IdentityPython/pysaml2

Vulnerable PyOpenSSL dependency in example code causes Snyk to flag pysaml2

APCBoston opened this issue · 1 comment

Summary

pysaml2 does not depend on PyOpenSSL, but some of the examples import PyOpenSSL, and it is likewise mentioned as a dependency in pyproject.toml and poetry.lock. This is a problem because PyOpenSSL is vulnerable to CVE-2023-6129 and CVE-2023-6237. Additionally, the Python Cryptographic Authority strongly recommends against using PyOpenSSL, despite the fact that it is their package.

All of this caused Snyk to wrongly flag pysaml2 as vulnerable to these two CVEs via its use of pyopenssl.

Possible Solution

Suggest migrating the example code to eliminate reliance on pyopenssl. Alternatively, removing this package from the pyproject.toml and poetry.lock may help with security scanners (Snyk at least relies on these manifests) and may be appropriate in light of the fact that pyopenssl is not a true dependency of pysaml2.
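The check below is an added example, not pysaml2's code and not something the reporter posted: it cross-checks a Poetry manifest against the imports actually present in a code base, separating dependencies the shipped package never imports from those that are imported only under an `example/` directory. The manifest text, the file contents, the `example/` path convention and the small distribution-name-to-import-name table are all constructed for the example; the table matters because scanners key on the distribution name in `pyproject.toml` (`pyOpenSSL`) while the code imports a differently named module (`OpenSSL`), so a plain grep for the dependency name would miss the example usage entirely. Python 3.11's `tomllib` is used when available, with a minimal regex fallback for the one table the audit reads.

```python
"""Cross-check a Poetry manifest against what the code base actually imports.

Added example, not pysaml2 code.  Flags declared dependencies that the library
package never imports, and notes which of those are imported only by examples.
"""
import ast
import re

# Distribution name (normalized) -> top-level import names.  Constructed subset
# for this example; PyPI has no authoritative mapping, so a real audit needs a
# fuller table (or reads top_level.txt from the installed distributions).
IMPORT_NAMES = {
    "pyopenssl": ["OpenSSL"],
    "pyyaml": ["yaml"],
    "python-dateutil": ["dateutil"],
}


def normalize(name):
    """PEP 503 normalization: case-insensitive, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def declared_dependencies(pyproject_text):
    """Normalized names from [tool.poetry.dependencies], excluding 'python'."""
    try:
        import tomllib  # Python 3.11+
        deps = tomllib.loads(pyproject_text)["tool"]["poetry"]["dependencies"]
    except ImportError:
        # Minimal fallback: bare 'name = ...' lines inside that one table.
        section = re.search(
            r"\[tool\.poetry\.dependencies\]\n(.*?)(?=\n\[|\Z)",
            pyproject_text, re.S)
        body = section.group(1) if section else ""
        deps = re.findall(r"^([A-Za-z0-9_.-]+)\s*=", body, re.M)
    return {normalize(n) for n in deps if normalize(n) != "python"}


def imported_top_level(source):
    """Top-level module names imported (absolutely) by a Python source string."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names.add(node.module.split(".")[0])
    return names


def import_names_for(dist):
    """Candidate import names for a normalized distribution name."""
    return IMPORT_NAMES.get(dist, [dist.replace("-", "_")])


def audit(pyproject_text, files, example_prefix="example/"):
    """files maps repo-relative path -> source.  Paths under example_prefix are
    treated as examples, everything else as the shipped package.
    Returns (declared_but_unused_by_package, subset_imported_only_by_examples)."""
    package_imports, example_imports = set(), set()
    for path, source in files.items():
        bucket = example_imports if path.startswith(example_prefix) else package_imports
        bucket |= imported_top_level(source)
    unused, examples_only = set(), set()
    for dep in declared_dependencies(pyproject_text):
        candidates = import_names_for(dep)
        if not any(c in package_imports for c in candidates):
            unused.add(dep)
            if any(c in example_imports for c in candidates):
                examples_only.add(dep)
    return unused, examples_only


# Constructed manifest and sources modelled on the situation in the report:
# pyOpenSSL is declared, but only an example imports it (as "OpenSSL").
PYPROJECT = """\
[tool.poetry]
name = "demo-saml"
version = "0.0.0"

[tool.poetry.dependencies]
python = "^3.9"
cryptography = ">=3.1"
requests = ">=2"
pyOpenSSL = "*"
"""

FILES = {
    "src/saml2/sigver.py": (
        "from cryptography.hazmat.primitives import hashes\n"
        "import requests\n"
        "from . import config\n"
    ),
    "src/saml2/config.py": "import os\nimport logging\n",
    "example/idp2/idp.py": "from OpenSSL import crypto\nimport saml2\n",
}


if __name__ == "__main__":
    unused, examples_only = audit(PYPROJECT, FILES)
    for dep in sorted(unused):
        where = "examples only" if dep in examples_only else "nowhere"
        print(f"{dep}: declared in pyproject.toml but imported {where}")
```

Run against a real checkout, `files` would be built by walking the repository; anything reported as "examples only" is a candidate for moving into an optional dependency group or dropping from the manifest, which is what removes it from the lock file that manifest-based scanners read.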

Thank you for the report. I will try to fix this asap.