
sca-cleanup-tool's Issues

Action Required: Fix Mend Configuration File - .whitesource

There is an error with this repository's Mend configuration file that needs to be fixed. As a precaution, scans will stop until it is resolved.

Errors:

  • "settingsInheritedFrom" attribute provided in mend-toolkit/sca-cleanup-tool/.whitesource points to a non-existent repository or branch: 'whitesource-ps/whitesource-config@main'

certifi-2024.6.2-py3-none-any.whl: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - certifi-2024.6.2-py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/5b/11/1e78951465b4a225519b8c3ad29769c49e0d8d157a070f681d5b6d64737f/certifi-2024.6.2-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/tmp/ws-scm/sca-cleanup-tool

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (certifi version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2024-39689 | High | 7.5 | certifi-2024.6.2-py3-none-any.whl | Direct | certifi - 2024.07.04 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-39689

Vulnerable Library - certifi-2024.6.2-py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/5b/11/1e78951465b4a225519b8c3ad29769c49e0d8d157a070f681d5b6d64737f/certifi-2024.6.2-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/tmp/ws-scm/sca-cleanup-tool

Dependency Hierarchy:

  • certifi-2024.6.2-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from GLOBALTRUST. Certifi 2024.07.04 removes root certificates from GLOBALTRUST from the root store. These are in the process of being removed from Mozilla's trust store. GLOBALTRUST's root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues."

Publish Date: 2024-07-05

URL: CVE-2024-39689

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-248v-346w-9cwc

Release Date: 2024-07-05

Fix Resolution: certifi - 2024.07.04

In order to enable automatic remediation, please create workflow rules


setuptools-68.2.2-py3-none-any.whl: 1 vulnerabilities (highest severity is: 7.0)

Vulnerable Library - setuptools-68.2.2-py3-none-any.whl

Easily download, build, install, upgrade, and uninstall Python packages

Library home page: https://files.pythonhosted.org/packages/bb/26/7945080113158354380a12ce26873dd6c1ebd88d47f5bc24e2c5bb38c16a/setuptools-68.2.2-py3-none-any.whl

Path to dependency file: /tmp/ws-scm/sca-cleanup-tool

Path to vulnerable library: /tmp/ws-scm/sca-cleanup-tool,/requirements.txt

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (setuptools version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2024-6345 | High | 7.0 | setuptools-68.2.2-py3-none-any.whl | Direct | 70.0.0 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-6345

Vulnerable Library - setuptools-68.2.2-py3-none-any.whl

Easily download, build, install, upgrade, and uninstall Python packages

Library home page: https://files.pythonhosted.org/packages/bb/26/7945080113158354380a12ce26873dd6c1ebd88d47f5bc24e2c5bb38c16a/setuptools-68.2.2-py3-none-any.whl

Path to dependency file: /tmp/ws-scm/sca-cleanup-tool

Path to vulnerable library: /tmp/ws-scm/sca-cleanup-tool,/requirements.txt

Dependency Hierarchy:

  • setuptools-68.2.2-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

Publish Date: 2024-07-15

URL: CVE-2024-6345

CVSS 3 Score Details (7.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-6345

Release Date: 2024-07-15

Fix Resolution: 70.0.0

In order to enable automatic remediation, please create workflow rules


Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Pending Approval

These branches will be created by Renovate only once you click their checkbox below.

  • [NEUTRAL] Update dependency configparser to v7
  • [NEUTRAL] Update dependency setuptools to v74
  • 🔐 Create all pending approval PRs at once 🔐

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

github-actions
.github/workflows/Test and Deploy Mend.yml
  • actions/checkout v2
  • actions/setup-python v2
  • actions/cache v3
  • actions/cache v3
  • actions/cache v3
  • actions/cache v3
  • actions/checkout v2
  • ncipollo/release-action v1
pip_requirements
requirements.txt
  • configparser ==5.3.0
  • DateTime ~=4.3
  • setuptools ==68.2.2
  • requests ~=2.31.0

requests-2.31.0-py3-none-any.whl: 1 vulnerabilities (highest severity is: 5.6)

Vulnerable Library - requests-2.31.0-py3-none-any.whl

Python HTTP for Humans.

Library home page: https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl

Path to dependency file: /tmp/ws-scm/sca-cleanup-tool

Path to vulnerable library: /tmp/ws-scm/sca-cleanup-tool,/requirements.txt

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (requests version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2024-35195 | Medium | 5.6 | requests-2.31.0-py3-none-any.whl | Direct | requests - 2.32.2 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-35195

Vulnerable Library - requests-2.31.0-py3-none-any.whl

Python HTTP for Humans.

Library home page: https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl

Path to dependency file: /tmp/ws-scm/sca-cleanup-tool

Path to vulnerable library: /tmp/ws-scm/sca-cleanup-tool,/requirements.txt

Dependency Hierarchy:

  • requests-2.31.0-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Requests is an HTTP library. Prior to 2.32.2, when making requests through a Requests Session, if the first request is made with verify=False to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of verify. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.2.

Publish Date: 2024-05-20

URL: CVE-2024-35195

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-9wx4-h78v-vm56

Release Date: 2024-05-20

Fix Resolution: requests - 2.32.2

In order to enable automatic remediation, please create workflow rules


FILTER_PROJECTS_BY_LAST_CREATED_COPIES removes projects even when there is nothing to filter.

Bug Description
When the number of projects to filter is less than or equal to the DAYS_TO_KEEP parameter, all the projects are deleted.

Steps to Reproduce

mend_sca_cleanup_tool -r 2 -m FilterProjectsByLastCreatedCopies -u <User_ID> -k <Org_ID> -y true -i <Product_Token> -g <Tag_Key>:<Tag_Value>

Expected Behavior
The command should keep the latest 2 projects that match the tag <Tag_Key>:<Tag_Value> in the given product and delete the older ones. It works when there are more than 2 projects that match this condition. However, if the number of projects is 1 or 2, it deletes those projects.

Screenshots

  1. Bug (-daysToKeep=2)
Getting tags for project <project_1>
<project_1> has matching tag
Getting tags for project <project_2>
<project_2> has matching tag
Filtering projects besides most recent: 2
Total: 2. Nothing to filter
2 project(s) to remove after filtering
Dry Run found 2 project(s) to delete: [‘<project_1>’, ‘<project_2>’]
  2. Working condition when projects>day_to_keep (-daysToKeep=1)
Getting tags for project <project_1>
<project_1> has matching tag
Getting tags for project <project_2>
<project_2> has matching tag
Filtering projects besides most recent: 1
Total: 2. Removing oldest 1
1 project(s) to remove after filtering
Dry Run found 1 project(s) to delete: [‘<project_1>’]

Possible Solution
Line 159 in sca_cleanup_tool.py can set projects_to_return=[ ] so that an empty array is returned when projects<days_to_keep
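The edge case in this report, reconstructed as a stand-alone Python example written for this page (it is not sca-cleanup-tool's own code; the function names, the `creationDate` field and the sample projects are assumptions). It places a reproduction of the reported fall-through beside the corrected selection that returns an empty list when there are no more projects than the number to keep, and adds a dry-run guard that refuses any plan which would delete every project while the keep count is positive:

```python
"""Reconstruction of the FilterProjectsByLastCreatedCopies edge case.

Written for this page; not the sca-cleanup-tool's code. Names and the
shape of the project records are assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample data (not from the page or the tool's API).
# creationDate is an ISO-8601 timestamp; project_3 is the newest.
_BASE = datetime(2024, 7, 1)
SAMPLE_PROJECTS = [
    {"name": "project_1", "creationDate": (_BASE + timedelta(days=0)).isoformat()},
    {"name": "project_2", "creationDate": (_BASE + timedelta(days=1)).isoformat()},
    {"name": "project_3", "creationDate": (_BASE + timedelta(days=2)).isoformat()},
]


def _newest_first(projects):
    # Same-format ISO-8601 strings sort chronologically as plain strings.
    return sorted(projects, key=lambda p: p["creationDate"], reverse=True)


def select_for_removal_buggy(projects, keep):
    """Hypothetical reproduction of the reported behaviour: when there are
    no more projects than `keep`, the 'Nothing to filter' path still hands
    back the untouched input list, so every project lands in the removal set."""
    ordered = _newest_first(projects)
    projects_to_return = ordered
    if len(ordered) > keep:
        projects_to_return = ordered[keep:]  # everything older than the newest `keep`
    # else: falls through with projects_to_return still equal to all projects
    return projects_to_return


def select_for_removal_fixed(projects, keep):
    """Corrected selection: 'nothing to filter' means an empty removal set."""
    if keep < 0:
        raise ValueError("keep must be non-negative")
    ordered = _newest_first(projects)
    if len(ordered) <= keep:
        return []
    return ordered[keep:]


def plan_removal(projects, keep, select=select_for_removal_fixed):
    """Builds the dry-run plan and refuses one that would empty the product
    while keep > 0, an invariant worth enforcing before any delete call."""
    to_remove = select(projects, keep)
    if keep > 0 and projects and len(to_remove) == len(projects):
        raise RuntimeError(
            f"refusing plan: keep={keep} but all {len(projects)} project(s) selected")
    return [p["name"] for p in to_remove]


if __name__ == "__main__":
    two = SAMPLE_PROJECTS[:2]
    print("buggy, 2 projects, keep 2:",
          [p["name"] for p in select_for_removal_buggy(two, 2)])
    print("fixed, 2 projects, keep 2:", plan_removal(two, 2))
    print("fixed, 2 projects, keep 1:", plan_removal(two, 1))
    print("fixed, 3 projects, keep 2:", plan_removal(SAMPLE_PROJECTS, 2))
    try:
        plan_removal(two, 2, select=select_for_removal_buggy)
    except RuntimeError as err:
        print("guard caught:", err)
```

The guard in `plan_removal` is independent of the selection fix: even with the buggy selector plugged in, a plan that names every project with a positive keep count is rejected before anything is deleted, which is the cheap safety net a destructive cleanup tool should carry regardless of how the filter logic evolves.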

urllib3-2.1.0-py3-none-any.whl: 1 vulnerabilities (highest severity is: 4.4) - autoclosed

Vulnerable Library - urllib3-2.1.0-py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/96/94/c31f58c7a7f470d5665935262ebd7455c7e4c7782eb525658d3dbf4b9403/urllib3-2.1.0-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/tmp/ws-scm/sca-cleanup-tool

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (urllib3 version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2024-37891 | Medium | 4.4 | urllib3-2.1.0-py3-none-any.whl | Direct | 2.2.2 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-37891

Vulnerable Library - urllib3-2.1.0-py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/96/94/c31f58c7a7f470d5665935262ebd7455c7e4c7782eb525658d3dbf4b9403/urllib3-2.1.0-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/tmp/ws-scm/sca-cleanup-tool

Dependency Hierarchy:

  • urllib3-2.1.0-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with ProxyManager, the Proxy-Authorization header is only sent to the configured proxy, as expected. However, when sending HTTP requests without using urllib3's proxy support, it's possible to accidentally configure the Proxy-Authorization header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the Proxy-Authorization HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the Proxy-Authorization header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the Proxy-Authorization header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the Proxy-Authorization header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the Proxy-Authorization header with urllib3's ProxyManager, disable HTTP redirects using redirects=False when sending requests, or not use the Proxy-Authorization header as mitigations.

Publish Date: 2024-06-17

URL: CVE-2024-37891

CVSS 3 Score Details (4.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-34jh-p97f-mpxf

Release Date: 2024-06-17

Fix Resolution: 2.2.2

In order to enable automatic remediation, please create workflow rules

