Git Product home page Git Product logo

Comments (3)

adamchainz avatar adamchainz commented on June 3, 2024 1

Btw, my experience with safety has been only false positives. I've been using it at one client for about two years, because their security policy needed something in place. But IIRC the only alerts we've ever seen were false positives that needed muting, maybe 2-3 times.

I am considering switching to pip-audit, which has a community-driven database.

from daphne.

adamchainz avatar adamchainz commented on June 3, 2024

From the safety JSON file: https://raw.githubusercontent.com/pyupio/safety-db/master/data/insecure_full.json

"daphne": [
        {
            "advisory": "Daphne 4.0.0b1 updates its dependency 'twisted' requirement to '>=22.4' to include security fixes.",
            "cve": "CVE-2022-21712",
            "id": "pyup.io-50814",
            "more_info_path": "/vulnerabilities/CVE-2022-21712/50814/",
            "specs": [
                "<4.0.0b1"
            ],
            "v": "<4.0.0b1"
        },
        {
            "advisory": "Daphne 4.0.0b1 updates its dependency 'twisted' requirement to '>=22.4' to include security fixes.",
            "cve": "CVE-2020-10108",
            "id": "pyup.io-50815",
            "more_info_path": "/vulnerabilities/CVE-2020-10108/50815/",
            "specs": [
                "<4.0.0b1"
            ],
            "v": "<4.0.0b1"
        },
        {
            "advisory": "Daphne 4.0.0b1 updates its dependency 'twisted' requirement to '>=22.4' to include security fixes.",
            "cve": "CVE-2020-10109",
            "id": "pyup.io-50816",
            "more_info_path": "/vulnerabilities/CVE-2020-10109/50816/",
            "specs": [
                "<4.0.0b1"
            ],
            "v": "<4.0.0b1"
        },
        {
            "advisory": "Daphne 4.0.0b1 updates its dependency 'twisted' requirement to '>=22.4' to include security fixes.",
            "cve": "CVE-2019-12855",
            "id": "pyup.io-50817",
            "more_info_path": "/vulnerabilities/CVE-2019-12855/50817/",
            "specs": [
                "<4.0.0b1"
            ],
            "v": "<4.0.0b1"
        },
        {
            "advisory": "Daphne 4.0.0b1 updates its dependency 'twisted' requirement to '>=22.4' to include security fixes.",
            "cve": "CVE-2019-12387",
            "id": "pyup.io-50818",
            "more_info_path": "/vulnerabilities/CVE-2019-12387/50818/",
            "specs": [
                "<4.0.0b1"
            ],
            "v": "<4.0.0b1"
        },
        {
            "advisory": "Daphne 4.0.0b1 updates its dependency 'twisted' requirement to '>=22.4' to include security fixes.",
            "cve": "CVE-2022-24801",
            "id": "pyup.io-50768",
            "more_info_path": "/vulnerabilities/CVE-2022-24801/50768/",
            "specs": [
                "<4.0.0b1"
            ],
            "v": "<4.0.0b1"
        }
    ],

Links to pyup:

These all report on the same thing, that Daphne <4.0.0b1 doesn't require a secure version of twisted.

IMO these are "garbage" reports, you can use the new version of Twisted with Daphne 3.0.2. Daphne cannot be expected to release a new version with an updated minimum version pin, every time that Twisted releases a security fix.

I advise ignoring the checks (safety check --ignore=50814 ...), and reporting them as bad checks to PyUP.

from daphne.

carltongibson avatar carltongibson commented on June 3, 2024

Yes, thanks @adamchainz — I agree these are garbage. It makes Pyup's reviewed by experts look pretty weak TBH

The key point is the twisted dependency is a minimum if you pip install daphne you don't get an insecure version....

Successfully installed … daphne-3.0.2 … twisted-22.4.0

So @CarolynWebster You can carry on (but please do report the issue to pyup)

...cannot be expected to release a new version with an updated minimum version pin...

It's a minimum needs at least this — if I declare Django>=3.2 it's not a security issue in my package because Django 3.2.15 was a security release. You just update Django.

from daphne.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.