
Report contains lots of duplicated vulnerabilities with tensorflow==2.4.0 and the commercial database #353

Closed
millenc opened this issue Aug 19, 2021 · 3 comments
bug Indicates a problem that needs to be resolved.

Comments

@millenc

millenc commented Aug 19, 2021

  • safety version: 1.10.3
  • Python version: 3.7.10
  • Operating System: Ubuntu 20.04

Description

The safety report (either --full-report or --short-report) is huge and contains lots of duplicated lines when tensorflow 2.4.0 is installed and an API key is used.

What I Did

  1. Create a fresh virtual environment: virtualenv -p /usr/bin/python3.7 ~/.envs/tensorflow
  2. Activate the environment
  3. Install tensorflow (2.4.0) and the latest version of safety: pip3 install tensorflow==2.4.0 safety
  4. Run the analysis: safety check
  5. Export the API key environment variable: export SAFETY_API_KEY="<MY API KEY HERE>"
  6. Run the analysis again

Running safety with no API key (step 4), the report looks like this:

+==============================================================================+
|                                                                              |
|                               /$$$$$$            /$$                         |
|                              /$$__  $$          | $$                         |
|           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
|          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
|         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
|          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
|          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
|         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
|                                                          /$$  | $$           |
|                                                         |  $$$$$$/           |
|  by pyup.io                                              \______/            |
|                                                                              |
+==============================================================================+
| REPORT                                                                       |
| checked 47 packages, using free DB (updated once a month)                    |
+============================+===========+==========================+==========+
| package                    | installed | affected                 | ID       |
+============================+===========+==========================+==========+
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40469    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40472    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40682    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40684    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40678    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40681    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40683    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40680    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40679    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40691    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40467    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40694    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40692    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40695    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40465    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40688    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40689    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40690    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40468    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40697    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40767    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40706    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40710    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40677    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40693    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40700    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40696    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40699    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40702    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40701    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40698    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40772    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40675    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40676    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40673    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40747    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40748    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40715    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40708    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40703    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40744    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40464    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40734    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40770    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40728    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40766    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40714    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40685    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40746    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40686    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40718    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40738    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40741    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40466    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40742    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40765    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40712    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40713    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40716    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40724    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40721    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40768    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40705    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40764    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40740    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40723    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40722    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40720    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40717    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40707    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40731    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40732    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40733    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40735    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40736    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40737    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40739    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40743    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40745    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40687    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40749    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40750    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40751    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40752    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40753    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40754    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40755    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40756    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40757    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40758    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40759    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40760    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40761    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40762    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40763    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40704    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40769    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40709    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40771    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40711    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40773    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40774    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40775    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40777    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40778    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40725    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40719    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40726    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40727    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40729    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40730    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40470    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40471    |
+==============================================================================+

If I export the API key (step 5) and run the analysis again (step 6), the result is the log included in the attached file:

safety-check-tensorflow-2.4.0-with-apikey.log

As you can see, there are more than 16k lines in there. Such a report is not useful at all and causes issues in CI/CD pipelines that impose limits on the size of logs. Using the --full-report option is even worse, since the log turns out to have more than 160k lines (~14MB). The same thing happens with the JSON report.
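As an added example (not part of the original issue or of the safety project), the following script collapses a duplicated safety JSON report into one row per (package, installed version, vulnerability ID) and one summary line per package, so a CI log stays readable while the backend fix is pending. It assumes the 5-element row shape safety 1.x emits with --json (package, affected spec, installed version, advisory, ID); the sample input is constructed, with IDs taken from the free-DB table above and repeats standing in for the duplicated rows.

```python
import json
from collections import OrderedDict

# Constructed sample in the assumed shape of safety 1.x `--json` output:
# one list per finding: [package, affected spec, installed, advisory, ID].
# The repeated rows stand in for the duplicates described in the issue.
SAMPLE_JSON = json.dumps([
    ["tensorflow", ">=2.4.0rc0,<2.4.2", "2.4.0", "advisory (constructed)", "40469"],
    ["tensorflow", ">=2.4.0rc0,<2.4.2", "2.4.0", "advisory (constructed)", "40472"],
    ["tensorflow", ">=2.4.0rc0,<2.4.2", "2.4.0", "advisory (constructed)", "40469"],
    ["tensorflow", ">=2.4.0rc0,<2.4.2", "2.4.0", "advisory (constructed)", "40469"],
    ["tensorflow", ">=2.4.0rc0,<2.4.2", "2.4.0", "advisory (constructed)", "40472"],
    ["tensorflow", ">=2.4.0rc0,<2.4.2", "2.4.0", "advisory (constructed)", "40682"],
])


def dedupe_findings(report_json):
    """Return (unique_rows, dropped): first occurrence of each
    (package, installed, ID) is kept in order; repeats are counted."""
    seen = set()
    unique = []
    dropped = 0
    for row in json.loads(report_json):
        name, spec, installed, advisory, vuln_id = row
        key = (name, installed, vuln_id)
        if key in seen:
            dropped += 1
            continue
        seen.add(key)
        unique.append(row)
    return unique, dropped


def summarize(unique_rows):
    """Collapse unique findings to (package, installed, spec) -> sorted ID list."""
    by_pkg = OrderedDict()
    for name, spec, installed, advisory, vuln_id in unique_rows:
        by_pkg.setdefault((name, installed, spec), []).append(vuln_id)
    return {key: sorted(ids) for key, ids in by_pkg.items()}


def render(summary):
    """One compact line per package, suitable for a size-limited CI log."""
    return [f"{name} {installed} ({spec}): {len(ids)} unique IDs: {', '.join(ids)}"
            for (name, installed, spec), ids in summary.items()]


if __name__ == "__main__":
    unique, dropped = dedupe_findings(SAMPLE_JSON)
    print(f"dropped {dropped} duplicate rows, {len(unique)} unique findings")
    for line in render(summarize(unique)):
        print(line)
```

In a pipeline, the report text would come from `safety check --json` on stdin instead of SAMPLE_JSON; a non-empty unique list still signals that the build should fail.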

@yeisonvargasf yeisonvargasf self-assigned this Aug 19, 2021
@yeisonvargasf
Member

Hi @millenc, thanks for reporting this. It looks like a bug in the Safety report that occurs only with Tensorflow; we are going to verify and inspect the possible cause and will apply a fix as soon as possible.

@yeisonvargasf yeisonvargasf added the bug Indicates a problem that needs to be resolved. label Sep 14, 2021
@yeisonvargasf
Member

@millenc I closed this issue because it was fixed on our backend side. No update is needed, so you should be able to see the fix with no action on your side. Let me know if it's OK for you, and don't hesitate to reach out to us if there is another issue.

@millenc
Author

millenc commented Sep 15, 2021

> @millenc I closed this issue because it was fixed on our backend side. No update is needed, so you should be able to see the fix with no action on your side. Let me know if it's OK for you, and don't hesitate to reach out to us if there is another issue.

@yeisonvargasf I can confirm that the issue appears to be fixed. I've tried using safety on a fresh project with tensorflow==2.5.0 (one of the affected versions) and the report looks good now.

Thank you very much for your support!
