
Fix CI: ignore CVE-2023-5752 #102

Merged: 1 commit merged on Jan 20, 2024

Conversation

hugovk (Member) commented Jan 1, 2024

Not sure what's up with this safety check: we upgrade pip at the very start (it's already on the latest, 23.3.2), and then it complains about a vulnerability in an older version (23.2.1):

Run pip install --upgrade pip wheel
Requirement already satisfied: pip in /opt/hostedtoolcache/Python/3.12.1/x64/lib/python3.12/site-packages (23.3.2)
...
-> Vulnerability found in pip version 23.2.1
   Vulnerability ID: 62044
   Affected spec: <23.3
   ADVISORY: Pip 23.3 includes a fix for CVE-2023-5752: When installing
   a package from a Mercurial VCS URL (ie "pip install hg+...") with pip...
   CVE-2023-5752
   For more information, please visit
   https://data.safetycli.com/v/62044/f17

https://github.com/python/cherry-picker/actions/runs/7371215995

Anyway, we're not pip installing anything from a Mercurial repo or using this pip version, so let's ignore this warning to fix the CI.

ezio-melotti (Member) commented

FWIW I looked into this issue and filed the bug linked above. The TLDR is that there seems to be a .dist-info dir that is left over during the pip update, and this gets detected by safety and reported. This happens in the base image used by the GitHub runners, before anything from our workflows is run.
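The mechanism ezio-melotti describes (a leftover `.dist-info` directory that a metadata-based scanner picks up as a second "installed" pip) can be checked for directly. The script below is an added example, not code from the cherry-picker project or from safety: it scans a site-packages directory for projects with more than one `.dist-info` directory and reports which of the stale versions would still match an affected spec such as `<23.3`. The sample site-packages layout is constructed inline with `tempfile`; the version comparison is a deliberately simplified numeric tuple compare, not full PEP 440.

```python
"""Detect leftover *.dist-info directories that make a scanner report an old version.

Added example (not from the cherry-picker project or from safety).  A scanner that
reads installed-package metadata sees one "installation" per .dist-info directory;
if pip-23.2.1.dist-info survives next to pip-23.3.2.dist-info, the old version
is still reported even though `pip --version` says 23.3.2.
"""
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# {name}-{version}.dist-info ; wheel-style names never put a hyphen in the version
DIST_INFO_RE = re.compile(r"^(?P<name>.+?)-(?P<version>[^-]+)\.dist-info$")


def normalize(name: str) -> str:
    """PEP 503 project-name normalization: case-insensitive, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def installed_versions(site_packages: Path) -> dict[str, list[str]]:
    """Map normalized project name -> every version that has a .dist-info dir."""
    found: dict[str, list[str]] = defaultdict(list)
    for entry in site_packages.iterdir():
        if not entry.is_dir():
            continue
        m = DIST_INFO_RE.match(entry.name)
        if m:
            found[normalize(m["name"])].append(m["version"])
    return {name: sorted(v, key=version_key) for name, v in found.items()}


def stale_dist_info(site_packages: Path) -> dict[str, list[str]]:
    """Projects with more than one .dist-info dir, i.e. metadata left over from an upgrade."""
    return {n: v for n, v in installed_versions(site_packages).items() if len(v) > 1}


def version_key(version: str) -> tuple[int, ...]:
    """Simplified version ordering (assumption: plain dotted integers, not full PEP 440)."""
    return tuple(int(part) for part in version.split("."))


def versions_matching_upper_bound(versions: list[str], upper_exclusive: str) -> list[str]:
    """Versions strictly below an 'Affected spec: <X' bound, e.g. 23.2.1 < 23.3."""
    bound = version_key(upper_exclusive)
    return [v for v in versions if version_key(v) < bound]


def build_sample_site_packages() -> Path:
    """Constructed sample: a pip upgrade that left the old metadata directory behind."""
    root = Path(tempfile.mkdtemp(prefix="site-packages-"))
    for dist in ("pip-23.2.1.dist-info", "pip-23.3.2.dist-info", "wheel-0.42.0.dist-info"):
        d = root / dist
        d.mkdir()
        name, version = dist[: -len(".dist-info")].rsplit("-", 1)
        (d / "METADATA").write_text(f"Name: {name}\nVersion: {version}\n")
    (root / "pip").mkdir()  # the real package directory; not metadata, so ignored
    return root


def report(site_packages: Path, affected_upper: str = "23.3") -> list[str]:
    """Human-readable lines for each project whose stale metadata matches the bound."""
    lines = []
    for name, versions in stale_dist_info(site_packages).items():
        hit = versions_matching_upper_bound(versions, affected_upper)
        lines.append(f"{name}: {len(versions)} .dist-info dirs {versions}; "
                     f"still matching <{affected_upper}: {hit or 'none'}")
    return lines


if __name__ == "__main__":
    for line in report(build_sample_site_packages()):
        print(line)
```

Run against a real interpreter's site-packages (for example `Path(sysconfig.get_paths()["purelib"])`) to see whether a runner image carries the same leftover; removing the stale `.dist-info` directory, or reinstalling pip cleanly, makes the scanner's view agree with `pip --version`.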

@AA-Turner AA-Turner merged commit b1f0991 into python:main Jan 20, 2024
22 checks passed
@hugovk hugovk deleted the ignore-CVE-2023-5752 branch January 20, 2024 11:58
ezio-melotti added a commit that referenced this pull request May 14, 2024
ezio-melotti added a commit that referenced this pull request Jun 30, 2024
3 participants