Pip analyzer not showing vulnerabilities #5898

Closed
stevieg27 opened this issue Aug 23, 2023 · 0 comments · Fixed by #5902
Describe the bug
I was testing a Python project using the experimental analyzer which has a requirements.txt file inside it. While testing the cryptography~=1.8.2 library present inside the requirements.txt, the result doesn't show any kind of vulnerabilities, but cryptography==1.8.2 shows three different vulnerabilities dating back to 2020. How can I properly test this scenario using dependency-check to get those valid vulnerabilities?

Version of dependency-check used
CLI version 8.4.0

To Reproduce
Python project folder which contains a requirements.txt file and has the cryptography~=1.8.2 library defined. Then scan using the latest CLI:
./dependency-check.sh -s ./ --enableExperimental

Expected behavior
Since all the versions above 1.9.0 have different vulnerabilities, it should have resulted in showing that. Ref: https://security.snyk.io/package/pip/cryptography/1.9

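The report above hinges on how a scanner turns a PEP 440 compatible-release specifier (`~=`) into a concrete version to look up. As an added example, not code from dependency-check itself, the parser below expands `~=1.8.2` into its lower bound `1.8.2` (and implied `==1.8.*` prefix) so that a `~=` line is queried exactly like a `==` pin instead of being silently skipped; the requirements content and the regex are constructed for illustration.

```python
import re

# Constructed sample requirements file modelled on the issue's report
# (cryptography~=1.8.2 vs cryptography==1.8.2); not from any real project.
SAMPLE_REQUIREMENTS = """\
cryptography~=1.8.2
requests==2.20.0
urllib3>=1.24
# comment line
pyyaml~=5.1
"""

# name, optional comparison operator, optional version (assumed simple grammar)
_LINE_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(~=|==|>=|<=|!=|>|<)?\s*([0-9][0-9A-Za-z.]*)?"
)


def compatible_release_bounds(version):
    """Expand a PEP 440 '~=' operand into (lower bound, upper prefix).

    '~=1.8.2' means '>=1.8.2, ==1.8.*': the lowest version actually allowed
    is 1.8.2, so that is the version a vulnerability lookup must start from.
    """
    parts = version.split(".")
    if len(parts) < 2:
        raise ValueError("~= requires at least two release segments")
    return version, ".".join(parts[:-1]) + ".*"


def lookup_version(line):
    """Return (name, version to query) for one requirements.txt line, or None.

    '==' gives an exact pin and '~=' a concrete lower bound; '>=' and '>' are
    reported with their lower bound as a best effort; upper-bound-only
    operators leave no concrete version to query.
    """
    line = line.split("#", 1)[0].strip()
    m = _LINE_RE.match(line) if line else None
    if not m or not m.group(3):
        return None
    name, op, version = m.group(1).lower(), m.group(2), m.group(3)
    if op == "~=":
        version, _prefix = compatible_release_bounds(version)
    elif op in ("<", "<=", "!="):
        return None
    return name, version


def parse_requirements(text):
    """Map each parseable requirement name to the version that should be checked."""
    found = {}
    for raw in text.splitlines():
        hit = lookup_version(raw)
        if hit:
            found[hit[0]] = hit[1]
    return found
```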

@stevieg27 stevieg27 added the bug label Aug 23, 2023
@aikebah added the nvd and ossindex labels and removed the ossindex and nvd labels Aug 26, 2023
aikebah added a commit that referenced this issue Aug 27, 2023
@aikebah aikebah added this to the 8.4.1 milestone Aug 27, 2023