mend-toolkit / sca-cleanup-tool Goto Github PK
View Code? Open in Web Editor NEWLicense: Apache License 2.0
License: Apache License 2.0
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/96/94/c31f58c7a7f470d5665935262ebd7455c7e4c7782eb525658d3dbf4b9403/urllib3-2.1.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/tmp/ws-scm/sca-cleanup-tool
CVE | Severity | CVSS | Dependency | Type | Fixed in (urllib3 version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2024-37891 | Medium | 4.4 | urllib3-2.1.0-py3-none-any.whl | Direct | 2.2.2 | โ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/96/94/c31f58c7a7f470d5665935262ebd7455c7e4c7782eb525658d3dbf4b9403/urllib3-2.1.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/tmp/ws-scm/sca-cleanup-tool
Dependency Hierarchy:
Found in base branch: main
urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with ProxyManager
, the Proxy-Authorization
header is only sent to the configured proxy, as expected. However, when sending HTTP requests without using urllib3's proxy support, it's possible to accidentally configure the Proxy-Authorization
header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the Proxy-Authorization
HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the Proxy-Authorization
header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the Proxy-Authorization
header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the Proxy-Authorization
header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the Proxy-Authorization
header with urllib3's ProxyManager
, disable HTTP redirects using redirects=False
when sending requests, or not user the Proxy-Authorization
header as mitigations.
Publish Date: 2024-06-17
URL: CVE-2024-37891
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-34jh-p97f-mpxf
Release Date: 2024-06-17
Fix Resolution: 2.2.2
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules
There is an error with this repository's Mend configuration file that needs to be fixed. As a precaution, scans will stop until it is resolved.
Errors:
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These branches will be created by Renovate only once you click their checkbox below.
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
.github/workflows/Test and Deploy Mend.yml
actions/checkout v2
actions/setup-python v2
actions/cache v3
actions/cache v3
actions/cache v3
actions/cache v3
actions/checkout v2
ncipollo/release-action v1
requirements.txt
configparser ==5.3.0
DateTime ~=4.3
setuptools ==68.2.2
requests ~=2.31.0
Bug Description
When the number of projects to filter is less than or equal to the DAYS_TO_KEEP parameter, all the projects are deleted.
Steps to Reproduce
mend_sca_cleanup_tool -r 2 -m FilterProjectsByLastCreatedCopies -u <User_ID> -k <Org_ID> -y true -i <Product_Token> -g <Tag_Key>:<Tag_Value>
Expected Behavior
The command should keep the latest 2 projects that match the tag <Tag_Key>:<Tag_Value> in the given product and delete the older ones. It works when there are more than 2 projects that match this condition. However, if the number of projects are 1 or 2, it deletes those projects.
Screenshots
Getting tags for project <project_1>
<project_1> has matching tag
Getting tags for project <project_2>
<project_2> has matching tag
Filtering projects besides most recent: 2
Total: 2. Nothing to filter
2 project(s) to remove after filtering
Dry Run found 2 project(s) to delete: [โ<project_1>โ, โ<project_2>โ]
Getting tags for project <project_1>
<project_1> has matching tag
Getting tags for project <project_2>
<project_2> has matching tag
Filtering projects besides most recent: 1
Total: 2. Removing oldest 1
1 project(s) to remove after filtering
Dry Run found 1 project(s) to delete: [โ<project_1>โ]
Possible Solution
Line 159 in sca_cleanup_tool.py can set projects_to_return=[ ] so that an empty array is returned when projects<days_to_keep
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl
Path to dependency file: /tmp/ws-scm/sca-cleanup-tool
Path to vulnerable library: /tmp/ws-scm/sca-cleanup-tool,/requirements.txt
CVE | Severity | CVSS | Dependency | Type | Fixed in (requests version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2024-35195 | Medium | 5.6 | requests-2.31.0-py3-none-any.whl | Direct | requests - 2.32.2 | โ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl
Path to dependency file: /tmp/ws-scm/sca-cleanup-tool
Path to vulnerable library: /tmp/ws-scm/sca-cleanup-tool,/requirements.txt
Dependency Hierarchy:
Found in base branch: main
Requests is a HTTP library. Prior to 2.32.2, when making requests through a Requests Session
, if the first request is made with verify=False
to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of verify
. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.2.
Publish Date: 2024-05-20
URL: CVE-2024-35195
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-9wx4-h78v-vm56
Release Date: 2024-05-20
Fix Resolution: requests - 2.32.2
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.