Posted to commits@airflow.apache.org by "lewijw (via GitHub)" <gi...@apache.org> on 2023/02/08 15:12:18 UTC

[GitHub] [airflow] lewijw opened a new issue, #29428: Require newer version of pypi/setuptools to remove security scan issue (CVE-2022-40897)

lewijw opened a new issue, #29428:
URL: https://github.com/apache/airflow/issues/29428

   ### Description
   
   Hi. My team is evaluating airflow, so I ran a security scan on it. It is flagging a Medium security issue with pypi/setuptools. See https://nvd.nist.gov/vuln/detail/CVE-2022-40897 for details. Is it possible to require a more recent version? Or perhaps airflow users are not vulnerable to this?
   
   ### Use case/motivation
   
   _No response_
   
   ### Related issues
   
   _No response_
   
   ### Are you willing to submit a PR?
   
   - [ ] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [airflow] arjunanan6 commented on issue #29428: Require newer version of pypi/setuptools to remove security scan issue (CVE-2022-40897)

Posted by "arjunanan6 (via GitHub)" <gi...@apache.org>.
arjunanan6 commented on issue #29428:
URL: https://github.com/apache/airflow/issues/29428#issuecomment-1425803753

   Then I will take it, @potiuk :) 


[GitHub] [airflow] boring-cyborg[bot] commented on issue #29428: Require newer version of pypi/setuptools to remove security scan issue (CVE-2022-40897)

Posted by "boring-cyborg[bot] (via GitHub)" <gi...@apache.org>.
boring-cyborg[bot] commented on issue #29428:
URL: https://github.com/apache/airflow/issues/29428#issuecomment-1422751361

   Thanks for opening your first issue here! Be sure to follow the issue template!
   


[GitHub] [airflow] potiuk commented on issue #29428: Require newer version of pypi/setuptools to remove security scan issue (CVE-2022-40897)

Posted by "potiuk (via GitHub)" <gi...@apache.org>.
potiuk commented on issue #29428:
URL: https://github.com/apache/airflow/issues/29428#issuecomment-1422827072

   We do not trust blindly security scans - following the ASF security team recommendation. There are far too many false positives to accept a report which says 'those are all CVEs that our scanner found'. By default we simply drop such reports.
   
   Generally, if you think there is an exploitable scenario for a CVE, you should report the issue responsibly (see our security policy - via email and in private, rather than a public issue, with a reproducible scenario).
   
   But we treat security seriously. Generally, Airflow almost never releases old versions with implemented security fixes - we release any fixes in the latest minor branch (so the next wave of security fixes might be in 2.5.2 or 2.6.0, whichever comes first). And with few exceptions where our dependencies are fixed or upper-bound, our build / CI mechanism automatically upgrades dependencies to the latest released compatible version - which handles a lot of vulnerabilities automatically.
   
   But setuptools is different - I believe we fix setuptools in pyproject.toml to avoid surprises, so likely it is worth upgrading it. Then it will be used with the next release.
   
   Feel free to open a PR and update it to the version that is good. Our CI will automatically run the complete test harness if you open such a PR, so if it is green - I am happy to approve it and add it to the next release.



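The comment above describes the two moving parts of this issue: a setuptools floor fixed in pyproject.toml, and a PR that raises it once an advisory names a fixed release. The script below is an added example (not Airflow's code and not from this thread) that does what a reviewer of such a PR would want to verify mechanically: it parses the `[build-system].requires` list of a pyproject.toml, extracts the lowest setuptools version the specifier allows, compares it against a required minimum, and shows the one-line rewrite a PR raising the floor would make. The `SAMPLE_PYPROJECT` content and every version in it are constructed for the demonstration, and `REQUIRED_MINIMUM` is a placeholder to be replaced with the fixed version named in the advisory being acted on.

```python
"""Added example: check the setuptools lower bound declared in a
pyproject.toml [build-system] table against a required minimum, and show
the one-line change a PR raising that floor would make."""
import re

try:
    import tomllib  # stdlib TOML parser, Python 3.11+
except ImportError:  # older interpreter: fall back to the minimal extractor below
    tomllib = None

# Constructed sample in the shape of a pyproject.toml build-system table.
# It is NOT Airflow's file; the versions are made up for the demonstration.
SAMPLE_PYPROJECT = """\
[build-system]
requires = ["setuptools>=60.0.0,<70", "wheel", "hatchling==1.12.0"]
build-backend = "setuptools.build_meta"
"""

# Placeholder: substitute the fixed version named in the advisory you are acting on.
REQUIRED_MINIMUM = "65.0.0"

_NAME_AND_SPEC = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(.*)$")


def parse_version(text):
    """'65.5.1' -> (65, 5, 1); pads to three parts so '65' compares equal to '65.0.0'."""
    parts = []
    for piece in text.strip().split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def _requires_list(pyproject_text):
    """Return the raw requirement strings of [build-system].requires."""
    if tomllib is not None:
        data = tomllib.loads(pyproject_text)
        return list(data.get("build-system", {}).get("requires", []))
    # Minimal fallback: pull the quoted strings out of the requires array.
    section = re.search(r"\[build-system\](.*?)(?=\n\[|\Z)", pyproject_text, re.S)
    if not section:
        return []
    array = re.search(r"requires\s*=\s*\[(.*?)\]", section.group(1), re.S)
    return re.findall(r'"([^"]*)"', array.group(1)) if array else []


def build_requirements(pyproject_text):
    """Map each build requirement name (lower-cased) to its specifier string."""
    out = {}
    for req in _requires_list(pyproject_text):
        m = _NAME_AND_SPEC.match(req)
        if m:
            out[m.group(1).lower()] = m.group(2).strip()
    return out


def lower_bound(specifier):
    """Lowest version a '>=X' or '==X' clause allows; None when there is no floor."""
    floors = []
    for clause in specifier.split(","):
        clause = clause.strip()
        for op in ("==", ">="):
            if clause.startswith(op):
                floors.append(clause[len(op):].strip())
    # Several floors: the effective one is the highest of them.
    return max(floors, key=parse_version) if floors else None


def check_setuptools_floor(pyproject_text, minimum=REQUIRED_MINIMUM):
    """Return (ok, message). Not ok when setuptools is absent, has no lower
    bound, or its floor is below `minimum`: in each case an older, unfixed
    setuptools can still be selected as the build backend."""
    reqs = build_requirements(pyproject_text)
    if "setuptools" not in reqs:
        return False, "setuptools is not listed in [build-system].requires"
    floor = lower_bound(reqs["setuptools"])
    if floor is None:
        return False, "setuptools has no lower bound, so an older release still satisfies it"
    if parse_version(floor) < parse_version(minimum):
        return False, f"setuptools floor {floor} is below the required minimum {minimum}"
    return True, f"setuptools floor {floor} meets the required minimum {minimum}"


def bump_setuptools_floor(pyproject_text, new_minimum):
    """Rewrite the '>=' clause of the setuptools requirement, which is the edit
    a PR raising the pin would make. Other clauses (e.g. an upper bound) are kept."""
    return re.sub(
        r'("setuptools\s*>=)([^",<>!=~\s]+)',
        lambda m: m.group(1) + new_minimum,
        pyproject_text,
        count=1,
    )


if __name__ == "__main__":
    print("before:", *check_setuptools_floor(SAMPLE_PYPROJECT))
    fixed = bump_setuptools_floor(SAMPLE_PYPROJECT, REQUIRED_MINIMUM)
    print("after: ", *check_setuptools_floor(fixed))
```

Only `>=` and `==` clauses count as a floor; an upper bound such as `<70` is deliberately left alone by the bump, because the point of the check is that the lowest version pip may select is at or above the fixed release, not that the pin is changed in any other way. Run against a real pyproject.toml by reading the file into `check_setuptools_floor` in place of the constructed sample.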

[GitHub] [airflow] potiuk closed issue #29428: Require newer version of pypi/setuptools to remove security scan issue (CVE-2022-40897)

Posted by "potiuk (via GitHub)" <gi...@apache.org>.
potiuk closed issue #29428: Require newer version of pypi/setuptools to remove security scan issue (CVE-2022-40897)
URL: https://github.com/apache/airflow/issues/29428


[GitHub] [airflow] arjunanan6 commented on issue #29428: Require newer version of pypi/setuptools to remove security scan issue (CVE-2022-40897)

Posted by "arjunanan6 (via GitHub)" <gi...@apache.org>.
arjunanan6 commented on issue #29428:
URL: https://github.com/apache/airflow/issues/29428#issuecomment-1425457802

   @potiuk I would like to give this a try if @lewijw isn't opening a PR.


[GitHub] [airflow] lewijw commented on issue #29428: Require newer version of pypi/setuptools to remove security scan issue (CVE-2022-40897)

Posted by "lewijw (via GitHub)" <gi...@apache.org>.
lewijw commented on issue #29428:
URL: https://github.com/apache/airflow/issues/29428#issuecomment-1425802582

   I am new to Python, so it might be a while before I can do it.
