Let's take a look at this example:

```console
% echo "py==1.11.0" | skjold audit -s pyup -s gemnasium -
Warning: No advisory sources configured!
py==1.11.0 (<=1.11.0) via gemnasium as CVE-2022-42969 found in <stdin>
Regular expression Denial of Service. The py library through 1.11.0 for Python
allows remote attackers to conduct a ReDoS (Regular expression Denial of
Service) attack via a Subversion repository with crafted info data, because the
InfoSvnCommand argument is mishandled.
https://nvd.nist.gov/vuln/detail/CVE-2022-42969
https://nvd.nist.gov/vuln/detail/CVE-2022-42969
https://pypi.org/project/py
https://github.com/pytest-dev/py/blob/cb87a83960523a2367d0f19226a73aed4ce4291d/py/_path/svnurl.py#L316
https://github.com/pytest-dev/py/issues/287
--
py==1.11.0 (<=1.11.0) via pyup as pyup.io-51457 found in <stdin>
Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular
expression Denial of Service) attack via a Subversion repository with crafted
info data, because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287
https://pyup.io/vulnerabilities/CVE-2022-42969/51457/
--
Found 1 vulnerable package(s)!
```
Both `pyup` and `gemnasium` find this package as a vulnerability. However, when using `pyup` as a source, it's identified as `pyup.io-51457`, not as `CVE-2022-42969` like it is when using `gemnasium`. Thus, if you want to ignore this finding, you will have to run `skjold ignore py CVE-2022-42969` and `skjold ignore py pyup.io-51457` to ignore both of these.

I'm guessing there's just some error (or inconsistency) in how the data from `pyup` is parsed, as the raw data contains the CVE.

Changing this behaviour can of course break some existing ignore files, but it would still be nice if it worked intuitively and followed the examples on how to ignore the finding.
At the time of adding `ignore`, the `cve` field was not set in all or most of the pyup records AFAIR; as such, it didn't make sense to use it as the primary identifier. However, it seems like this is no longer the case, and I totally agree that this would make `ignore` behave more intuitively. I will add this to the next release. Thank you for reporting the issue!
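To illustrate the identifier choice discussed in this thread, here is an added example (not skjold's own code) that prefers the CVE from a pyup record when one is present and falls back to the `pyup.io-*` id otherwise, so an ignore entry written with either identifier matches. The record layout (`id`, `cve`, `specs` fields) and the sample records are constructed assumptions about the raw pyup data; the example also handles a `cve` field that is empty, holds a non-CVE vendor id, or lists several CVEs.

```python
import re
from typing import Iterable, Optional

# Constructed records shaped like the raw pyup advisory data the issue refers
# to. The field names "id", "cve" and "specs" are an assumption about that
# format; this helper is an illustration, not skjold's implementation.
PYUP_RECORDS = [
    {"id": "pyup.io-51457", "cve": "CVE-2022-42969", "specs": ["<=1.11.0"]},
    {"id": "pyup.io-40001", "cve": None, "specs": ["<0.9"]},               # no CVE assigned
    {"id": "pyup.io-40002", "cve": "PVE-2021-1234", "specs": ["<2.0"]},    # vendor-only id
    {"id": "pyup.io-40003", "cve": "CVE-2021-1000, CVE-2021-1001", "specs": ["<3.0"]},
]

_CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def cve_id(record: dict) -> Optional[str]:
    """Return the first CVE identifier found in the record's cve field, if any."""
    match = _CVE_RE.search(record.get("cve") or "")
    return match.group(0) if match else None


def primary_identifier(record: dict) -> str:
    """Prefer the CVE (the id gemnasium reports); fall back to the pyup.io id."""
    return cve_id(record) or record["id"]


def identifiers(record: dict) -> frozenset:
    """Every identifier under which an ignore entry should match this record."""
    ids = {record["id"]}
    cve = cve_id(record)
    if cve:
        ids.add(cve)
    return frozenset(ids)


def is_ignored(record: dict, ignored: Iterable[str]) -> bool:
    """True if any of the record's identifiers appears in the ignore list."""
    return not identifiers(record).isdisjoint(ignored)


if __name__ == "__main__":
    for rec in PYUP_RECORDS:
        print(rec["id"], "->", primary_identifier(rec), sorted(identifiers(rec)))
```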