
[BUG] CVEs in conda release


What happened:

Running Grype on DaskSQL.jar from the latest conda release (dask-sql=2022.1) returned 6 fixable CVEs

grype graphistry/graphistry-nvidia:v2.39.7-11.4 \
    --only-fixed \
    -o template \
    -t grype.friendly.tmpl

with template grype.friendly.tmpl

"Package","Version Installed","Vulnerability ID","Severity","Location"
{{- range .Matches}}
"{{.Artifact.Name}}","{{.Artifact.Version}}","{{.Vulnerability.ID}}","{{.Vulnerability.Severity}}","{{.Artifact.Locations}}"
{{- end}}

=>

...
jackson-databind","2.10.0","GHSA-57j2-w4cx-62h2","High","[Location<RealPath="/opt/conda/envs/rapids/lib/python3.8/site-packages/dask_sql/jar/DaskSQL.jar" Layer="sha256:5c80fa32eb12dd95d387ae9121c3a8ba9713207626bbc7b849613b4bb0eb3586">]"
"httpclient","4.5.9","GHSA-7r82-7xv7-xcpj","Medium","[Location<RealPath="/opt/conda/envs/rapids/lib/python3.8/site-packages/dask_sql/jar/DaskSQL.jar" Layer="sha256:5c80fa32eb12dd95d387ae9121c3a8ba9713207626bbc7b849613b4bb0eb3586">]"
"json-smart","2.3","GHSA-fg2v-w576-w4v3","High","[Location<RealPath="/opt/conda/envs/rapids/lib/python3.8/site-packages/dask_sql/jar/DaskSQL.jar" Layer="sha256:5c80fa32eb12dd95d387ae9121c3a8ba9713207626bbc7b849613b4bb0eb3586">]"
"commons-io","2.4","GHSA-gwrp-pvrq-jmwv","Medium","[Location<RealPath="/opt/conda/envs/rapids/lib/python3.8/site-packages/dask_sql/jar/DaskSQL.jar" Layer="sha256:5c80fa32eb12dd95d387ae9121c3a8ba9713207626bbc7b849613b4bb0eb3586">]"
"snakeyaml","1.24","GHSA-rvwf-54qp-4r6v","High","[Location<RealPath="/opt/conda/envs/rapids/lib/python3.8/site-packages/dask_sql/jar/DaskSQL.jar" Layer="sha256:5c80fa32eb12dd95d387ae9121c3a8ba9713207626bbc7b849613b4bb0eb3586">]"
"json-smart","2.3","GHSA-v528-7hrm-frqp","Critical","[Location<RealPath="/opt/conda/envs/rapids/lib/python3.8/site-packages/dask_sql/jar/DaskSQL.jar" Layer="sha256:5c80fa32eb12dd95d387ae9121c3a8ba9713207626bbc7b849613b4bb0eb3586">]

What you expected to happen:

The latest stable release should ideally have no fixable CVEs

Minimal Complete Verifiable Example:

See above

Anything else we need to know?:

Environment:

  • dask-sql version: 2022.01
  • Python version: Any
  • Operating System: Any (Ubuntu container)
  • Install method (conda, pip, source): Conda

Issue Analytics

  • State: closed
  • Created: a year ago
  • Comments: 10 (1 by maintainers)
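The scan above is read through a Go template, which cannot easily tell you which release fixes each finding, nor act as a pass/fail gate in CI. The following is an added example (not from the issue, and not dask-sql or Grype code) that post-processes Grype's JSON report (`grype <image> -o json`) to do both. The report embedded in it is constructed: package names, installed versions and advisory IDs are the six findings above, but the "9.9.9" fix versions are placeholders rather than the advisories' real fixed releases, and the last two matches (one with no fix, one with an unknown fix state) are invented to exercise the filter. The field layout it assumes (`matches[].vulnerability.fix.state` / `.versions`, `matches[].artifact.locations[].path`) is Grype's JSON output model.

```python
"""Filter, tabulate and gate a Grype JSON report.

Added example, not part of the original issue or of dask-sql.
Real input: grype graphistry/graphistry-nvidia:v2.39.7-11.4 -o json > report.json
"""
import csv
import io
import json

# Severity names as Grype reports them; "Unknown" ranks below everything.
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2,
                 "Medium": 3, "High": 4, "Critical": 5}

# Path of the vendored jar reported in the issue.
JAR = "/opt/conda/envs/rapids/lib/python3.8/site-packages/dask_sql/jar/DaskSQL.jar"


def _match(name, version, vuln_id, severity, state, fix_versions=()):
    """Build one entry in the shape of grype's JSON 'matches' array."""
    return {
        "vulnerability": {"id": vuln_id, "severity": severity,
                          "fix": {"versions": list(fix_versions), "state": state}},
        "artifact": {"name": name, "version": version, "type": "java-archive",
                     "locations": [{"path": JAR}]},
    }


# CONSTRUCTED sample report. The six "fixed" entries mirror the issue's findings;
# "9.9.9" is a placeholder fix version. The EXAMPLE-* entries are invented and
# would be hidden by `grype --only-fixed`.
SAMPLE_REPORT = json.dumps({"matches": [
    _match("jackson-databind", "2.10.0", "GHSA-57j2-w4cx-62h2", "High", "fixed", ["9.9.9"]),
    _match("httpclient", "4.5.9", "GHSA-7r82-7xv7-xcpj", "Medium", "fixed", ["9.9.9"]),
    _match("json-smart", "2.3", "GHSA-fg2v-w576-w4v3", "High", "fixed", ["9.9.9"]),
    _match("commons-io", "2.4", "GHSA-gwrp-pvrq-jmwv", "Medium", "fixed", ["9.9.9"]),
    _match("snakeyaml", "1.24", "GHSA-rvwf-54qp-4r6v", "High", "fixed", ["9.9.9"]),
    _match("json-smart", "2.3", "GHSA-v528-7hrm-frqp", "Critical", "fixed", ["9.9.9"]),
    _match("example-lib", "1.0", "EXAMPLE-0001", "High", "not-fixed"),
    _match("other-lib", "0.1", "EXAMPLE-0002", "Critical", "unknown"),
]})


def load_matches(report_json):
    """Parse a `grype -o json` report and return its matches list."""
    return json.loads(report_json).get("matches", [])


def fixable(matches):
    """Keep matches with a known fixed version: the same cut `--only-fixed` makes."""
    return [m for m in matches if m["vulnerability"]["fix"]["state"] == "fixed"]


def to_rows(matches):
    """One row per match, like the issue's template, plus the fixed-in version(s)."""
    rows = []
    for m in matches:
        v, a = m["vulnerability"], m["artifact"]
        rows.append((a["name"], a["version"], v["id"], v["severity"],
                     ";".join(v["fix"]["versions"]) or "-",
                     a["locations"][0]["path"] if a["locations"] else "-"))
    return rows


def to_csv(matches):
    """Render rows as CSV. csv.writer quotes for us, so a path or ID containing a
    comma or quote cannot break a row the way a hand-written template can."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["Package", "Version Installed", "Vulnerability ID",
                "Severity", "Fixed In", "Location"])
    w.writerows(to_rows(matches))
    return buf.getvalue()


def summarize(matches):
    """Count matches per severity label."""
    counts = {}
    for m in matches:
        sev = m["vulnerability"]["severity"]
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def blocking(matches, threshold="High"):
    """Matches at or above `threshold`: what a release gate should fail on."""
    floor = SEVERITY_RANK[threshold]
    return [m for m in matches
            if SEVERITY_RANK.get(m["vulnerability"]["severity"], 0) >= floor]


if __name__ == "__main__":
    found = fixable(load_matches(SAMPLE_REPORT))
    print(to_csv(found))
    print("by severity:", summarize(found))
    bad = blocking(found, "High")
    print(f"{len(bad)} fixable finding(s) at High or above")
    raise SystemExit(1 if bad else 0)
```

Run against a real report by replacing `SAMPLE_REPORT` with the file contents; the non-zero exit from `blocking()` is what turns the "no fixable CVEs in a stable release" expectation into a check a release pipeline can enforce. If you would rather stay inside Grype's template, the same fix data is exposed there as `{{.Vulnerability.Fix.Versions}}`, since the template is rendered from the same model as the JSON output.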

Top GitHub Comments

1 reaction
charlesbluca commented, Apr 11, 2022

Turns out the httpclient CVE was easier to resolve than once thought 🙂 merged in https://github.com/dask-contrib/dask-sql/pull/453 and did patch release 2022.4.1 with the fix - on my end there are no longer any fixable CVEs detected by grype - @lmeyerov if you get a chance can you confirm?

1 reaction
charlesbluca commented, Apr 7, 2022

To give a general update on the ongoing work to resolve these CVEs:

  • #445 has resolved the CVEs in json-smart, commons-io, and snakeyaml
  • #449 should resolve the jackson-databind CVE
  • still waiting on a new Calcite Avatica release to resolve the httpclient CVE, in the meantime we will disable our SQL server in #448 until that CVE can be resolved
