
Inconsequent ignoring #148

Closed
joakimnordling opened this issue Nov 2, 2022 · 1 comment · Fixed by #149
Labels: bug (Something isn't working), source:pyup

Comments

@joakimnordling

Let's take a look at this example:

% echo "py==1.11.0" | skjold audit -s pyup -s gemnasium -
Warning: No advisory sources configured!

py==1.11.0 (<=1.11.0) via gemnasium as CVE-2022-42969 found in <stdin>

Regular expression Denial of Service. The py library through 1.11.0 for Python
allows remote attackers to conduct a ReDoS (Regular expression Denial of
Service) attack via a Subversion repository with crafted info data, because the
InfoSvnCommand argument is mishandled.
https://nvd.nist.gov/vuln/detail/CVE-2022-42969

https://nvd.nist.gov/vuln/detail/CVE-2022-42969
https://pypi.org/project/py
https://github.com/pytest-dev/py/blob/cb87a83960523a2367d0f19226a73aed4ce4291d/py/_path/svnurl.py#L316
https://github.com/pytest-dev/py/issues/287
--

py==1.11.0 (<=1.11.0) via pyup as pyup.io-51457 found in <stdin>

Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular
expression Denial of Service) attack via a Subversion repository with crafted
info data, because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287
https://pyup.io/vulnerabilities/CVE-2022-42969/51457/

--
Found 1 vulnerable package(s)!

Both pyup and gemnasium find this package as a vulnerability. However, when using pyup as a source, it's identified as pyup.io-51457, not as CVE-2022-42969, like it is when using gemnasium. Thus, if you want to ignore this finding, you will have to run skjold ignore py CVE-2022-42969 and skjold ignore py pyup.io-51457 to ignore both of these.

I'm guessing there's just some error (or inconsistency) in how the data from pyup is parsed, as the raw data contains the CVE.

Changing this behaviour can of course break some existing ignore files, but it would still be nice if it worked intuitively and followed the examples on how to ignore the finding.

@twu (Owner)

twu commented Nov 5, 2022

At the time of adding ignore, the cve field was not set in all or most of the pyup records AFAIR; as such, it didn't make sense to use it as the primary identifier. However, it seems like this is no longer the case, and I totally agree that this would make ignore behave more intuitively. I will add this to the next release. Thank you for reporting the issue!
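The identifier handling discussed in the report and in the maintainer's reply, as an added example that is neither skjold's code nor the fix in #149 (the record layout, the function names and the pyup.io-00000 record are assumptions): prefer the CVE as the primary identifier when a pyup record carries one, fall back to the pyup id when it doesn't, and let an ignore entry match either name so ignore files written against the old pyup id keep working.

```python
# Added example (not skjold's own code): pick a stable primary identifier for a
# pyup-style advisory record and match findings against an ignore file.
#
# Assumptions (hypothetical, not taken from the project): a pyup record is a dict
# with "id" (e.g. "pyup.io-51457"), an optional "cve" field that may be missing or
# empty, and "specs"; an ignore file maps a package name to a list of identifiers.
import re
from dataclasses import dataclass

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass(frozen=True)
class Finding:
    package: str
    identifier: str         # identifier shown to the user (CVE when available)
    aliases: frozenset      # every identifier this finding is known under


def normalize_identifier(record: dict) -> str:
    """Prefer the CVE when the record carries a well-formed one; otherwise keep
    the source-specific id, because records without a CVE do exist."""
    cve = (record.get("cve") or "").strip().upper()
    if CVE_RE.match(cve):
        return cve
    return record["id"]


def finding_from_pyup(package: str, record: dict) -> Finding:
    """Build a Finding that remembers both the CVE and the pyup id."""
    primary = normalize_identifier(record)
    aliases = {record["id"].upper(), primary.upper()}
    return Finding(package=package, identifier=primary, aliases=frozenset(aliases))


def is_ignored(finding: Finding, ignore_file: dict) -> bool:
    """Match on any alias (case-insensitively), so an ignore file written against
    the old pyup id keeps working after the primary identifier becomes the CVE."""
    wanted = {entry.strip().upper() for entry in ignore_file.get(finding.package, [])}
    return bool(wanted & finding.aliases)


def audit(package: str, records: list, ignore_file: dict) -> list:
    """Return the primary identifiers of findings that are not ignored."""
    findings = [finding_from_pyup(package, r) for r in records]
    return [f.identifier for f in findings if not is_ignored(f, ignore_file)]


# Constructed sample data: the first record is modelled on the output quoted in
# the issue; the second is a made-up record without a CVE (pyup.io-00000 is a
# placeholder, not a real pyup id).
PYUP_RECORD_WITH_CVE = {"id": "pyup.io-51457", "cve": "CVE-2022-42969", "specs": ["<=1.11.0"]}
PYUP_RECORD_WITHOUT_CVE = {"id": "pyup.io-00000", "cve": "", "specs": ["<1.0"]}


if __name__ == "__main__":
    legacy_ignore = {"py": ["pyup.io-51457"]}   # ignore entry using the old pyup id
    print(audit("py", [PYUP_RECORD_WITH_CVE, PYUP_RECORD_WITHOUT_CVE], legacy_ignore))
    # → ['pyup.io-00000']
```

Keeping the pyup id as an alias rather than discarding it is what avoids the breakage the reporter worries about: a single ignore entry in either form silences the finding, while a record with no usable cve field is still reported under its pyup id.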

@twu twu self-assigned this Nov 5, 2022
@twu twu added bug Something isn't working source:pyup labels Nov 5, 2022
@twu twu closed this as completed in #149 Nov 5, 2022