, 2023

@tstellar could we enable dependabot for python on llvm-project? or is there something blocking that?
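For reference, a dependabot configuration that would cover the three requirement files named earlier in this thread (for pogo59's and tru's dependabot question). This is an added illustration, not configuration from llvm-project; the directories are taken from the paths mentioned above, and the weekly cadence and the pull-request label are assumptions.

```yaml
# Assumed file name: .github/dependabot.yml (not part of llvm-project)
version: 2
updates:
  # third-party/benchmark/requirements.txt (see D157101 above)
  - package-ecosystem: "pip"
    directory: "/third-party/benchmark"
    schedule:
      interval: "weekly"
    labels: ["code-quality"]

  # llvm/utils/git (see D157254 above)
  - package-ecosystem: "pip"
    directory: "/llvm/utils/git"
    schedule:
      interval: "weekly"
    labels: ["code-quality"]

  # flang/examples/FlangOmpReport (see D157284 below)
  - package-ecosystem: "pip"
    directory: "/flang/examples/FlangOmpReport"
    schedule:
      interval: "weekly"
    labels: ["code-quality"]
```

One caveat for the first entry: third-party/benchmark is a vendored copy of google/benchmark, so a dependabot bump there would make the copy diverge from upstream. For a vendored directory it is usually better to take updates by refreshing from upstream, as mtrofin did in D157101, and either leave that directory out of the configuration or rely on dependabot's security alerts alone for it.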

@Sezoir
Contributor

Sezoir commented Aug 7, 2023

https://reviews.llvm.org/D157284 for flang/examples/FlangOmpReport

Sezoir added a commit that referenced this issue Aug 7, 2023
ruamel.yaml had a potential security issue (may also be a false
positive in the scanner).

Related to #64417

Reviewed By: avogelsgesang

Differential Revision: https://reviews.llvm.org/D157284
@vogelsgesang
Member Author

closing, since llvm 17 is done and there is a newer release already

@EugeneZelenko EugeneZelenko added the obsolete Issues with old (unsupported) versions of LLVM label Jun 4, 2024
@EugeneZelenko EugeneZelenko closed this as not planned Won't fix, can't repro, duplicate, stale Jun 4, 2024