
CVE-2022-42969 on py dependency of retry package #678

Open

gioccher opened this issue Jan 21, 2025 · 0 comments
Labels
type: bug Issues/PRs addressing a bug.


gioccher commented Jan 21, 2025

The py 1.11.0 library included in this project's dependency graph is affected by CVE-2022-42969, which is a contested CVE and doesn't affect nautobot... but it still shows up in vulnerability scanners.

py is a dependency of retry, which has not received updates since 2016: https://pypi.org/project/retry/#history

pyproject.toml references retry directly:

retry = "^0.9.2"

There's a fork of retry that seems to be an in-place replacement, https://pypi.org/project/retry2/, and removes the py dependency.
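To confirm where a scanner finding like this actually enters the dependency tree, and to check that swapping retry for retry2 really removes py, here is an added Python example (not code from this issue or the nautobot project) that walks installed package metadata for reverse-dependency chains; the SAMPLE graphs are constructed to mirror the chain described above.

```python
# Added example, not code from the nautobot issue or project. SAMPLE graphs
# below are constructed to mirror the issue's chain, not real metadata.
import re
from importlib import metadata

# A requirement looks like "py >=1.4 ; extra == 'test'"; only the leading
# distribution name matters here, normalised the way PyPI does.
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")

def normalise(name):
    return re.sub(r"[-_.]+", "-", name).lower()

def req_name(requirement):
    """Normalised distribution name from a requirement string, or None."""
    m = _NAME_RE.match(requirement)
    return normalise(m.group(1)) if m else None

def installed_graph():
    """{distribution: set(direct deps)} read from the live environment."""
    graph = {}
    for dist in metadata.distributions():
        name = dist.metadata.get("Name") or ""  # tolerate broken installs
        if name:
            deps = {req_name(r) for r in (dist.requires or [])}
            graph[normalise(name)] = {d for d in deps if d}
    return graph

def paths_to(graph, target):
    """Every chain root -> ... -> target (roots: nothing depends on them),
    i.e. who really pulls ``target`` into the tree."""
    target = normalise(target)
    depended_on = {d for deps in graph.values() for d in deps}
    found = []
    def walk(node, path):
        if node == target:
            found.append(path)
            return
        for dep in sorted(graph.get(node, ())):
            if dep not in path:  # guard against dependency cycles
                walk(dep, path + [dep])

    for root in sorted(p for p in graph if p not in depended_on):
        walk(root, [root])
    return found

# Constructed: the issue's chain nautobot -> retry -> py, and the same tree
# after swapping retry for the retry2 fork, which drops py.
SAMPLE = {"nautobot": {"retry", "django"}, "retry": {"py", "decorator"},
          "py": set(), "decorator": set(), "django": set()}
SAMPLE_FIXED = {"nautobot": {"retry2", "django"}, "retry2": {"decorator"},
                "decorator": set(), "django": set()}
```

Run `paths_to(installed_graph(), "py")` inside the project's virtualenv to see the real chains; an empty list after the swap is the evidence a scanner ticket needs.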

@gsnider2195 gsnider2195 added the type: bug Issues/PRs addressing a bug. label Jan 31, 2025