Safety scan fails for PVE-2024-99889 for "requests" python package with Unhandled exception happened: Invalid specifier: '<.0.13.4' #648

Closed
1 task done
desaintmartin opened this issue Dec 12, 2024 · 3 comments


desaintmartin commented Dec 12, 2024

Checklist

Safety version

3.2.13

Python version

3.12.7

Operating System

macos 15

Describe the problem you'd like to have solved

Since the update of PVE-2024-99889 (https://data.safetycli.com/vulnerabilities/PVE-2024-99889/65531/), it seems the wrong specifier makes safety crash and prevents any scan if the python package requests is defined to be scanned.

Describe the ideal solution

  • fix in PVE-2024-99889
  • fix in safety preventing future crash for future errors in PVE definitions

Alternatives and current workarounds

No response

Additional context

No response

What I Did

Have a requirements.txt with requests==2.32.3
then:

❯ SAFETY_API_KEY=the_key safety scan
Safety 3.2.13 scanning /the/directory
2024-12-12 09:54:53 UTC

Account: API key used
 Git branch: master
 Environment: Stage.development
 Scan policy: local scan policy file

Python detected. Found 1 Python requirement file, 1 Python pyproject.toml file and 1 Python environment
Unhandled exception happened: Invalid specifier: '<.0.13.4'

Hi @desaintmartin, thank you for opening this issue!

We appreciate your effort in reporting this. Our team will review it and get back to you soon.
If you have any additional details or updates, feel free to add them to this issue.

Note: If this is a serious security issue that could impact the security of Safety CLI users, please email [email protected] immediately.

Thank you for contributing to Safety CLI!

@LouisBroekhuijsen

We encounter the same issue, on Linux.

@desaintmartin desaintmartin changed the title Safety scan fails for PVE-2024-99889 with Unhandled exception happened: Invalid specifier: '<.0.13.4' Safety scan fails for PVE-2024-99889 for "requests" python package with Unhandled exception happened: Invalid specifier: '<.0.13.4' Dec 12, 2024
@brawlingthebits (Member)

Thank you for reporting this issue. We identified the root cause - a syntax error in the PVE specification where we incorrectly prefixed the version number with a '.' (resulting in '<.0.13.4'). This malformed version specifier caused the parser to fail when scanning packages.

We apologize for any inconvenience this has caused. The issue has been fixed in our vulnerability database, and we'll implement additional validation checks to prevent similar semantic errors in future PVE definitions.

The fix should now be live. Please try rerunning your scan, and let us know if you encounter any further issues.

Thanks again for bringing this to our attention.

Best regards,
Costa, B.
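The second item in the reporter's wish list (a scanner that survives a bad PVE definition) and the maintainer's root-cause note both come down to the same thing: a single malformed specifier should be quarantined and reported, not allowed to abort the whole scan. The block below is an added example, not Safety's own code or its data format. It uses a small PEP 440-style specifier parser written for this demo (plain `N(.N)*` release numbers only, no pre-release or local segments), a hypothetical `Advisory` record, and constructed advisory ids and ranges that describe no real vulnerability; only the malformed string `'<.0.13.4'` and `requests==2.32.3` are taken from the issue.

```python
import re
from dataclasses import dataclass, field

# Added example, not Safety's own code. It shows how a scanner can keep going
# when one advisory carries a malformed version specifier such as the
# '<.0.13.4' quoted in this issue, instead of aborting the whole scan.

# PEP 440 comparison operators followed by a plain N(.N)* release number.
# Pre-release, post-release and local version segments are out of scope here.
_SPEC_RE = re.compile(r"^(?P<op><=|>=|<|>|==|!=|~=)\s*v?(?P<ver>\d+(?:\.\d+)*)$")


def parse_specifier(spec: str) -> tuple[str, tuple[int, ...]]:
    """Return (operator, version tuple); raise ValueError on malformed input."""
    text = spec.strip()
    m = _SPEC_RE.match(text)
    if m is None:
        raise ValueError(f"Invalid specifier: {text!r}")
    op = m.group("op")
    ver = tuple(int(p) for p in m.group("ver").split("."))
    if op == "~=" and len(ver) < 2:
        raise ValueError(f"Invalid specifier: {text!r} (~= needs two segments)")
    return op, ver


def is_valid_specifier(spec: str) -> bool:
    """Validation check a database pipeline could run before publishing."""
    try:
        parse_specifier(spec)
    except ValueError:
        return False
    return True


def _parse_version(version: str) -> tuple[int, ...]:
    text = version.strip()
    if not re.fullmatch(r"v?\d+(?:\.\d+)*", text):
        raise ValueError(f"Invalid version: {text!r}")
    return tuple(int(p) for p in text.lstrip("v").split("."))


def version_matches(version: str, specifier_set: str) -> bool:
    """True if `version` satisfies every comma-separated clause of the set."""
    v = _parse_version(version)
    for clause in specifier_set.split(","):
        op, target = parse_specifier(clause)
        n = max(len(v), len(target))
        a = v + (0,) * (n - len(v))          # zero-pad so 2.32 == 2.32.0
        b = target + (0,) * (n - len(target))
        ok = {
            "<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b,
            "==": a == b, "!=": a != b,
            # ~=1.3 means >=1.3 and ==1.*
            "~=": a >= b and a[: len(target) - 1] == target[:-1],
        }[op]
        if not ok:
            return False
    return True


@dataclass
class Advisory:               # hypothetical record, not Safety's schema
    advisory_id: str
    package: str
    specifier_sets: list[str]  # package is affected if ANY set matches


@dataclass
class ScanReport:
    affected: list[str] = field(default_factory=list)                  # advisory ids
    skipped: list[tuple[str, str, str]] = field(default_factory=list)  # (id, spec, reason)


def scan(installed: dict[str, str], advisories: list[Advisory]) -> ScanReport:
    """Match installed packages against advisories, quarantining bad specifiers."""
    report = ScanReport()
    for adv in advisories:
        version = installed.get(adv.package.lower())
        if version is None:
            continue
        for spec_set in adv.specifier_sets:
            try:
                hit = version_matches(version, spec_set)
            except ValueError as exc:
                # An uncaught exception here is the failure the issue describes;
                # record the bad definition and keep scanning the rest.
                report.skipped.append((adv.advisory_id, spec_set, str(exc)))
                continue
            if hit:
                report.affected.append(adv.advisory_id)
                break
    return report


# Constructed sample data: ids and ranges are made up for the demo and do not
# describe any real advisory; only '<.0.13.4' and requests 2.32.3 are from the issue.
INSTALLED = {"requests": "2.32.3", "demo-lib": "1.4.2"}
ADVISORIES = [
    Advisory("EXAMPLE-0001", "requests", ["<.0.13.4"]),      # malformed, must be skipped
    Advisory("EXAMPLE-0002", "demo-lib", [">=1.0,<1.5"]),    # well-formed, matches 1.4.2
    Advisory("EXAMPLE-0003", "demo-lib", ["<1.2", "~=1.3"]),  # second set matches
    Advisory("EXAMPLE-0004", "demo-lib", [">1.4.2"]),         # well-formed, no match
]

if __name__ == "__main__":
    r = scan(INSTALLED, ADVISORIES)
    print("affected:", r.affected)
    for adv_id, spec, reason in r.skipped:
        print(f"skipped {adv_id} ({spec}): {reason}")
```

Running the block reports EXAMPLE-0002 and EXAMPLE-0003 as affected and lists EXAMPLE-0001 as skipped with the same `Invalid specifier: '<.0.13.4'` message the scan printed in the issue. The design point is that the skipped list is part of the report rather than a silent drop: a scanner that quietly ignores a bad definition hides coverage gaps, while one that crashes hides every other finding; surfacing the skip (and failing the run in CI if desired) keeps both failure modes visible.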
