Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2024-47874 not detected #623

Open
1 task done
drupol opened this issue Oct 25, 2024 · 5 comments
Open
1 task done

CVE-2024-47874 not detected #623

drupol opened this issue Oct 25, 2024 · 5 comments
Assignees

Comments

@drupol
Copy link

drupol commented Oct 25, 2024

Checklist

Safety version

3.2.8

Python version

3.12.5

Operating System

Linux

Describe the problem you'd like to have solved

In our Python project using Poetry, we are using Starlette (https://pypi.org/project/starlette/, https://github.com/encode/starlette).

To check for CVE, we are using:

poetry export --without-hashes -f requirements.txt | safety check --full-report --stdin

The requirements.txt file contains the following line:

starlette==0.37.2 ; python_version >= "3.11" and python_version < "4.0"

Since the vulnerability affect all versions < 0.40.0, it should trigger CVE-2024-47874 but it is not.

Describe the ideal solution

The tool should report a security issue.

Alternatives and current workarounds

No response

Additional context

No response

What I Did

   poetry export --without-hashes -f requirements.txt | safety check --full-report --stdin
Copy link

Hi @drupol, thank you for opening this issue!

We appreciate your effort in reporting this. Our team will review it and get back to you soon.
If you have any additional details or updates, feel free to add them to this issue.

Note: If this is a serious security issue that could impact the security of Safety CLI users, please email [email protected] immediately.

Thank you for contributing to Safety CLI!

@dylanpulver
Copy link
Collaborator

Hi @drupol thank you for bringing this to our attention! The safety check command is now deprecated and we have the safety scan command available now. More details on this are available in our docs here: https://docs.safetycli.com/safety-docs/safety-cli-3/scanning-for-vulnerable-and-malicious-packages

@drupol
Copy link
Author

drupol commented Oct 29, 2024

Hello,

Thanks for your reply. I just used safety scan, but the error is now:

❯ poetry check --lock
All set!
❯ safety scan
Safety 3.2.9 scanning /home/pol/Code/<redacted>
2024-10-29 14:31:08 UTC

Account: Pol Dellaiera, <redacted>
 Git branch: 
 Environment: Stage.development
 Scan policy: None, using Safety CLI default policies

Python detected. Found 1 Python poetry lock file and 1 Python environment
Unhandled exception happened: 'Malformed poetry lock file'

@dylanpulver
Copy link
Collaborator

Thank you @drupol! Are you able to share the contents of the poetry files you are using? With these we can make sure to replicate the error you are facing to get it resolved!

@drupol
Copy link
Author

drupol commented Oct 29, 2024

Argh... sadly, I'm not allowed to share them. I would jeopardize my job position if I do so. I'm totally aware that sharing those files is not a big deal, but you know... I am not the one deciding sadly...

@SafetyQuincyF SafetyQuincyF self-assigned this Dec 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants