If you are wondering where the data of this site comes from, please visit https://api.github.com/users/yeisonvargasf/events. GitMemory does not store any data, but only uses NGINX to cache data for a period of time. The idea behind GitMemory is simply to give users a better reading experience.
Yeison Vargas yeisonvargasf Master's student, OSS developer, Senior Software Engineer (e2e).

yeisonvargasf/python_backend_talk 1

Slides for the Python talk

yeisonvargasf/aescrypt 0

A simple and opinionated AES encrypt / decrypt Ruby gem that just works.

yeisonvargasf/awesome-python 0

A curated list of awesome Python frameworks, libraries, software and resources

yeisonvargasf/communties 0

This repository contains the list of the Python communities in Colombia

yeisonvargasf/emanate 0

A symlink finagler.

yeisonvargasf/frappe_docker 0

Docker image for frappe-bench

yeisonvargasf/http3-explained 0

A document describing the HTTP/3 and QUIC protocols

yeisonvargasf/missingno 0

Missing data visualization module for Python.

issue comment pyupio/safety

Report contains lots of duplicated vulnerabilities with tensorflow==2.4.0 and the commercial database

@millenc I closed this issue because it was fixed on our backend side; no update is needed, so you should be able to see the fix with no action from your side. Let me know if it's OK for you, and don't hesitate to reach out to us if there is another issue.

millenc

comment created time in 2 days

issue closed pyupio/safety

Report contains lots of duplicated vulnerabilities with tensorflow==2.4.0 and the commercial database

  • safety version: 1.10.3
  • Python version: 3.7.10
  • Operating System: Ubuntu 20.04

Description

The safety report (either --full-report or --short-report) is huge and contains lots of duplicated lines when tensorflow 2.4.0 is installed and an API key is used.

What I Did

  1. Create a fresh virtual environment: virtualenv -p /usr/bin/python3.7 ~/.envs/tensorflow
  2. Activate the environment
  3. Install tensorflow (2.4.0) and the latest version of safety: pip3 install tensorflow==2.4.0 safety
  4. Run the analysis: safety check
  5. Export the API key environment variable: export SAFETY_API_KEY="<MY API KEY HERE>"
  6. Run the analysis again

Running safety with no API key (step 4), the report looks like this:

+==============================================================================+
|                                                                              |
|                               /$$$$$$            /$$                         |
|                              /$$__  $$          | $$                         |
|           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
|          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
|         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
|          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
|          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
|         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
|                                                          /$$  | $$           |
|                                                         |  $$$$$$/           |
|  by pyup.io                                              \______/            |
|                                                                              |
+==============================================================================+
| REPORT                                                                       |
| checked 47 packages, using free DB (updated once a month)                    |
+============================+===========+==========================+==========+
| package                    | installed | affected                 | ID       |
+============================+===========+==========================+==========+
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40469    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40472    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40682    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40684    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40678    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40681    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40683    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40680    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40679    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40691    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40467    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40694    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40692    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40695    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40465    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40688    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40689    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40690    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40468    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40697    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40767    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40706    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40710    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40677    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40693    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40700    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40696    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40699    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40702    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40701    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40698    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40772    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40675    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40676    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40673    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40747    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40748    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40715    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40708    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40703    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40744    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40464    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40734    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40770    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40728    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40766    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40714    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40685    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40746    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40686    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40718    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40738    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40741    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40466    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40742    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40765    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40712    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40713    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40716    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40724    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40721    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40768    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40705    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40764    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40740    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40723    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40722    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40720    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40717    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40707    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40731    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40732    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40733    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40735    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40736    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40737    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40739    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40743    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40745    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40687    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40749    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40750    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40751    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40752    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40753    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40754    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40755    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40756    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40757    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40758    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40759    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40760    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40761    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40762    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40763    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40704    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40769    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40709    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40771    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40711    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40773    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40774    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40775    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40777    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40778    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40725    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40719    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40726    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40727    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40729    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40730    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40470    |
| tensorflow                 | 2.4.0     | >=2.4.0rc0,<2.4.2        | 40471    |
+==============================================================================+

If I export the API key (step 5) and run the analysis again (step 6), the result is the log included in the attached file:

safety-check-tensorflow-2.4.0-with-apikey.log

As you can see, there are more than 16k lines in there. Such a report is not useful at all and causes issues on CI/CD pipelines that impose limits on the size of logs. Using the --full-report option is even worse since the log turns out to have more than 160k lines (~14MB). The same thing happens with the JSON report.

closed time in 2 days

millenc
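The reproduction above ends with a report that repeats the same tensorflow findings over and over, and the reporter notes that the JSON report has the same problem. As an added example (not code from the safety project or from the issue), here is a post-processor that collapses duplicated rows of a safety 1.x JSON report before the output reaches a CI log. It assumes, and this is an assumption to verify against your safety version, that `safety check --json` in the 1.10.x line emits a list of five-field rows `[package, affected_spec, installed_version, advisory, vuln_id]`; the sample report embedded below is constructed.

```python
"""Collapse duplicated findings in a safety 1.x JSON report (added example)."""
import json
import sys
from collections import OrderedDict

# Assumption of this example: `safety check --json` in the 1.10.x line emits a JSON
# list of 5-field rows, [package, affected_spec, installed_version, advisory, vuln_id].
# Verify against the safety version you run before relying on these indexes.
PKG, SPEC, INSTALLED, ADVISORY, VULN_ID = range(5)

# Constructed sample input: one finding repeated three times (the duplication the
# issue describes), one distinct tensorflow finding, and one unrelated package.
SAMPLE_REPORT = json.dumps([
    ["tensorflow", ">=2.4.0rc0,<2.4.2", "2.4.0", "constructed advisory text", "40469"],
    ["tensorflow", ">=2.4.0rc0,<2.4.2", "2.4.0", "constructed advisory text", "40469"],
    ["tensorflow", ">=2.4.0rc0,<2.4.2", "2.4.0", "constructed advisory text", "40469"],
    ["tensorflow", ">=2.4.0rc0,<2.4.2", "2.4.0", "constructed advisory text", "40472"],
    ["examplepkg", "<1.2.0", "1.1.0", "constructed advisory text", "00001"],
])


def dedupe_rows(rows):
    """Keep the first occurrence of each (package, spec, installed, id) tuple.

    Two rows are the same finding when they report the same vulnerability id for
    the same installed package and affected range; the advisory text is ignored
    because it is free-form and may differ in whitespace between duplicates.
    """
    seen = OrderedDict()
    for row in rows:
        if not isinstance(row, list) or len(row) < 5:
            raise ValueError(f"unexpected row shape: {row!r}")
        key = (row[PKG], row[SPEC], row[INSTALLED], row[VULN_ID])
        seen.setdefault(key, row)
    return list(seen.values())


def dedupe_report(report_json):
    """Parse a safety JSON report string and return (unique_rows, dropped_count)."""
    rows = json.loads(report_json)
    if not isinstance(rows, list):
        raise ValueError("expected a JSON list at the top level")
    unique = dedupe_rows(rows)
    return unique, len(rows) - len(unique)


def summarize(rows):
    """Group unique findings by package: {package: sorted list of vulnerability ids}."""
    by_pkg = {}
    for row in rows:
        by_pkg.setdefault(row[PKG], set()).add(row[VULN_ID])
    return {pkg: sorted(ids) for pkg, ids in sorted(by_pkg.items())}


def main():
    # Usage: safety check --json | python dedupe_safety.py > report.json
    unique, dropped = dedupe_report(sys.stdin.read())
    json.dump(unique, sys.stdout, indent=2)
    for pkg, ids in summarize(unique).items():
        print(f"{pkg}: {len(ids)} unique vulnerability id(s)", file=sys.stderr)
    print(f"dropped {dropped} duplicated row(s)", file=sys.stderr)


if __name__ == "__main__":
    main()
```

The dedup key deliberately excludes the advisory text: if the backend emitted the same id twice with slightly different prose, the row count would still explode while the findings are identical. Pipe the tool's output through `main()` in CI and fail the job on the summary, not on the raw report.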

push event yeisonvargasf/ShoppingCart-Backend

pyup-bot

commit sha af20cbc2bacd36e627c15808351f0239d214a72e

update pyup.io config file

view details

push time in 24 days

create branch yeisonvargasf/ShoppingCart-Backend

branch : pyup-config

created branch time in 24 days

delete branch yeisonvargasf/ShoppingCart-Backend

delete branch : pyup-config

delete time in 24 days

issue comment pyupio/safety

Report contains lots of duplicated vulnerabilities with tensorflow==2.4.0 and the commercial database

Hi @millenc, thanks for reporting this. It looks like a bug in the Safety report only with Tensorflow; we are going to verify and inspect the possible cause and we will apply a fix as soon as possible.

millenc

comment created time in a month

pull request comment pyupio/safety

Add XmlReport (JUnit)

Hi @0xjjoyy, would you like to fix/resolve in the code the review comments made by Rafael? I can review/test and merge the PR ASAP if those comments are resolved in the code.

hesstobi

comment created time in a month

push event pyupio/safety-db

Yeison Vargas

commit sha 5bd1332213532648a1f61cb92fa6092416619b07

Removing false positive vulnerability for dash library

view details

Yeison Vargas

commit sha 437e90bcaf48c0918416e44b0ca03ad70ca41bba

Merge pull request #2338 from pyupio/fix/remove-dash-false-positive Removing false positive vulnerability for dash library

view details

push time in a month

PR merged pyupio/safety-db

Removing false positive vulnerability for dash library

"PVE-2021-40962" is not valid. Related to #2336

+1 -11

0 comment

2 changed files

yeisonvargasf

pr closed time in a month

PR opened pyupio/safety-db

Removing false positive vulnerability for dash library

"PVE-2021-40962" is not valid. Related to #2336

+1 -11

0 comment

2 changed files

pr created time in a month

create branch pyupio/safety-db

branch : fix/remove-dash-false-positive

created branch time in a month

pull request comment pyupio/safety-db

Remove `coveragepy` from vulnerable, refs #2335

Thanks @sobolevn !

sobolevn

comment created time in a month

push event pyupio/safety-db

Nikita Sobolev

commit sha 0c3c5fe360fc0a0afcabf4930ea6436f197b59a9

Remove `coveragepy` from vulnerable, refs #2335

view details

sobolevn

commit sha 17227671401a5730b7df79249c88fba22011055b

Also from insecure_full.json

view details

Yeison Vargas

commit sha d9ee0fa67f3e125f471ea41d9a513b19c0328c05

Merge pull request #2337 from sobolevn/patch-1 Remove `coveragepy` from vulnerable, refs #2335

view details

push time in a month

issue closed pyupio/safety-db

Package `coverage<6.0b1` incorrectly listed as vulnerable

As discussed in https://github.com/nedbat/coveragepy/issues/1198 with the author of the coverage package. The former usage of the md5 algorithm in coverage is not a security vulnerability. The listing in safety-db forces (or rather tries to convince) lots of people to upgrade to a newer version that is both beta and a major upgrade, for no good reason (security-wise).

Would you consider removing the entry for coverage<6.0b1 from the database?

closed time in a month

whyscream

PR merged pyupio/safety-db

Remove `coveragepy` from vulnerable, refs #2335

Closes #2335

+2 -16

0 comment

2 changed files

sobolevn

pr closed time in a month

issue comment pyupio/safety-db

Package `coverage<6.0b1` incorrectly listed as vulnerable

Hi @nedbat, I know what you mean, sorry for that. I think a more detailed clarification in changelogs will help avoid producing false positives in the future, and our team will probably reach out to you next time if a security item in the changelog isn't clear for them.

@awsbillz the correction was done after this issue was reported, it will show up for our paid users immediately and not until September 1st for our users without a paid subscription.

We can review/accept any PR in an expedited way if you want to remove the false positive before that date. You will have to remove the vulnerability from insecure.json and insecure_full.json.

whyscream

comment created time in a month
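The comment above tells contributors that a false positive has to be removed from both insecure.json and insecure_full.json. As an added example (not safety-db's own tooling), here is a small script that removes one advisory from both files consistently and refuses to write a pair of files that disagree. It assumes the file layout as I recall it from the public safety-db repository, which is an assumption to verify against the repository: insecure.json maps a package name to a list of version specifier strings, insecure_full.json maps it to a list of advisory dicts with keys `advisory`, `cve`, `id` (of the form `pyup.io-NNNNN`), `specs` and `v`, both carry a `$meta` key, and a `PVE-2021-NNNNN` identifier corresponds to the `pyup.io-NNNNN` id. The sample database embedded below is constructed.

```python
"""Remove a false-positive advisory from safety-db's two JSON files (added example)."""
import copy
import json

# Assumptions of this example (check against the repository before use):
#  - insecure.json maps package name -> list of version specifier strings;
#  - insecure_full.json maps package name -> list of advisory dicts with keys
#    "advisory", "cve", "id" (e.g. "pyup.io-40962"), "specs" and "v";
#  - both files carry a "$meta" key that must be left untouched;
#  - a PVE-2021-NNNNN identifier corresponds to the "pyup.io-NNNNN" id.
META = "$meta"

# Constructed sample database. Two "dash" advisories deliberately share the
# spec string "<2.2.0" so that the shared-spec edge case is exercised.
INSECURE_FULL = {
    META: {"advisory": "constructed", "timestamp": 1626480000},
    "dash": [
        {"advisory": "constructed, valid", "cve": None, "id": "pyup.io-11111",
         "specs": ["<1.0"], "v": "<1.0"},
        {"advisory": "constructed, false positive", "cve": None, "id": "pyup.io-40962",
         "specs": ["<2.2.0"], "v": "<2.2.0"},
        {"advisory": "constructed, valid", "cve": None, "id": "pyup.io-33333",
         "specs": ["<2.2.0"], "v": "<2.2.0"},
    ],
    "otherpkg": [
        {"advisory": "constructed", "cve": None, "id": "pyup.io-22222",
         "specs": ["<0.5"], "v": "<0.5"},
    ],
}
INSECURE = {
    META: {"advisory": "constructed", "timestamp": 1626480000},
    "dash": ["<1.0", "<2.2.0"],
    "otherpkg": ["<0.5"],
}


def remove_advisory(insecure, insecure_full, package, advisory_id):
    """Return new (insecure, insecure_full) dicts with one advisory removed.

    The spec string in insecure.json is dropped only when no remaining advisory
    for the package still uses it; otherwise removing it would silently hide
    the other advisory from users of the short database.
    """
    short = copy.deepcopy(insecure)
    full = copy.deepcopy(insecure_full)
    entries = full.get(package, [])
    removed = [e for e in entries if e["id"] == advisory_id]
    if not removed:
        raise KeyError(f"{advisory_id} not found under {package!r}")
    kept = [e for e in entries if e["id"] != advisory_id]
    still_used = {e["v"] for e in kept}
    orphaned = {e["v"] for e in removed} - still_used
    if kept:
        full[package] = kept
    else:
        del full[package]
    specs = [s for s in short.get(package, []) if s not in orphaned]
    if specs:
        short[package] = specs
    else:
        short.pop(package, None)
    return short, full


def check_consistency(insecure, insecure_full):
    """Return a list of mismatches between the two files (empty when consistent)."""
    problems = []
    pkgs = (set(insecure) | set(insecure_full)) - {META}
    for pkg in sorted(pkgs):
        short_specs = set(insecure.get(pkg, []))
        full_specs = {e["v"] for e in insecure_full.get(pkg, [])}
        for spec in sorted(short_specs - full_specs):
            problems.append(f"{pkg}: {spec} in insecure.json has no advisory")
        for spec in sorted(full_specs - short_specs):
            problems.append(f"{pkg}: {spec} in insecure_full.json is missing from insecure.json")
    return problems


def rewrite_files(insecure_path, full_path, package, advisory_id):
    """Apply remove_advisory to the on-disk files; returns the rewritten dicts."""
    with open(insecure_path) as f, open(full_path) as g:
        short, full = remove_advisory(json.load(f), json.load(g), package, advisory_id)
    problems = check_consistency(short, full)
    if problems:
        raise ValueError("refusing to write inconsistent database: " + "; ".join(problems))
    with open(insecure_path, "w") as f, open(full_path, "w") as g:
        json.dump(short, f, indent=4, sort_keys=True)
        json.dump(full, g, indent=4, sort_keys=True)
    return short, full
```

Run `check_consistency` on the unmodified files first: a pre-existing mismatch is a separate bug and should not be folded into a false-positive removal PR.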

issue comment plotly/dash

[INFO] What is the status of PVE-2021-40962?

@dmaljovec our bot commits monthly updates of vulnerabilities already reviewed by our security team; sometimes there are false positives. This correction will show up for our paid users immediately and not until September 1st for our users without a paid subscription.

dmaljovec

comment created time in a month

issue comment pyupio/safety-db

Package `dash` has no version 2.2.0

Hi @alexcjohnson, it was a false positive and it was marked as not valid. Thanks for reporting this.

alexcjohnson

comment created time in a month

issue comment pyupio/safety-db

Package `coverage<6.0b1` incorrectly listed as vulnerable

Hi @whyscream, thanks for reporting this issue. We reviewed it in detail and this was a false positive; we have marked the vulnerability as INVALID and the update will be available soon.

@nedbat we usually notify repo owners to clarify the possible vulnerability; this time MD5 was a red flag (even FIPS blocks it regardless of context) for our security team while doing the verification. (About your question: there is a security team checking each possible vulnerability.) We will reach out to you if the security team has questions about a possible vulnerability.

whyscream

comment created time in a month

issue comment pyupio/safety

Confusing "Development status" (pre alpha) on pypi.org?

Sorry for the late answer, PRs are welcome.

dr47

comment created time in 2 months

issue comment pyupio/safety

SSL: CERTIFICATE_VERIFY_FAILED

Hi @resmit, I'm not able to replicate this issue. The error suggests 'raw.githubusercontent.com' is serving a wrong certificate, but I think this is unlikely; could you check from your side? The cause of the error could be software blocking the communication with GitHub servers.

resmit

comment created time in 2 months

pull request comment pyupio/safety-db

Fix failing test, related to the introduced $meta

@pawamoy sorry for the long delay in answering. The latest version is published on PyPI; we are working on the automation for future releases, so any monthly update will be published automatically after we finish that feature. Thanks!

SofyaTavrovskaya

comment created time in 2 months

release pyupio/safety-db

2021.7.17

released time in 2 months

created tag pyupio/safety-db

tag 2021.7.17

A curated database of insecure Python packages

created time in 2 months

push event pyupio/safety-db

Yeison Vargas

commit sha cb5844368fdd7defca4e3001992275ddea70febe

Updating to version 2021.7.17

view details

push time in 2 months

push event pyupio/safety-db

Yeison Vargas

commit sha d3222035513257cdf9861df0f129b99f8a82b9b9

Updating to version 2020.7.17

view details

push time in 2 months

push event pyupio/safety-db

Yeison Vargas

commit sha 6138ffcc447a2406e73d8c3bfa4af57d86bbae6e

Updating Development status

view details

push time in 2 months

pull request comment pyupio/safety-db

Fix failing test, related to the introduced $meta

Hi @pawamoy, the deployment was skipped because it isn't a tagged commit. I will address this situation as soon as possible. Thanks.

SofyaTavrovskaya

comment created time in 3 months