
[ADAP-1045] [CT-3413] Vulnerability in cryptography package used in DBT #845

Closed
2 tasks done
DanielMawdsley96 opened this issue Nov 21, 2023 · 4 comments · Fixed by #852, #853, #854, #855 or #856
Labels: High Severity (bug with significant impact that should be resolved in a reasonable timeframe), support

Comments

@DanielMawdsley96

DanielMawdsley96 commented Nov 21, 2023

Is this a new bug in dbt-core?

  • I believe this is a new bug in dbt-core
  • I have searched the existing issues, and I could not find an existing issue for this bug

Current Behavior

Snyk vulnerability found

✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-6050294] in [email protected]

introduced by [email protected] > [email protected] > [email protected] and 1 other path(s)

Expected Behavior

No vulnerability

Steps To Reproduce

Run snyk on GitHub repo containing DBT project

Relevant log output

No response

Environment

- OS: windows 
- Python: 3.11
- dbt: 1.7

Which database adapter are you using with dbt?

snowflake

Additional Context

@mikealfare: We need to pin this in setup.py with a lower bound as it's a transient dependency. It appears bumping snowflake-connector-python may also resolve this, but we need to regression test that change given our surface area on that package, so pinning cryptography directly would be faster for now.

@DanielMawdsley96 DanielMawdsley96 added bug Something isn't working triage labels Nov 21, 2023
@github-actions github-actions bot changed the title Vulnerability in cryptography package used in DBT [CT-3413] Vulnerability in cryptography package used in DBT Nov 21, 2023
@dbeatty10 dbeatty10 transferred this issue from dbt-labs/dbt-core Nov 27, 2023
@github-actions github-actions bot changed the title [CT-3413] Vulnerability in cryptography package used in DBT [ADAP-1045] [CT-3413] Vulnerability in cryptography package used in DBT Nov 27, 2023
@jtcohen6 jtcohen6 removed the triage label Nov 29, 2023
@mikealfare
Contributor

This has been backported and merged, but not yet released. I'm reopening to make sure we confirm this is released.

@mikealfare mikealfare reopened this Nov 30, 2023
@DanMawdsleyBA

I'm still getting the issue. I think there may be an additional update to the snowflake connector, which also uses the cryptography package. Currently it picks up snowflake-connector-python 3.4, but in 3.6 this issue has been fixed.

Issue seems to be in setup.py:

    install_requires=[
        "dbt-core~={}".format(dbt_core_version),
        "snowflake-connector-python[secure-local-storage]~=3.0",
        # installed via dbt-core but referenced directly; don't pin to avoid version conflicts with dbt-core
        "agate",
    ],

@mikealfare
Contributor

> I'm still getting the issue. I think there may be an additional update to the snowflake connector, which also uses the cryptography package. Currently it picks up snowflake-connector-python 3.4, but in 3.6 this issue has been fixed.
>
> Issue seems to be in setup.py:
>
>     install_requires=[
>         "dbt-core~={}".format(dbt_core_version),
>         "snowflake-connector-python[secure-local-storage]~=3.0",
>         # installed via dbt-core but referenced directly; don't pin to avoid version conflicts with dbt-core
>         "agate",
>     ],

Ah, yes, it looks like only the dev requirements were fixed. I didn't realize it was a transient dependency as well. Thanks for the catch!

@VersusFacit
Contributor

Well today I learned we have multiple install channels to manage for the repo 😬
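As an added example (not code from the dbt-snowflake repository or from anyone in this thread): a small checker for the situation discussed in the two comments above, showing that the `~=3.0` specifier on snowflake-connector-python still admits 3.4, that `cryptography` has no direct constraint in the original `install_requires`, and that a resolved environment can be tested against a corrected list carrying a lower bound. The `1.7` value substituted for `dbt_core_version`, the `CRYPTOGRAPHY_FLOOR` placeholder and the resolved-version dictionaries are constructed assumptions; only dotted release versions (no pre-release suffixes) and the operators `==`, `>=`, `<=`, `<`, `>` and `~=` are handled.

```python
import re
from importlib import metadata

# Constructed placeholder: substitute the fixed cryptography version the advisory names.
CRYPTOGRAPHY_FLOOR = "99.0.0"

_REQ = re.compile(r"^([A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*(.*)$")  # name[extras] clauses
_CLAUSE = re.compile(r"^(~=|==|>=|<=|<|>)\s*([\d.]+)$")

def _split(req):
    """'pkg[extra]>=1,<2' -> ('pkg', ['>=1', '<2']); a bare name yields no clauses."""
    name, spec = _REQ.match(req.strip()).groups()
    return name.lower(), [c.strip() for c in spec.split(",") if c.strip()]

def _ver(text, width):
    """Dotted release string -> integer tuple, zero-padded so tuples compare sanely."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def satisfies(version, clause):
    """True if `version` meets one PEP 440-style clause such as '~=3.0' or '>=1.2.3'."""
    op, want = _CLAUSE.match(clause).groups()
    width = max(len(version.split(".")), len(want.split(".")))
    have, need = _ver(version, width), _ver(want, width)
    if op == "~=":
        # Compatible release: ~=3.0 means >=3.0,<4 and ~=3.4.1 means >=3.4.1,<3.5.
        n = len(want.split(".")) - 1
        upper = need[:n - 1] + (need[n - 1] + 1,)
        return have >= need and have[:n] < upper
    return {"==": have == need, ">=": have >= need, "<=": have <= need,
            "<": have < need, ">": have > need}[op]

def constraints_for(install_requires, package):
    """Clauses install_requires places directly on `package` ([] if it is only transitive)."""
    return next((cl for n, cl in map(_split, install_requires) if n == package.lower()), [])

def violations(install_requires, resolved):
    """(package, version, clauses) for every direct constraint the resolved versions fail."""
    return [(n, resolved[n], cl) for n, cl in map(_split, install_requires)
            if n in resolved and not all(satisfies(resolved[n], c) for c in cl)]

# Constructed from the setup.py quoted above, with dbt_core_version assumed to be 1.7.
BEFORE = ["dbt-core~=1.7", "snowflake-connector-python[secure-local-storage]~=3.0", "agate"]
# Corrected list: the transitive dependency gets an explicit lower bound.
AFTER = BEFORE + ["cryptography>=" + CRYPTOGRAPHY_FLOOR]

if __name__ == "__main__":
    # Check the running interpreter's installed distributions against the corrected list.
    installed = {d.metadata["Name"].lower(): d.version for d in metadata.distributions()}
    print(violations(AFTER, installed))
```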

@martynydbt martynydbt added the High Severity bug with significant impact that should be resolved in a reasonable timeframe label Feb 3, 2024
@martynydbt martynydbt removed the bug Something isn't working label Feb 26, 2024