fix(general): asteval to version 1.0.6
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Description
Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.
Fixes # (issue)
New/Edited policies (Delete if not relevant)
Description
Include a description of what makes it a violation and any relevant external links.
Fix
How does someone fix the issue in code and/or in runtime?
Checklist:
- [ ] I have performed a self-review of my own code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [ ] I have added tests that prove my feature, policy, or fix is effective and works
- [ ] New and existing tests pass locally with my changes
This change is particularly important as it addresses CVE-2025-24359.
@gruebel can you please take a look at this security update?
@bo156 can you please take a look at this change?
Can anyone take this seriously?
Bump!
As it was mentioned on this PR before, updating "asteval" to "1.0.6" addresses an important security concern. This will positively impact all the checkov users that work in highly regulated environments. Thank you for all your hard work, we need this update to manage our supply chain vulnerabilities.
It seems that there are some conflicts to resolve, but I can’t see for which files in the web UI.
@echoix If it's anything other than the Pipfile.lock causing the issue, I'd be surprised, given the difference in changes and overall nature of a lock file:
The source branch likely needs to be rebased by a maintainer and a fresh lock file generated before this can be merged in.
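Since the remaining blocker is the Pipfile.lock and the point of the change is that the lock ends up pinning asteval at 1.0.6 or later, here is an added example (not part of this PR or of checkov's own tooling) of a small check that reads a Pipfile.lock and reports any pinned package sitting below a minimum version. The lock file content is constructed inline for illustration, the `MINIMUM_VERSIONS` table only lists the asteval floor this PR discusses, and the function and variable names are the example's own assumptions. Pointing it at a freshly regenerated lock after the rebase confirms the bump actually landed.

```python
import json
import re

# Constructed sample Pipfile.lock fragment (not checkov's real lock file).
# Pipfile.lock records each resolved package as {"version": "==X.Y.Z"}
# under the "default" and "develop" sections.
SAMPLE_LOCK = json.dumps({
    "_meta": {"hash": {"sha256": "constructed-placeholder"}},
    "default": {
        "asteval": {"version": "==1.0.5"},
        "requests": {"version": "==2.31.0"},
    },
    "develop": {
        "pytest": {"version": "==8.0.0"},
    },
})

# Minimum acceptable versions. Only the asteval floor from this PR is listed;
# the table is an assumption of this example, not a checkov policy.
MINIMUM_VERSIONS = {"asteval": "1.0.6"}


def parse_version(text):
    """Turn '==1.0.6' or '1.0.6' into a tuple of ints for comparison.

    Only plain numeric release segments are handled, which is all a
    Pipfile.lock pin normally contains; anything else raises.
    """
    cleaned = text.lstrip("=").strip()
    parts = re.findall(r"\d+", cleaned)
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def pinned_versions(lock_text):
    """Map lower-cased package name -> pinned version across both sections."""
    lock = json.loads(lock_text)
    pins = {}
    for section in ("default", "develop"):
        for name, spec in lock.get(section, {}).items():
            version = spec.get("version")
            if version:
                pins[name.lower()] = version.lstrip("=")
    return pins


def check_lock(lock_text, minimums=MINIMUM_VERSIONS):
    """Return (package, pinned, required) for each package pinned below its floor.

    Packages absent from the lock file are skipped rather than reported,
    since a floor only applies to dependencies actually resolved.
    """
    pins = pinned_versions(lock_text)
    findings = []
    for name, floor in minimums.items():
        pinned = pins.get(name.lower())
        if pinned is None:
            continue
        if parse_version(pinned) < parse_version(floor):
            findings.append((name, pinned, floor))
    return findings


if __name__ == "__main__":
    # With the constructed lock above this reports asteval 1.0.5 < 1.0.6.
    for name, pinned, floor in check_lock(SAMPLE_LOCK):
        print(f"{name}: pinned {pinned}, requires >= {floor}")
```

To run it against a real file, replace `SAMPLE_LOCK` with `open("Pipfile.lock").read()`; an empty result from `check_lock` means every listed floor is satisfied.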
And so?
I emailed [email protected] again.
I'm incredibly disappointed that checkov, which is itself security software, is completely ignoring this security finding.
Hi @candrews, Could you please fix the conflicts with the main branch, so we can merge it?
Any updates on this?