
fix: add urllib3 explicitly to avoid CVEs #1628


Merged: 2 commits, May 24, 2022

Conversation

@terriko (Contributor) commented Mar 31, 2022

urllib3 is used by requests. It had some CVEs last year (and before). Pip tends to be very conservative about upgrading packages and requests doesn't require a non-vulnerable version of the library, so I'm adding it to our requirements.txt file in order to force an upgrade for users of cve-bin-tool.

Probably not necessary, as these fixes have been out quite some time, but I happened upon a machine I was using for testing that had the older version, and figured I might as well set this up as a courtesy in case anyone else encounters a similar issue. This way, when you run pip install --upgrade -r requirements.txt, urllib3 will be explicitly named and upgraded. (Without this line, upgrading the other packages would not upgrade urllib3.)
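The mechanism the PR description relies on, shown as an added example that is not code from cve-bin-tool or from this PR: `pip install --upgrade -r requirements.txt` refreshes only the packages named in the file, and a transitive dependency such as urllib3 is left alone unless a listed package demands a newer version. The script below parses a constructed requirements file in its "before" and "after" forms and reports which packages that command would upgrade and which it would leave untouched. The dependency map and the `urllib3>=1.26.5` pin are constructed stand-ins (the PR's actual requirements line is not shown on this page); real transitive dependencies come from each package's own metadata.

```python
"""Added example: which packages `pip install --upgrade -r requirements.txt`
actually refreshes, and which transitive dependencies it leaves alone."""
import re

# Constructed "before" file: urllib3 is only reached through requests.
REQUIREMENTS_BEFORE = """\
requests
packaging
"""

# Constructed "after" file: urllib3 is named explicitly (the pin value is a
# constructed example, not the line from the real PR).
REQUIREMENTS_AFTER = """\
requests
packaging
urllib3>=1.26.5
"""

# Constructed, simplified dependency map: what each direct requirement pulls in.
# Real tools read this from each distribution's Requires-Dist metadata.
TRANSITIVE = {
    "requests": ["urllib3", "idna", "charset-normalizer", "certifi"],
    "packaging": ["pyparsing"],
}

# Matches "<name>" optionally followed by a version specifier like ">=1.26.5".
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*([<>=!~]=?\s*[^#;]*)?")


def parse_requirements(text):
    """Return {normalized name: specifier string} for each requirement line.

    Comments, blank lines and option lines (e.g. "-r other.txt") are skipped.
    """
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _REQ_RE.match(line)
        if m:
            out[m.group(1).lower()] = (m.group(2) or "").strip()
    return out


def upgrade_plan(req_text, transitive=TRANSITIVE):
    """Split packages into those `pip install --upgrade -r` will refresh
    (explicitly listed) and those it leaves alone under the default
    `--upgrade-strategy only-if-needed`, i.e. transitive deps not listed."""
    direct = parse_requirements(req_text)
    left_alone = set()
    for name in direct:
        for dep in transitive.get(name, []):
            if dep.lower() not in direct:
                left_alone.add(dep.lower())
    return {"upgraded": sorted(direct), "left_alone": sorted(left_alone)}


if __name__ == "__main__":
    for label, text in (("before", REQUIREMENTS_BEFORE), ("after", REQUIREMENTS_AFTER)):
        plan = upgrade_plan(text)
        print(f"{label}: upgraded={plan['upgraded']} left_alone={plan['left_alone']}")
```

Running it shows urllib3 moving from the "left alone" set to the "upgraded" set once it is named in the file, which is exactly the effect the PR wants. The alternative, `pip install --upgrade --upgrade-strategy eager -r requirements.txt`, refreshes every dependency as well, but it depends on each user remembering the flag; naming the package in requirements.txt makes the upgrade happen by default.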

@codecov-commenter commented

Codecov Report

Merging #1628 (4d14556) into main (af159c8) will decrease coverage by 0.15%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main    #1628      +/-   ##
==========================================
- Coverage   78.57%   78.42%   -0.16%     
==========================================
  Files         291      291              
  Lines        5975     5975              
  Branches      980      980              
==========================================
- Hits         4695     4686       -9     
- Misses       1067     1076       +9     
  Partials      213      213              
Flag: longtests, Coverage: 78.42% <ø> (-0.16%)

Flags with carried forward coverage won't be shown.

Impacted files (coverage, Δ):
cve_bin_tool/nvd_api.py: 75.00% <0.00%> (-9.49%)
cve_bin_tool/cli.py: 70.43% <0.00%> (+0.43%)
cve_bin_tool/checkers/glibc.py: 100.00% <0.00%> (+4.16%)


@terriko terriko requested a review from nedsouza April 4, 2022 19:03
@terriko (Contributor, Author) commented May 24, 2022

Since no one's complained about this I'm going to go ahead and merge it. It's not a functional necessity for us but it seems like encouraging non-vulnerable dependencies is the right thing to do here.

@terriko terriko merged commit 42426c1 into intel:main May 24, 2022