# pex
Hey y’all, just sharing some pretty crazy stuff I had to deal with today here at work. They* got flagged as a security threat and I spent the whole day defending it and explaining what the usage is. Here at the company IT is using Nexus IQ Scanner and it found these vulnerabilities:

`pex 2.1.21 (.tar.gz)`:
• https://nvd.nist.gov/vuln/detail/CVE-2018-18074 (threat level 9)
• https://nvd.nist.gov/vuln/detail/CVE-2018-20060 (lvl 9)
• https://nvd.nist.gov/vuln/detail/CVE-2018-20225 (lvl 7)
• https://nvd.nist.gov/vuln/detail/CVE-2019-20907 (lvl 7)
• https://nvd.nist.gov/vuln/detail/CVE-2019-11236 (lvl 6)
• https://nvd.nist.gov/vuln/detail/CVE-2019-9740 (lvl 6)

and for `pex (py2.py3-none-any) 2.1.21 (.whl)`:
• https://nvd.nist.gov/vuln/detail/CVE-2018-20225 (lvl 7)
• https://nvd.nist.gov/vuln/detail/CVE-2019-20907 (lvl 7)

So threats lvl 9+ are immediately put into quarantine and we (developers) can’t use those packages.
Afaik from my `pip install` / `./pants --version` bootstrap it seems like it always tries to get the package from my internal pypi, but for whatever reason they were very worried about that with those lvl 9.
So I discovered what that is.. it’s the actual source code from github.
If that came from an internal repository would that remediate the vulnerability?
That tar.gz was the pex repository from pypi
Do I understand correctly that this is actually a problem with pip?
Are your IT people suggesting that you cannot use standalone pip either?
@happy-kitchen-89482 you’re correct. It was one of the most insane discussions I’ve had in my professional life lol