wooden-thailand-8386
11/20/2020, 9:22 PM
`pex` flagged as a security threat and I spent the whole day defending and explaining what it is and its usage. Here at the company IT is using Nexus IQ Scanner and it found these vulnerabilities:
`pex 2.1.21 (.tar.gz)`:
• https://nvd.nist.gov/vuln/detail/CVE-2018-18074 (threat level 9)
• https://nvd.nist.gov/vuln/detail/CVE-2018-20060 (lvl 9)
• https://nvd.nist.gov/vuln/detail/CVE-2018-20225 (lvl 7)
• https://nvd.nist.gov/vuln/detail/CVE-2019-20907 (lvl 7)
• https://nvd.nist.gov/vuln/detail/CVE-2019-11236 (lvl 6)
• https://nvd.nist.gov/vuln/detail/CVE-2019-9740 (lvl 6)
and for `pex (py2.py3-none-any) 2.1.21 (.whl)`:
• https://nvd.nist.gov/vuln/detail/CVE-2018-20225 (lvl 7)
• https://nvd.nist.gov/vuln/detail/CVE-2019-20907 (lvl 7)
So threats lvl 9+ are immediately put into quarantine and we (developers) can't use those packages. `pip install` and the `./pants --version` bootstrap: it seems like it always tries to get the .whl package from my internal PyPI, but for whatever reason they were very worried about that tar.gz with those lvl 9. The .tar.gz is.. it's the actual pex source code from github.

jolly-midnight-72759
11/20/2020, 10:44 PM
tar.gz came from an internal repository, would that remediate the vulnerability?

wooden-thailand-8386
11/20/2020, 11:10 PM

happy-kitchen-89482
11/21/2020, 5:30 AM

wooden-thailand-8386
11/23/2020, 3:06 PM