pyupio/safety

Vulnerable dependency to setuptools!?

callebokedal opened this issue · 1 comment

  • safety version: 2.3.5
  • Python version: Python 3.9.6
  • Operating System: macOS 13.6 (22G120)

Description

Just installed safety in a new virtual environment. Seems like it has a dependency on vulnerable setuptools 58.0.4

What I Did

cd somefolder
python3 -m venv .safety-env
source .safety-env/bin/activate
pip install --upgrade pip # -> Successfully installed pip-23.2.1
pip install safety
pip freeze  # note: plain 'pip freeze' omits pip, setuptools, wheel and distribute unless '--all' is given
# Result:
# certifi==2023.7.22
# charset-normalizer==3.3.0
# click==8.1.7
# dparse==0.6.3
# idna==3.4
# packaging==21.3
# pyparsing==3.1.1
# requests==2.31.0
# ruamel.yaml==0.17.35
# ruamel.yaml.clib==0.2.8
# safety==2.3.5
# tomli==2.0.1
# urllib3==2.0.6

# But then, after checking:
safety check

# I get info: 
# -> Vulnerability found in setuptools version 58.0.4

# To check more, I install 'pipdeptree' and run it
pip install pipdeptree
pipdeptree -fl
# Result:
# pip==23.2.1
# pipdeptree==2.13.0
# safety==2.3.5
#   click==8.1.7
#   dparse==0.6.3
#     packaging==21.3
#       pyparsing==3.1.1
#     tomli==2.0.1
#   packaging==21.3
#     pyparsing==3.1.1
#   requests==2.31.0
#     certifi==2023.7.22
#     charset-normalizer==3.3.0
#     idna==3.4
#     urllib3==2.0.6
#   ruamel.yaml==0.17.35
#     ruamel.yaml.clib==0.2.8
#   setuptools==58.0.4

# Suggestion - upgrade setuptools to >= 65.5.1
pip install --upgrade setuptools # -> 68.2.2
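The gap between the two listings above is a pip behaviour worth knowing: plain `pip freeze` skips pip, setuptools, wheel and distribute unless `--all` is passed, while `pipdeptree` and `safety check` see the real environment, which is why setuptools==58.0.4 is invisible in the first listing and flagged in the second. The script below is an added example (not code from the reporter or the Safety project): it enumerates every installed distribution via `importlib.metadata`, reports which of them a plain `pip freeze` would hide, and compares them against a minimum fixed version. `MIN_FIXED` is a constructed table holding only the setuptools threshold the reporter suggests (>= 65.5.1), `ISSUE_ENV` is a constructed snapshot of the reporter's `pipdeptree` output, and `parse_version` is a deliberately minimal numeric parser (an assumption for the sake of running offline; use `packaging.version.Version` for full PEP 440 handling).

```python
"""Added example: list what pip freeze hides and flag packages below a fixed version."""
import re
from importlib import metadata

# pip skips these in `pip freeze` output unless `--all` is given (see `pip freeze --help`).
FREEZE_HIDDEN = {"pip", "setuptools", "wheel", "distribute"}

# Constructed sample table: package -> minimum version treated as fixed.
# Only the setuptools threshold comes from the issue text; this is not a vulnerability database.
MIN_FIXED = {"setuptools": "65.5.1"}

# Constructed snapshot of the reporter's venv, taken from the pipdeptree output in the issue.
ISSUE_ENV = {
    "pip": "23.2.1",
    "pipdeptree": "2.13.0",
    "safety": "2.3.5",
    "click": "8.1.7",
    "dparse": "0.6.3",
    "packaging": "21.3",
    "pyparsing": "3.1.1",
    "tomli": "2.0.1",
    "requests": "2.31.0",
    "certifi": "2023.7.22",
    "charset-normalizer": "3.3.0",
    "idna": "3.4",
    "urllib3": "2.0.6",
    "ruamel.yaml": "0.17.35",
    "ruamel.yaml.clib": "0.2.8",
    "setuptools": "58.0.4",
}


def normalize(name):
    """PEP 503 style name normalisation so 'ruamel.yaml' and 'Ruamel_YAML' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version):
    """Minimal parser for dotted numeric releases such as '58.0.4' or '21.3'.

    Assumption: pre-release, post-release and local tags are ignored; any non-digit
    suffix on a component is dropped. Good enough for the versions on this page.
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit()) if piece[:1].isdigit() else ""
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def hidden_from_freeze(installed):
    """Subset of `installed` that a plain `pip freeze` would not print."""
    return {name: ver for name, ver in installed.items() if normalize(name) in FREEZE_HIDDEN}


def flag_outdated(installed, min_fixed=MIN_FIXED):
    """Return {normalized_name: (installed_version, required_version)} for packages below the fix."""
    wanted = {normalize(name): ver for name, ver in min_fixed.items()}
    flagged = {}
    for name, ver in installed.items():
        key = normalize(name)
        if key in wanted and parse_version(ver) < parse_version(wanted[key]):
            flagged[key] = (ver, wanted[key])
    return flagged


def installed_distributions():
    """Every distribution in the running interpreter, including the ones pip freeze hides."""
    return {dist.metadata["Name"]: dist.version for dist in metadata.distributions()}


if __name__ == "__main__":
    # Run against the constructed snapshot first, then against the live environment.
    print("hidden from plain pip freeze (issue env):", hidden_from_freeze(ISSUE_ENV))
    print("below fixed version (issue env):", flag_outdated(ISSUE_ENV))
    live = installed_distributions()
    print("hidden from plain pip freeze (this env):", hidden_from_freeze(live))
    print("below fixed version (this env):", flag_outdated(live))
```

In a shell, the equivalent check is `pip freeze --all` or `pip list`, both of which print setuptools; after `pip install --upgrade setuptools`, `flag_outdated` returns an empty dict for the snapshot because 68.2.2 clears the 65.5.1 threshold.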

Hi @callebokedal,

Thank you for reporting this issue and for providing detailed steps to reproduce it.

After careful consideration, we've decided to move this issue to the "wontfix" category. We wanted to provide some context for our decision:

  1. Dependency Management: While we understand the importance of keeping dependencies up-to-date to avoid vulnerabilities, it's challenging to cover every possible scenario due to the dynamic nature of vulnerabilities. We do our best to review and ship updates, but new vulnerabilities can appear later.
  2. Defining Dependency Ranges: We are actively working on improving our processes to test dependencies and define version ranges more effectively. This should help minimize the occurrence of such issues in the future, though it is an ongoing effort.
  3. User Updates: We encourage users to regularly update their dependencies to mitigate potential vulnerabilities. In your case, upgrading setuptools to the latest version is a good practice and helps maintain a secure environment.

We appreciate your understanding and thank you for your continued contributions and feedback. If you have any further suggestions or reports, we'd love to hear from you!

Best Regards,
The Safety Team