This repository was archived by the owner on Mar 20, 2024. It is now read-only.

snyk incorrectly reporting 1 vulnerability #29

Closed
@JonZeolla

Description


Summary

snyk.io is currently reporting that the version of pyyaml used by easy_sast is vulnerable to an Arbitrary Code Execution vulnerability. easy_sast was never susceptible to this vulnerability, as it has always used safe_load, which is considered safe. MITRE has assigned this vulnerability CVE-2020-1747.

Potential Impact

There is no impact to the easy_sast project due to the appropriate use of safe_load to load untrusted yaml files. pyyaml is used for configuration loading (pyyaml 5.3), and the testing (pyyaml 5.3) of configuration loading.

Next Steps

  1. As a best practice, update the easy_sast requirements via make requirements when yaml/pyyaml#386 (Prevents arbitrary code execution during python/object/new constructor) is merged and included in a release.
  2. Cut an easy_sast release with these updated requirements.
    • Based on the breaking changes introduced since the last release, this will be version 1.0.0 (see git log 'v0.2.0'...'0eefbb341facfdd5cfe73774faebdb311579d232' --oneline).
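The safe_load distinction the issue relies on, shown as an added example that is not easy_sast's own code: a minimal configuration loader that only ever calls yaml.safe_load, and a check that a document carrying a python/object/new tag (the tag family behind CVE-2020-1747) is refused by the SafeConstructor instead of being constructed. It assumes pyyaml is installed; the configuration keys and the tagged document are constructed for the illustration and are not taken from the project.

```python
"""Added example: why a loader built on yaml.safe_load is not affected by
python/object/new constructor issues. Not code from the easy_sast project."""
import yaml

# Constructed sample: a harmless configuration document of the kind a
# config loader reads. The keys are illustrative, not easy_sast's schema.
BENIGN_CONFIG = """
api_key_env: VERACODE_API_KEY_ID
workflow:
  - check_compliance
  - sandbox_scan
loglevel: warning
"""

# Constructed sample: a document that asks the loader to instantiate a
# Python object via the python/object/new tag. A permissive loader hands
# this to its python/object/new constructor; SafeLoader has no constructor
# registered for the tag at all, so it never reaches object construction.
TAGGED_DOCUMENT = """
loglevel: !!python/object/new:builtins.str
  args: ["never constructed"]
"""


def load_config(text):
    """Parse a YAML configuration string with the safe loader only.

    safe_load resolves only the core YAML tags (str, int, float, bool, null,
    timestamp, seq, map, set, ...); any other tag is rejected.
    """
    return yaml.safe_load(text)


def rejects_tagged_document(text):
    """Return True if the safe loader refuses to construct the document.

    SafeConstructor raises yaml.constructor.ConstructorError ("could not
    determine a constructor for the tag ...") for tags it does not know,
    which is exactly what happens for every python/* tag.
    """
    try:
        yaml.safe_load(text)
    except yaml.constructor.ConstructorError:
        return True
    return False


if __name__ == "__main__":
    print("benign config:", load_config(BENIGN_CONFIG))
    print("tagged document rejected:", rejects_tagged_document(TAGGED_DOCUMENT))
```

The point of the second function is the failure mode: with safe_load the tagged document is an error at construction time, not a constructed object, so a project that never calls yaml.load, yaml.full_load or yaml.unsafe_load on untrusted input does not expose the python/object/new code path regardless of which pyyaml release is pinned.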
