Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix issue with parsing details in PYSEC-2022-42969 #107

Merged
merged 1 commit into from Nov 7, 2022
Merged

Fix issue with parsing details in PYSEC-2022-42969 #107

merged 1 commit into from Nov 7, 2022

Conversation

twu
Copy link
Contributor

@twu twu commented Nov 7, 2022

Fixes #106

Proposed Changes

  • Remove offending link/colon from details for PYSEC-2022-42969.

Since it is using the official description from https://nvd.nist.gov/vuln/detail/CVE-2022-42969 and Github is linked as a reference already I removed the Taken from ... from details as it contains the offending colon.

@twu twu mentioned this pull request Nov 7, 2022
Closed
@twu
Copy link
Contributor Author

twu commented Nov 7, 2022

@oliverchang It also looks like this is might be a contested advisory/CVE spam? See #104

@oliverchang
Copy link
Contributor

@oliverchang It also looks like this is might be a contested advisory/CVE spam? See #104

Unclear if this is definitely spam. My read of the upstream issue sounds like: this is a legitimate issue, but it's a ReDoS so the impact for most people is pretty low and unlikely to be fixed in what is now a maintenance mode project.

We don't really have a precedence for excluding ReDoS in general. Do you see these issues as significantly impacting the usefulness of vuln scanners?

@oliverchang
Copy link
Contributor

Merging for now, we can continue discussion here or in the issue you linked!

@oliverchang oliverchang merged commit 0ea4826 into pypa:main Nov 7, 2022
@twu
Copy link
Contributor Author

twu commented Nov 7, 2022

We don't really have a precedence for excluding ReDoS in general. Do you see these issues as significantly impacting the usefulness of vuln scanners?

IMHO, no.

Merging for now, we can continue discussion here or in the issue you linked!

Thank you :)

@sebastian-philipp sebastian-philipp mentioned this pull request Apr 13, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@oliverchang oliverchang oliverchang approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

PYSEC-2022-42969.yaml has colon in the details, need to wrap with quotes
2 participants
@twu @oliverchang