Skip to content
This repository has been archived by the owner on Jun 9, 2022. It is now read-only.

out of date python-safety package causes error in scanner-cli docker image #163

Closed
derwent-m opened this issue Sep 8, 2020 · 7 comments · May be fixed by #164
Closed

out of date python-safety package causes error in scanner-cli docker image #163

derwent-m opened this issue Sep 8, 2020 · 7 comments · May be fixed by #164

Comments

@derwent-m
Copy link

Issue Template

Description

The :latest hawkeyesec/scanner-cli Docker image, is using an outdated version of the safety pypi package. The version specified in Dockerfile is 1.8.4, however version 1.9.0 contains a bug fix for this error.

Steps to Reproduce

git clone [email protected]:derwent-m/sample-flask-app.git
cd sample-flask-app
docker run --rm -v "$PWD/web:/target" hawkeyesec/scanner-cli:latest

Expected behavior: [What you expect to happen]

When I use my own patched docker image with the latest python-safety, python-safety runs successfully and contributes outputs in the summary table

docker run --rm -v "$PWD/web:/target" derwentx/scanner-cli:latest
python-safety  critical  flask 0.12                flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3.  Versions <0.12.3 are vulnerable. Update to a non vulnerable version.      
python-safety  critical  flask 0.12                The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. See: CVE-2019-1010083. (NOTE: this may overlap CVE-2018-1000656.)                                                                                  Versions <1.0 are vulnerable. Update to a non vulnerable version.         
python-safety  critical  sqlalchemy 1.1.4          SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter. See: CVE-2019-7164.                                                                                                                                                                                                                     Versions <=1.2.17 are vulnerable. Update to a non vulnerable version.     
python-safety  critical  werkzeug 0.11.15          The defaults of ``generate_password_hash`` in werkzeug 0.12 have been changed to more secure ones, see pull request ``#753``.                                                                                                                                                                                                                Versions <0.12 are vulnerable. Update to a non vulnerable version.        
python-safety  critical  werkzeug 0.11.15          Werkzeug 0.15.0 refactors class:`~middleware.proxy_fix.ProxyFix` to support more headers, multiple values, and a more secure configuration.                                                                                                                                                                                                  Versions <0.15.0 are vulnerable. Update to a non vulnerable version.

Actual behavior: [What actually happens]

The python-safety module returns the following error:

docker run --rm -v "$PWD/web:/target" hawkeyesec/scanner-cli:latest
[error] python-safety returned an error! Unexpected end of JSON input

Version

The latest version of the docker container, hawkeyesec/scanner-cli@sha256:e43564c74a8d4caf3e8c780cf96206966e0b603d19ef64ef31f14e6b5fbdbf98
according to docker inspect --format='{{index .RepoDigests 0}}'

Feature Template

As a Python DevOps person
I want to be notified of any python-safety issues in my pipeline
So that I can triage those issues accordingly.

Acceptance Criteria

  • python-safety does not produce an error when running the latest scanner-cli docker image when scanning the example-flask-app Python project
derwent-m pushed a commit to derwent-m/scanner-cli that referenced this issue Sep 8, 2020
⬆️ upgrade python-safety to 1.9.0
c6dbba6 
fixes hawkeyesec#163
@derwent-m derwent-m mentioned this issue Sep 8, 2020
Open
4 tasks
@ricohomewood
Copy link

@haohaolee is it possible to complete this PR Fix as we are also having this problem

@haohaolee
Copy link
Contributor

@ricohomewood I am looking into this right now~

@haohaolee
Copy link
Contributor

@ricohomewood Please take a look at the latest image in docker hub to see if it works for you now

@ricohomewood
Copy link

Thanks @haohaolee but the latest build is still showing pyton-safey as 1.8.4

image

@derwent-m
Copy link
Author

Steps attempted to reproduce:

git clone https://github.com/ThoughtWorksInc/AS101-4-workshop.git
cd AS101-4-workshop
docker run --rm -v "$PWD/web:/target" hawkeyesec/scanner-cli:latest

Image downloaded:

Digest: sha256:6b3cfc584f1e34d065817ea2f8c5bf92b7247ce4e9d52912e60e41311d0b0ec9
Status: Downloaded newer image for hawkeyesec/scanner-cli:latest

Error still shows:

[error] python-safety returned an error! Unexpected end of JSON input

Try my fix! #164

@haohaolee
Copy link
Contributor

Hi @derwent-m @ricohomewood Please try again. I am not familiar with the image deployment process, just updated the version tag.

@ricohomewood
Copy link

Hi @haohaolee. Yep the lasted Docker image has the update version now and is working.

Digest: sha256:1d66a2e6952394b5b246106df006403fc41a39e5d90223c5bb9da07c465a8b17
Status: Downloaded newer image for hawkeyesec/scanner-cli:latest

And

[info] Running module python-safety

Thanks

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Update python-safety and specify Python packages in requirements.txt derwent-m/scanner-cli
3 participants
@haohaolee @ricohomewood @derwent-m