In developing the Crucible/InstructLab support, I pushed container images to the internal Quay, and was mildly surprised to see warnings about Critical and High severity vulnerabilities from the Quay security scanner.
Many of the Python modules used by the cpt-dashboard are extremely old, and among other things tie us to the current aging Python 3.9 generation -- but Critical and High CVEs are a different matter entirely.
Specifically,
(critical) httpx -- update from 0.18.1 to at least 0.23.0
(high) cryptography -- update from 3.4.8 to at least 42.0.2
(high) fastapi -- update from 0.104.1 to at least 0.109.1
(medium) pydantic -- update from 2.3.0 to at least 2.4.0
(Each of httpx and cryptography shows multiple CVEs, which will all be resolved by the upgrade versions shown here.)
There's an additional "negligible" vulnerability shown in starlette, which will likely be resolved by upgrading fastapi as the dashboard has no direct dependency.
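The issue lists, for each affected package, the version currently pinned and the minimum version that clears the scanner findings. The following script turns that list into a repeatable check a reviewer could run against a requirements file before pushing another image. It is an added example, not code from the cpt-dashboard repository: the MINIMUM_FIXED table is taken from the issue text above, and the sample requirements content is constructed to mirror the reported versions.

```python
"""Flag '==' pins in a requirements file that sit below the minimum versions
the issue names as resolving the Quay-reported CVEs.

Added example, not part of cpt-dashboard. MINIMUM_FIXED comes from the issue;
SAMPLE_REQUIREMENTS is a constructed stand-in for the project's real file.
"""

import re

# Package -> minimum version the issue states resolves the findings.
MINIMUM_FIXED = {
    "httpx": "0.23.0",
    "cryptography": "42.0.2",
    "fastapi": "0.109.1",
    "pydantic": "2.4.0",
}

# Constructed sample: the pinned versions reported in the issue plus a few
# extra lines to show that comments, blanks and non-'==' specifiers are skipped.
SAMPLE_REQUIREMENTS = """\
httpx==0.18.1
cryptography==3.4.8
fastapi==0.104.1
pydantic==2.3.0
starlette==0.27.0  # not pinned below any stated minimum, so not reported
# comments and blank lines are ignored

uvicorn>=0.20
"""

# Matches "name==version" (the only specifier form this check reasons about).
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)")


def version_key(version: str) -> tuple:
    """Turn a release-style version ("42.0.2") into a comparable tuple.

    Numeric segments are padded to four places so "0.23" == "0.23.0". A
    pre-release suffix such as "rc1" marks the key as sorting below the plain
    release, the conservative reading for a minimum-fixed-version check.
    """
    nums = []
    prerelease = 0
    for seg in version.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z].*)?", seg)
        if not m:
            break
        nums.append(int(m.group(1)))
        if m.group(2):
            prerelease = -1
            break
    nums = (nums + [0, 0, 0, 0])[:4]
    return tuple(nums) + (prerelease,)


def parse_pins(requirements: str) -> dict:
    """Return {package: version} for every '==' pin in a requirements text."""
    pins = {}
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def find_outdated(requirements: str, minimums: dict = MINIMUM_FIXED) -> list:
    """Return (package, pinned, minimum) for each pin below its fixed version."""
    pins = parse_pins(requirements)
    outdated = []
    for pkg, minimum in minimums.items():
        pinned = pins.get(pkg)
        if pinned is not None and version_key(pinned) < version_key(minimum):
            outdated.append((pkg, pinned, minimum))
    return outdated


if __name__ == "__main__":
    for pkg, pinned, minimum in find_outdated(SAMPLE_REQUIREMENTS):
        print(f"{pkg}: pinned {pinned}, needs >= {minimum}")
```

Run against the constructed sample it reports all four packages from the issue; once the pins are raised to the stated minimums (or beyond) the list is empty. The version comparison deliberately handles only release segments and a pre-release suffix, which is enough for the versions in the issue; a full PEP 440 comparison would need the `packaging` library.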