# pex
w
Hey y’all, just sharing some pretty crazy stuff I had to deal with today here at work. They* got `pex` flagged as a security threat and I spent the whole day defending and explaining what it is and how it’s used. Here at the company IT is using Nexus IQ Scanner and it found these vulnerabilities:

`pex 2.1.21 (.tar.gz)`:
• https://nvd.nist.gov/vuln/detail/CVE-2018-18074 (threat level 9)
• https://nvd.nist.gov/vuln/detail/CVE-2018-20060 (lvl 9)
• https://nvd.nist.gov/vuln/detail/CVE-2018-20225 (lvl 7)
• https://nvd.nist.gov/vuln/detail/CVE-2019-20907 (lvl 7)
• https://nvd.nist.gov/vuln/detail/CVE-2019-11236 (lvl 6)
• https://nvd.nist.gov/vuln/detail/CVE-2019-9740 (lvl 6)

and for `pex (py2.py3-none-any) 2.1.21 (.whl)`:
• https://nvd.nist.gov/vuln/detail/CVE-2018-20225 (lvl 7)
• https://nvd.nist.gov/vuln/detail/CVE-2019-20907 (lvl 7)

So threats lvl 9+ are immediately put into quarantine and we (developers) can’t use those packages.
Afaik from my `pip install` and `./pants --version` bootstrap it seems like it always tries to get the `.whl` package from my internal pypi, but for whatever reason they were very worried about that `tar.gz` with those lvl 9.
So I discovered what that `.tar.gz` is.. it’s the actual `pex` source code from github.
j
If that `tar.gz` came from an internal repository, would that remediate the vulnerability?
w
That tar.gz was the pex repository from pypi
h
Do I understand correctly that this is actually a problem with pip?
Are your IT people suggesting that you cannot use standalone pip either?
w
@happy-kitchen-89482 you’re correct. It was one of the most insane discussions I’ve had in my professional life lol