Python Dependency version is being ignored (requirements.txt file) #1483

Open
eyaliyahu opened this issue Jan 9, 2025 · 5 comments
Labels
bug Something isn't working

Comments

@eyaliyahu

Hey osv team, we recently ran into an issue with the latest version of osv-scanner (1.9.2).

When we run the tool on a requirements.txt file with the loguru library in it, the tool returns a vulnerability outside the semver constraints.
Here's what my requirements.txt looks like:

loguru>=0.6.0,<1

I ran the following command:

osv-scanner scan .

And got this response:

{
  "results": [
    {
      "source": {
        "path": "requirements.txt",
        "type": "lockfile"
      },
      "packages": [
        {
          "package": {
            "name": "loguru",
            "version": "0.6.0,\u003c1",
            "ecosystem": "PyPI"
          },
          "dependency_groups": [
            "requirements"
          ],
          "vulnerabilities": [
            {
              "modified": "2024-09-30T20:37:26Z",
              "published": "2022-01-26T00:01:50Z",
              "schema_version": "1.6.0",
              "id": "GHSA-39ph-wr67-j4xq",
              "aliases": [
                "CVE-2022-0338",
                "PYSEC-2022-14"
              ],
              "summary": "loguru vulnerable to improper privilege management ",
              "details": "Improper Privilege Management in Conda loguru prior to 0.5.3.",
              "affected": [
                {
                  "package": {
                    "ecosystem": "PyPI",
                    "name": "loguru",
                    "purl": "pkg:pypi/loguru"
                  },
                  "ranges": [
                    {
                      "type": "ECOSYSTEM",
                      "events": [
                        {
                          "introduced": "0"
                        },
                        {
                          "fixed": "0.5.3"
                        }
                      ]
                    }
                  ],
                  "versions": [
                    "0.1.0",
                    "0.2.0",
                    "0.2.1",
                    "0.2.2",
                    "0.2.3",
                    "0.2.4",
                    "0.2.5",
                    "0.3.0",
                    "0.3.1",
                    "0.3.2",
                    "0.4.0",
                    "0.4.1",
                    "0.5.0",
                    "0.5.1",
                    "0.5.2"
                  ],
                  "database_specific": {
                    "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-39ph-wr67-j4xq/GHSA-39ph-wr67-j4xq.json"
                  }
                }
              ],
              "severity": [
                {
                  "type": "CVSS_V3",
                  "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
                },
                {
                  "type": "CVSS_V4",
                  "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                }
              ],
              "references": [
                {
                  "type": "ADVISORY",
                  "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0338"
                },
                {
                  "type": "WEB",
                  "url": "https://github.com/delgan/loguru/commit/ea39375e62f9b8f18e2ca798a5c0fb8c972b7eaa"
                },
                {
                  "type": "PACKAGE",
                  "url": "https://github.com/Delgan/loguru"
                },
                {
                  "type": "WEB",
                  "url": "https://github.com/pypa/advisory-database/tree/main/vulns/loguru/PYSEC-2022-14.yaml"
                },
                {
                  "type": "WEB",
                  "url": "https://huntr.dev/bounties/359bea50-2bc6-426a-b2f9-175d401b1ed0"
                }
              ],
              "database_specific": {
                "cwe_ids": [
                  "CWE-269",
                  "CWE-532"
                ],
                "github_reviewed": true,
                "github_reviewed_at": "2023-08-03T16:37:17Z",
                "nvd_published_at": "2022-01-25T09:15:00Z",
                "severity": "MODERATE"
              }
            },
            {
              "modified": "2023-11-08T04:07:32Z",
              "published": "2022-01-25T09:15:00Z",
              "schema_version": "1.6.0",
              "id": "PYSEC-2022-14",
              "aliases": [
                "CVE-2022-0338",
                "GHSA-39ph-wr67-j4xq"
              ],
              "details": "Improper Privilege Management in Conda loguru prior to 0.5.3.",
              "affected": [
                {
                  "package": {
                    "ecosystem": "PyPI",
                    "name": "loguru",
                    "purl": "pkg:pypi/loguru"
                  },
                  "ranges": [
                    {
                      "type": "GIT",
                      "events": [
                        {
                          "introduced": "0"
                        },
                        {
                          "fixed": "ea39375e62f9b8f18e2ca798a5c0fb8c972b7eaa"
                        }
                      ],
                      "repo": "https://github.com/delgan/loguru"
                    },
                    {
                      "type": "ECOSYSTEM",
                      "events": [
                        {
                          "introduced": "0"
                        },
                        {
                          "fixed": "0.5.3"
                        }
                      ]
                    }
                  ],
                  "versions": [
                    "0.1.0",
                    "0.2.0",
                    "0.2.1",
                    "0.2.2",
                    "0.2.3",
                    "0.2.4",
                    "0.2.5",
                    "0.3.0",
                    "0.3.1",
                    "0.3.2",
                    "0.4.0",
                    "0.4.1",
                    "0.5.0",
                    "0.5.1",
                    "0.5.2"
                  ],
                  "database_specific": {
                    "source": "https://github.com/pypa/advisory-database/blob/main/vulns/loguru/PYSEC-2022-14.yaml"
                  }
                }
              ],
              "references": [
                {
                  "type": "WEB",
                  "url": "https://huntr.dev/bounties/359bea50-2bc6-426a-b2f9-175d401b1ed0"
                },
                {
                  "type": "FIX",
                  "url": "https://github.com/delgan/loguru/commit/ea39375e62f9b8f18e2ca798a5c0fb8c972b7eaa"
                }
              ]
            }
          ],
          "groups": [
            {
              "ids": [
                "PYSEC-2022-14",
                "GHSA-39ph-wr67-j4xq"
              ],
              "aliases": [
                "CVE-2022-0338",
                "GHSA-39ph-wr67-j4xq",
                "PYSEC-2022-14"
              ],
              "max_severity": "5.3"
            }
          ]
        }
      ]
    }
  ],
  "experimental_config": {
    "licenses": {
      "summary": false,
      "allowlist": null
    }
  }
}

As you can see, the tool identified the dependency version as 0.6.0,\u003c1, but the vulnerability that was found (CVE-2022-0338 / GHSA-39ph-wr67-j4xq / PYSEC-2022-14) applies to versions below 0.5.3 (it even recommends updating the dependency to 0.5.3).

I was able to reproduce this issue in other versions of the osv client (1.7.3 for example) as well so I suspect that this is an issue at the API level.

I would appreciate your opinion on this one - Thanks!

@oliverchang oliverchang added the bug Something isn't working label Jan 10, 2025
@oliverchang
Collaborator

oliverchang commented Jan 10, 2025

"version": "0.6.0,\u003c1", to me looks like we're just not properly parsing the constraints here from the requirements.txt, which is leading us to not having the right version to scan. @hogo6002 @G-Rath can you confirm this? Are there any changes we can make in the meantime to make this situation better?

We have plans in the coming months to better support requirements.txt generally (#34, including transitive resolution and parsing constraints such as these). CC @cuixq

@G-Rath
Collaborator

G-Rath commented Jan 10, 2025

hmm it seems that this might be a new feature of pip? it's in the example file reference but not in the one that was up when I originally implemented the parser.

It also looks like the osv-scalibr extractor supports this, so I'm not sure if it's worth me trying to add support to our current parser/extractor?

@eyaliyahu
Author

eyaliyahu commented Jan 10, 2025

Thanks @oliverchang and @G-Rath for your quick response!

Maybe just for context - I've been using osv-scanner for over a year, and it started happening out of nowhere.
Is there any chance this is due to a change that happened lately in the Backend API?
I started experiencing this on Jan 7th, while I kept using the same client version.

@another-rex
Collaborator

another-rex commented Jan 13, 2025

Yes, this is likely caused by a recent API change we made, where we are doing range matching instead of directly matching against a list of versions we enumerated. Both actually return incorrectly for this query, the previous API just will always return no results, while the current version will always return every vulnerability for this package.

The issue here is we don't support range requirements that well, and mostly expect static single versions (this is why osv-scanner works best with lockfiles generated by tools like poetry, pip-compile, etc., where there is a concrete version).

In osv-scanner v2 (releasing soon!), the default behaviour here would be to choose the lowest version that satisfies the requirement (i.e. 0.6.0 in this case), which should solve this specific problem.

Longer term as Oliver mentioned we are working on better support for requirements.txt files through resolving it into a single version by calculating the dependency graph.


As for a short term workaround right now, I would suggest adding an ignore entry for PYSEC-2022-14 to the osv-scanner.toml file, this way any new vulnerabilities will show up, but this one which we know does not apply will not keep appearing.
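To make the two points in this thread concrete (the constraint string not being parsed, and the "lowest version that satisfies the requirement" behaviour), here is an added Python example that is not osv-scanner's own code: it parses the requirement line properly, then checks whether any version the range admits falls inside the advisory's ECOSYSTEM range. The advisory events are the ones quoted in the report above; the list of known versions is constructed for the example.

```python
import re
from operator import eq, ge, gt, le, lt, ne

# Advisory range quoted in the report (ECOSYSTEM range of GHSA-39ph-wr67-j4xq / PYSEC-2022-14).
ADVISORY_EVENTS = [{"introduced": "0"}, {"fixed": "0.5.3"}]
# Constructed sample of published loguru versions: part of the advisory's list plus later releases.
KNOWN_VERSIONS = ["0.1.0", "0.2.0", "0.3.0", "0.4.0", "0.5.0", "0.5.1", "0.5.2",
                  "0.5.3", "0.6.0", "0.7.0", "1.0.0"]
_OPS = {"==": eq, "!=": ne, ">=": ge, ">": gt, "<=": le, "<": lt}

def parse_version(text):
    """'0.6.0' -> (0, 6); trailing zeros are dropped so that '1' and '1.0.0' compare equal."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def parse_requirement(line):
    """Split 'loguru>=0.6.0,<1' into ('loguru', [('>=', (0, 6)), ('<', (1,))]).
    Cutting only at the first operator would leave '0.6.0,<1', the string the report shows as the version."""
    m = re.match(r"^\s*([A-Za-z0-9][A-Za-z0-9_.\-]*)\s*(.*?)\s*$", line)
    if not m:
        raise ValueError(f"unsupported requirement line: {line!r}")
    clauses = []
    for clause in filter(str.strip, m.group(2).split(",")):
        cm = re.fullmatch(r"\s*(==|!=|>=|<=|>|<)\s*([0-9][0-9.]*)\s*", clause)
        if not cm:
            raise ValueError(f"unsupported specifier: {clause!r}")
        clauses.append((cm.group(1), parse_version(cm.group(2))))
    return m.group(1), clauses

def is_affected(version, events):
    """OSV ECOSYSTEM range semantics: affected iff introduced <= v and v < fixed."""
    v = parse_version(version)
    introduced = next((parse_version(e["introduced"]) for e in events if "introduced" in e), None)
    fixed = next((parse_version(e["fixed"]) for e in events if "fixed" in e), None)
    return introduced is not None and introduced <= v and (fixed is None or v < fixed)

def candidate_versions(line, known):
    """Known versions that satisfy every clause of the requirement, lowest first."""
    _, clauses = parse_requirement(line)
    ok = [v for v in known if all(_OPS[op](parse_version(v), bound) for op, bound in clauses)]
    return sorted(ok, key=parse_version)

def lowest_satisfying(line, known):
    """The v2 behaviour described above: pick the lowest version that satisfies the range."""
    return (candidate_versions(line, known) or [None])[0]

def advisory_applies(line, events, known):
    """True only if some version the requirement admits falls inside the advisory's range."""
    return any(is_affected(v, events) for v in candidate_versions(line, known))
```

For `loguru>=0.6.0,<1` the lowest admitted version is 0.6.0 and no admitted version is inside `[0, 0.5.3)`, so the advisory does not apply; widen the range to `>=0.5.0,<1` and it does.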

@eyaliyahu
Author

Got it, Thanks for the detailed investigation!
