Renovate reports security issue that pip-audit doesn't #29055
Replies: 2 comments 4 replies
-
@Churro I debugged this to here: renovate/lib/workers/repository/process/vulnerabilities.ts, lines 324 to 341 in 04f4edb. It seems to return vulnerable=true without checking the fixed version?
-
As promised, I did some in-depth research on this now:
It would be simple now to argue that the advisory is flawed, as the range definition is obsolete and also not accurate. What makes this case interesting is that running
So, summarizing, the OSV evaluation logic in Renovate seems to be correct and compliant with the OSV schema. Potential options I can think of for how to proceed here:
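The comment above turns on how an OSV range is evaluated: under the OSV schema an "introduced" event opens an affected interval, a later "fixed" event closes it (exclusive) and "last_affected" closes it (inclusive), and an "introduced" event that is never closed keeps every later version affected, which is exactly the situation where an evaluator returns vulnerable=true for a version newer than any real fix. The following is an added example written for this page; it is not code from Renovate, pip-audit or the OSV project. It assumes a simplified dotted-integer version ordering (real PyPI ordering needs packaging.version), and the sample ranges are constructed for illustration, not the contents of PYSEC-2021-125.

```python
"""Added example, not code from Renovate, pip-audit or OSV.

Evaluates an OSV affected range against a version using the event semantics
of the OSV schema. Version comparison is a simplified dotted-integer compare
(an assumption here; real PyPI ordering needs packaging.version). The sample
ranges below are constructed and are not the real PYSEC-2021-125 data.
"""
from typing import Optional, Sequence


def parse_version(text: str) -> tuple:
    """Simplified parser: '9.5.1' -> (9, 5, 1). OSV uses '0' for 'from the beginning'."""
    return tuple(int(part) for part in text.split("."))


def affected_intervals(events: Sequence[dict]) -> list:
    """Turn an OSV events list into (start, end, end_inclusive) intervals.

    The OSV schema leaves event sorting to the consumer, so sort by version,
    ordering an "introduced" before a closing event at the same version.
    """
    def sort_key(event: dict):
        kind, value = next(iter(event.items()))
        return (parse_version(value), 0 if kind == "introduced" else 1)

    intervals = []
    start: Optional[tuple] = None
    for event in sorted(events, key=sort_key):
        if "introduced" in event:
            start = parse_version(event["introduced"])
        elif start is not None and "fixed" in event:
            intervals.append((start, parse_version(event["fixed"]), False))
            start = None
        elif start is not None and "last_affected" in event:
            intervals.append((start, parse_version(event["last_affected"]), True))
            start = None
    if start is not None:
        # An "introduced" with no fixed/last_affected after it is open-ended:
        # every later version stays affected, however new it is.
        intervals.append((start, None, False))
    return intervals


def is_affected(version: str, events: Sequence[dict]) -> bool:
    """True if `version` lies inside any affected interval of the range."""
    v = parse_version(version)
    for start, end, inclusive in affected_intervals(events):
        if v < start:
            continue
        if end is None or v < end or (inclusive and v == end):
            return True
    return False


# Constructed sample ranges (illustration only, not the real advisory data).
CLOSED_RANGE = [{"introduced": "0"}, {"fixed": "2.9.24"}]          # fix recorded
OPEN_RANGE = [{"introduced": "0"}]                                # fix never recorded
LAST_AFFECTED_RANGE = [{"introduced": "2.8.0"}, {"last_affected": "2.9.0"}]


def evaluate(version: str) -> dict:
    """Run one version against each sample range to show how the closing event matters."""
    return {
        "closed": is_affected(version, CLOSED_RANGE),
        "open": is_affected(version, OPEN_RANGE),
        "last_affected": is_affected(version, LAST_AFFECTED_RANGE),
    }


if __name__ == "__main__":
    print(evaluate("9.5.1"))
```

With these constructed ranges, 9.5.1 is clear of the closed and last_affected ranges but matches the open range, because no event ever closes the interval that "introduced: 0" opened. A schema-compliant evaluator has to report that as vulnerable; whether the advisory's range should have a fixed event is a data-quality question, not an evaluator bug.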
-
What would you like help with?
I think I found a bug
How are you running Renovate?
Mend Renovate hosted app on github.com
If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.
No response
Please tell us more about your question or problem
Renovate reports two security issues for Python package ansible: mueller-ma/renovate-reproduce#2
I'm using ansible==9.5.1, which shouldn't be affected: https://osv.dev/vulnerability/PYSEC-2021-125
pip-audit doesn't find this issue.
Logs (if relevant)
No response