
Adding auditing to pip

Posted Aug 16, 2022 10:29 UTC (Tue) by amarao (guest, #87073)
Parent article: Adding auditing to pip

I just checked pip-audit output for some random image we have, and a few 'CVEs' caught my attention. One of them, it turned out, is just an opinion on 'how things should be in Ansible' (https://github.com/advisories/GHSA-h39q-95q5-9jfp), with an extremely worrying description, which turned out to be sec-click-bait (https://github.com/ansible/ansible/issues/67792#issuecomm...). Nevertheless, the CVE is issued and there is no way back - it's FOREVER UNFIXED and SECURITY IS ENRAGED. I saw a lot of 'security officers' who just ignore the matter and have a KPI of 'no CVEs', which brings us to the problem: one guy screamed 'CVE' and no one else can undo this scream. And there are other guys with the power to follow this scream and to break production BECAUSE OF SECURITY.


Adding auditing to pip

Posted Aug 16, 2022 12:37 UTC (Tue) by kleptog (subscriber, #1183) [Link] (2 responses)

There's always a way to ignore particular warnings from a tool. We have safety as part of our build pipeline and when it fails we need to check. Mostly it's just a minor upgrade, but we've had cases where it requires a major package upgrade which we don't have time for, and the actual issue doesn't affect us anyway because it's in some plugin we don't use, or because, given the way our data is structured, that corner case doesn't appear. It gets added to the ignore file with a comment and that's that.

If your security team can't accept that, then that's their problem. Not every CVE is equally important or equally relevant.
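One way to keep such exceptions honest is to require a written reason and a review date for every ignored advisory, and to treat an expired exception as blocking again. This is an added example, not code from the thread, pip-audit or safety; it assumes the JSON shape of `pip-audit --format json` output, and the sample report, dates, reasons and the second advisory ID are constructed placeholders.

```python
"""Triage pip-audit findings against an allowlist that records why each ignored
advisory was accepted and when that decision must be revisited."""
import datetime as dt
import json

# Constructed sample in the assumed shape of `pip-audit --format json` output (not real tool output).
AUDIT_JSON = json.dumps({
    "dependencies": [
        {"name": "ansible", "version": "2.9.27",
         "vulns": [{"id": "GHSA-h39q-95q5-9jfp", "fix_versions": [], "description": "disputed"}]},
        {"name": "examplepkg", "version": "1.0.0",  # placeholder package and advisory ID
         "vulns": [{"id": "GHSA-xxxx-xxxx-xxxx", "fix_versions": ["1.0.1"], "description": "placeholder"}]},
    ]
})

# Every ignore entry carries a reason and an expiry so the exception is re-reviewed
# instead of silently accumulating. Reason text and date are constructed.
ALLOWLIST = {
    "GHSA-h39q-95q5-9jfp": {
        "reason": "Disputed advisory about default Ansible behaviour; no exposure in our deployment",
        "expires": "2023-02-01",
    },
}


def triage(report_json, allowlist, today_iso):
    """Split findings into blocking and accepted lists.

    An allowlist entry suppresses a finding only while its expiry is in the future;
    once expired, the finding blocks again and is annotated so the reviewer sees why."""
    today = dt.date.fromisoformat(today_iso)
    blocking, accepted = [], []
    for dep in json.loads(report_json)["dependencies"]:
        for vuln in dep.get("vulns", []):
            finding = {"package": dep["name"], "version": dep["version"], "id": vuln["id"]}
            entry = allowlist.get(vuln["id"])
            if entry and dt.date.fromisoformat(entry["expires"]) > today:
                accepted.append({**finding, "reason": entry["reason"]})
            else:
                if entry:
                    finding["note"] = "allowlist entry expired on " + entry["expires"]
                blocking.append(finding)
    return blocking, accepted


if __name__ == "__main__":
    blocking, accepted = triage(AUDIT_JSON, ALLOWLIST, dt.date.today().isoformat())
    for f in accepted:
        print(f"accepted {f['id']} in {f['package']}: {f['reason']}")
    for f in blocking:
        print(f"BLOCKING {f['id']} in {f['package']} {f['version']} {f.get('note', '')}")
    raise SystemExit(1 if blocking else 0)  # non-zero exit fails the pipeline stage
```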

Adding auditing to pip

Posted Aug 16, 2022 13:52 UTC (Tue) by amarao (guest, #87073) [Link] (1 response)

It's not about specific warnings, it's about culture. Basically, you have a 'security guy' (with a background from, e.g., the police or some other non-IT field) who was tasked with 'IT security'. He follows the guidelines and trainings which say 'no vulnerabilities above 6.7 should be in production systems', and there is a '7.4' for a vulnerability which is not a vulnerability at all. There is no procedure to make it not-a-vulnerability. You explain the reason for ignoring it and the guy just ignores you (like a police officer ignoring an explanation for speeding at ticket time). The rules say 'NO VULNERABILITIES ABOVE 6.4 AND YOU HAVE 7.4 ON MY VUN-READER, DOCUMENTS PLEASE'. And there is a way to make this guy quiet. Install the package in a way which is not visible to the scanner, and you are fine to go (even if you have POODLE with Heartbleed).

If there is a CVE out there, how do you make it 'not a CVE'? I know of no such process.

Adding auditing to pip

Posted Aug 17, 2022 0:31 UTC (Wed) by pabs (subscriber, #43278) [Link]

CVEs can be disputed; you see this all the time if you follow CVE feeds. This is mentioned in the CVE docs on at least these two pages:

https://nvd.nist.gov/general/cve-process
https://nvd.nist.gov/vuln/vulnerability-status


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds