
Adjust vulnerable versions of Inquirer for CVE-2022-24439

Open gmetzker opened this issue 1 year ago • 0 comments

In a recent safety release you flagged CVE-2022-24439 for the inquirer package.

Apparently there was some transitive vulnerability with GitPython. The noted vulnerable versions are <3.1.2.

After evaluating their code base, it appears this dependency was only added in version 3.0.0. So the vulnerable versions should only be >=3.0.0 <3.1.2.

If you view their git history for version 3.0.0, you can see where GitPython was introduced. The dependency graph was as follows:

  • inquirer 3.0.0
    • bandit 1.7.4
      • GitPython 3.1.29

Prior to v3.0.0, inquirer was not using bandit and hence had no import of GitPython.

See the addition in the poetry.lock of the v3.0.0 branch compared to v2.10.1, where bandit --> gitpython was added.

Can you reduce the scope of vulnerable versions so it does not flag <3.0.0?

Thanks

gmetzker avatar Dec 15 '23 19:12 gmetzker
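As an added example (not code from this issue, from inquirer, or from safety-db), the Python below walks a constructed, abbreviated poetry.lock excerpt to confirm the transitive path inquirer -> bandit -> gitpython described above, and checks which releases the original specifier (<3.1.2) and the narrowed one (>=3.0.0 <3.1.2) would flag. The lock excerpts are constructed, and the specifier check is a simplified numeric comparison, not full PEP 440.

```python
import operator
import re

# Constructed, abbreviated poetry.lock excerpts (not the real inquirer lock files).
LOCK_V2_10_1 = '''[[package]]
name = "inquirer"
version = "2.10.1"
[package.dependencies]
blessed = ">=1.19.0"
'''
# v3.0.0 adds bandit, which in turn declares GitPython.
LOCK_V3_0_0 = LOCK_V2_10_1.replace('"2.10.1"', '"3.0.0"') + '''bandit = ">=1.7.4"
[[package]]
name = "bandit"
version = "1.7.4"
[package.dependencies]
gitpython = ">=1.0.1"
'''

def parse_lock(text):  # -> {package name: {names of its declared dependencies}}
    graph, current, in_deps = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if line == "[[package]]":
            current, in_deps = None, False
        elif line.startswith("["):  # any other table header
            in_deps = line == "[package.dependencies]"
        elif current is None and line.startswith("name = "):
            current = line.split('"')[1].lower()
            graph.setdefault(current, set())
        elif in_deps and "=" in line:
            graph[current].add(line.split("=", 1)[0].strip().lower())
    return graph

def depends_on(graph, root, target):  # depth-first reachability in the lock graph
    seen, stack = set(), [root.lower()]
    while stack:
        pkg = stack.pop()
        if pkg == target.lower():
            return True
        if pkg not in seen:
            seen.add(pkg)
            stack.extend(graph.get(pkg, ()))
    return False

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}
def is_flagged(version, spec):  # simplified numeric compare, not full PEP 440
    v = tuple(int(p) for p in version.split("."))
    return all(OPS[op](v, tuple(int(p) for p in b.split(".")))
               for op, b in re.findall(r"(<=|>=|<|>)\s*([\d.]+)", spec))
```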