
Vulnerable PyOpenSSL dependency in example code causes Snyk to flag pysaml2 #952

Open
APCBoston opened this issue Feb 29, 2024 · 1 comment


@APCBoston

Summary

pysaml2 does not depend on PyOpenSSL, but some of the examples import PyOpenSSL, and it is likewise mentioned as a dependency in pyproject.toml and poetry.lock. This is a problem because PyOpenSSL is vulnerable to CVE-2023-6129 and CVE-2023-6237. Additionally, the Python Cryptographic Authority strongly recommends against using PyOpenSSL, despite the fact that it is their package.

All of this caused Snyk to wrongly flag pysaml2 as vulnerable to these two CVEs via its use of pyopenssl.

Possible Solution

Suggest migrating the example code to eliminate reliance on pyopenssl. Alternatively, removing this package from the pyproject.toml and poetry.lock may help with security scanners (Snyk at least relies on these manifests) and may be appropriate in light of the fact that pyopenssl is not a true dependency of pysaml2.

@c00kiemon5ter
Member

Thank you for the report. I will try to fix this asap.
