pyupio/safety

safety-2.3.5 fails because of the code that safety installs when using docker/compose:1.29.2 runner in pipeline

sunlao opened this issue · 2 comments

  • safety version: 2.3.5
  • Using container: docker/compose:1.29.2

Description

Latest Safety fails because of the code that safety installs when using latest docker/compose runner

When the following runs in CICD:

pip3 uninstall -y urllib3 safety
pip3 install urllib3==1.26.14
pip3 install safety==2.3.5

The output:

Successfully installed Click-8.1.3 dparse-0.6.2 packaging-21.3 ruamel.yaml-0.17.21 ruamel.yaml.clib-0.2.7 safety-2.3.5 urllib3-1.25.11

Then CICD command

safety check

with output:

Vulnerability found in urllib3 version 1.25.11
Vulnerability ID: 43975
Affected spec: <1.26.5
ADVISORY: Urllib3 1.26.5 includes a fix for CVE-2021-33503: An issue
was discovered in urllib3 before 1.26.5. When provided with a URL...
CVE-2021-33503
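The report above shows pip silently re-resolving urllib3 to 1.25.11 after the pipeline had pinned 1.26.14, and `safety check` then flagging that version against the advisory's affected spec `<1.26.5`. The following is an added example, not code from pyupio/safety or from the issue author: a small CI gate that parses pip's "Successfully installed" line, reports any pin the resolver did not honour, and evaluates a version against an affected spec of the form printed by Safety. The sample inputs are constructed from the lines quoted in the issue; the helper names are hypothetical, and the version comparison only handles plain dotted release numbers (no PEP 440 pre-release or local tags).

```python
"""Pin-drift and affected-spec check for a pip install log.

Added example, not code from pyupio/safety. It assumes a CI step whose
stdout contains pip's "Successfully installed ..." line and a dict of
the versions the pipeline intended to pin.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the pip output quoted in the issue report.
PIP_OUTPUT = (
    "Successfully installed Click-8.1.3 dparse-0.6.2 packaging-21.3 "
    "ruamel.yaml-0.17.21 ruamel.yaml.clib-0.2.7 safety-2.3.5 urllib3-1.25.11"
)

# Constructed from the pipeline's own `pip3 install` commands.
INTENDED_PINS = {"urllib3": "1.26.14", "safety": "2.3.5"}

# The affected spec printed by `safety check` in the report.
AFFECTED_SPEC = "<1.26.5"


def parse_installed(pip_output: str) -> Dict[str, str]:
    """Return {name: version} from pip's 'Successfully installed' line."""
    installed: Dict[str, str] = {}
    for line in pip_output.splitlines():
        if not line.startswith("Successfully installed "):
            continue
        for token in line.split()[2:]:
            # pip prints name-version; the version follows the last '-'.
            name, _, version = token.rpartition("-")
            installed[name.lower()] = version
    return installed


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for comparing dotted release versions (no pre-release tags)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def matches_spec(version: str, spec: str) -> bool:
    """True if `version` satisfies every clause of a spec like '>=1.25,<1.26.5'."""
    for clause in spec.split(","):
        # Two-character operators are listed first so '<=' is not read as '<'.
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([\w.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported spec clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](version_key(version), version_key(bound)):
            return False
    return True


def find_pin_drift(installed: Dict[str, str], pins: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (package, intended, actual) for every pin pip's resolution did not honour."""
    drift = []
    for name, wanted in pins.items():
        actual = installed.get(name.lower())
        if actual is not None and actual != wanted:
            drift.append((name, wanted, actual))
    return drift


def check_install_log(pip_output: str, pins: Dict[str, str]) -> List[str]:
    """Human-readable findings; an empty list means the install matched the pins."""
    installed = parse_installed(pip_output)
    return [f"{n}: pinned {w}, pip installed {a}" for n, w, a in find_pin_drift(installed, pins)]


if __name__ == "__main__":
    for finding in check_install_log(PIP_OUTPUT, INTENDED_PINS):
        print("pin drift:", finding)
    actual_urllib3 = parse_installed(PIP_OUTPUT)["urllib3"]
    print(f"urllib3 {actual_urllib3} affected by {AFFECTED_SPEC}:",
          matches_spec(actual_urllib3, AFFECTED_SPEC))
```

Run this against the captured stdout of the `pip3 install` step and fail the job when `check_install_log` returns findings; that surfaces the downgrade at install time rather than leaving it for `safety check` to discover. Feeding pip the pins through a constraints file (`pip install -c constraints.txt safety==2.3.5`) is the usual way to stop the later install from undoing the earlier pin, and this gate confirms the constraint actually held.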

Hi @sunlao, Safety 2.3.5 doesn't pin requests, so this should be related to the dependency tree resolved by pip.

There isn't anything to do from the Safety side, as I don't think it is okay to force >=1.26.5.

I will close this issue but feel free to re-open it or comment if you have more detail that suggests this is a Safety issue.

It looks to me that safety is saying it is "unsafe" to use an unpinned requests because 1.25.11 is vulnerable. So safety can't run safely with its own unpinned requirements.