Python dependency version is being ignored (requirements.txt file) #1483

Hey osv team, we recently ran into an issue with the latest version of osv-scanner (1.9.2).

When we run the tool on a requirements.txt file with the loguru library in it, the tool returns a vulnerability outside the semver constraints. Here's what my requirements.txt looks like:

I ran the following command:

And got this response:

As you can see, the tool identified that the dependency version is 0.6.0,<1, but the vulnerability that was found (CVE-2022-0338 (GHSA-39ph-wr67-j4xq, PYSEC-2022-14)) applies to versions below 0.5.3 (it even recommends updating the dependency to 0.5.3).

I was able to reproduce this issue in other versions of the osv client (1.7.3 for example) as well, so I suspect that this is an issue at the API level.

I would appreciate your opinion on this one - Thanks!

Comments

We have plans in the coming months to better support requirements.txt generally (#34, including transitive resolution and parsing constraints such as these). CC @cuixq

Hmm, it seems that this might be a new feature of pip? It's in the example file reference but not in the one that was up when I originally implemented the parser. It also looks like the

Thanks @oliverchang and @G-Rath for your quick response! Maybe just for context - I've been using osv-scanner for over a year, and it started happening out of nowhere.

Yes, this is likely caused by a recent API change we made, where we are doing range matching instead of directly matching against a list of versions we enumerated. Both actually return incorrectly for this query: the previous API will always return no results, while the current version will always return every vulnerability for this package. The issue here is that we don't support range requirements that well, and mostly expect static single versions (this is why osv-scanner works best with lockfiles generated by tools like

In osv-scanner v2 (releasing soon!), the default behaviour here would be to choose the lowest version that satisfies the requirement (i.e. 0.6.0 in this case), which should solve this specific problem. Longer term, as Oliver mentioned, we are working on better support for requirements.txt files by resolving them into a single version by calculating the dependency graph.

As for a short-term workaround right now, I would suggest adding an ignore entry for

Got it, thanks for the detailed investigation!
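The thread above describes three behaviours: the parser taking the text after the first operator of `loguru>=0.6.0,<1` as the version (`0.6.0,<1`), the v2 strategy of resolving a range to the lowest release that satisfies it, and checking a single version against an advisory's affected range. The script below walks through all three. It is an added example written for this page, not osv-scanner's or the OSV API's own code: `KNOWN_RELEASES`, `OSV_AFFECTED`, the `examplepkg` line and the `EXAMPLE-0001` advisory are constructed, and the `loguru` affected range (introduced 0, fixed 0.5.3) is written from the advisory summary in the issue, not fetched from OSV.

```python
"""Added example (not osv-scanner code): resolve a requirements.txt range to a
version and check it against OSV-style affected ranges. Stdlib only; handles
the PEP 440 subset of dotted integer versions with ==, !=, <, <=, >, >=."""
import re

# Constructed sample input. First line is the one from the issue; the other two
# are made up to show a pin and a genuinely affected range.
REQUIREMENTS_TXT = """\
# constructed requirements.txt
loguru>=0.6.0,<1
requests==2.31.0
examplepkg>=1.0.0,<2
"""

# Constructed release lists (a subset; assumed, not fetched from PyPI).
KNOWN_RELEASES = {
    "loguru": ["0.4.1", "0.5.0", "0.5.1", "0.5.2", "0.5.3", "0.6.0", "0.7.0", "0.7.2"],
    "requests": ["2.30.0", "2.31.0"],
    "examplepkg": ["1.0.0", "1.1.0", "1.2.0"],
}

# OSV-style affected ranges. The loguru entry encodes "affected below 0.5.3"
# as stated in the issue; EXAMPLE-0001 is a constructed advisory.
OSV_AFFECTED = {
    "loguru": [{"id": "CVE-2022-0338", "events": [{"introduced": "0"}, {"fixed": "0.5.3"}]}],
    "examplepkg": [{"id": "EXAMPLE-0001", "events": [{"introduced": "0"}, {"fixed": "1.2.0"}]}],
}

NAME_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(.*)$")
SPEC_RE = re.compile(r"^(==|!=|<=|>=|<|>)\s*([0-9][0-9.]*)$")
OPS = {
    "==": lambda v, w: v == w, "!=": lambda v, w: v != w,
    "<=": lambda v, w: v <= w, ">=": lambda v, w: v >= w,
    "<": lambda v, w: v < w, ">": lambda v, w: v > w,
}


def parse_version(s):
    """Dotted release string -> tuple of ints; raises ValueError on anything else."""
    return tuple(int(p) for p in s.split("."))


def naive_version(line):
    """Mimics the misparse reported in the issue: strip the name and the first
    operator and treat the remainder as the version, so 'loguru>=0.6.0,<1'
    yields '0.6.0,<1', which is not a version at all."""
    _, spec = NAME_RE.match(line.strip()).groups()
    return re.sub(r"^(==|!=|<=|>=|<|>)", "", spec).strip()


def parse_requirement(line):
    """'name>=a,<b' -> (name, [(op, version_tuple), ...]); commas mean AND."""
    name, spec = NAME_RE.match(line.strip()).groups()
    clauses = []
    for part in (p.strip() for p in spec.split(",") if p.strip()):
        m = SPEC_RE.match(part)
        if not m:
            raise ValueError(f"unsupported specifier: {part!r}")
        clauses.append((m.group(1), parse_version(m.group(2))))
    return name, clauses


def satisfies(version, clauses):
    v = parse_version(version)
    return all(OPS[op](v, w) for op, w in clauses)


def lowest_satisfying(name, clauses, releases):
    """The v2 strategy from the thread: lowest known release meeting every clause."""
    for rel in sorted(releases.get(name, []), key=parse_version):
        if satisfies(rel, clauses):
            return rel
    return None


def is_affected(version, events):
    """OSV range semantics: introduced <= version < fixed (no fixed = still open)."""
    v = parse_version(version)
    introduced, fixed = (0,), None
    for e in events:
        if "introduced" in e:
            introduced = parse_version(e["introduced"])
        if "fixed" in e:
            fixed = parse_version(e["fixed"])
    return v >= introduced and (fixed is None or v < fixed)


def scan(requirements_txt, releases, advisories):
    """Per package: the resolved version, advisories hitting that version, and
    advisories hitting any release the specifier allows (true range matching)."""
    results = {}
    for raw in requirements_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, clauses = parse_requirement(line)
        resolved = lowest_satisfying(name, clauses, releases)
        allowed = [r for r in releases.get(name, []) if satisfies(r, clauses)]
        advs = advisories.get(name, [])
        results[name] = {
            "resolved": resolved,
            "affected_at_resolved": [a["id"] for a in advs
                                     if resolved and is_affected(resolved, a["events"])],
            "affected_in_range": sorted({a["id"] for a in advs
                                         for r in allowed if is_affected(r, a["events"])}),
        }
    return results


if __name__ == "__main__":
    for pkg, res in scan(REQUIREMENTS_TXT, KNOWN_RELEASES, OSV_AFFECTED).items():
        print(pkg, res)
```

For the `loguru` line both checks come back empty: the lowest allowed release, 0.6.0, is past the 0.5.3 fix, and no release the specifier admits falls inside the affected range, so the finding reported in the issue is a false positive under either strategy. The constructed `examplepkg` line shows the opposite case, where the lowest-version resolution still flags the advisory because 1.0.0 is below the fix.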