# pex

wooden-thailand-8386

11/20/2020, 9:22 PM
Hey y’all, just sharing some pretty crazy stuff I had to deal with today here at work. They* got `pex` flagged as a security threat and I spent the whole day defending and explaining what it is and how it is used. Here at the company IT is using Nexus IQ Scanner and it found these vulnerabilities for `pex 2.1.21 (.tar.gz)`:

• https://nvd.nist.gov/vuln/detail/CVE-2018-18074 (threat level 9)
• https://nvd.nist.gov/vuln/detail/CVE-2018-20060 (lvl 9)
• https://nvd.nist.gov/vuln/detail/CVE-2018-20225 (lvl 7)
• https://nvd.nist.gov/vuln/detail/CVE-2019-20907 (lvl 7)
• https://nvd.nist.gov/vuln/detail/CVE-2019-11236 (lvl 6)
• https://nvd.nist.gov/vuln/detail/CVE-2019-9740 (lvl 6)

and for `pex (py2.py3-none-any) 2.1.21 (.whl)`:

• https://nvd.nist.gov/vuln/detail/CVE-2018-20225 (lvl 7)
• https://nvd.nist.gov/vuln/detail/CVE-2019-20907 (lvl 7)

So threats lvl 9+ are immediately put into quarantine and we (developers) can’t use those packages.
😬 1
Afaik from my `pip install` and `./pants --version` bootstrap it seems like it always tries to get the `.whl` package from my internal pypi but for whatever reason they were very worried about that `tar.gz` with those lvl 9.
👍 1
So I discovered what that `.tar.gz` is... it’s the actual `pex` source code from github.
jolly-midnight-72759

11/20/2020, 10:44 PM
If that `tar.gz` came from an internal repository would that remediate the vulnerability?
wooden-thailand-8386

11/20/2020, 11:10 PM
That tar.gz was the pex repository from pypi
happy-kitchen-89482

11/21/2020, 5:30 AM
Do I understand correctly that this is actually a problem with pip?
Are your IT people suggesting that you cannot use standalone pip either?
wooden-thailand-8386

11/23/2020, 3:06 PM
@happy-kitchen-89482 you’re correct. It was one of the most insane discussions I’ve had in my professional life lol
😓 1