$ pyraider go
_____ _____ _ _
| __ \ | __ \ (_) | |
| |__) | _| |__) |__ _ _ __| | ___ _ __
| ___/ | | | _ // _` | |/ _` |/ _ \ '__|
| | | |_| | | \ \ (_| | | (_| | __/ |
|_| \__, |_| \_\__,_|_|\__,_|\___|_|
__/ |
|___/
by RaiderSource version 1.0.2
Started Scanning .....
+-----------------+------------------------------------------------------------+
| Package | urllib3 |
+-----------------+------------------------------------------------------------+
| Severity | HIGH |
+-----------------+------------------------------------------------------------+
| CWE | 400 |
+-----------------+------------------------------------------------------------+
| CVE | CVE-2020-7212 |
+-----------------+------------------------------------------------------------+
| Current version | 1.25.9 |
+-----------------+------------------------------------------------------------+
| Update To | Package is up to date |
+-----------------+------------------------------------------------------------+
| Description | The _encode_invalid_chars function in util/url.py in the u |
| | rllib3 library 1.25.2 through 1.25.7 for Python allows a d |
| | enial of service (CPU consumption) because of an inefficie |
| | nt algorithm. The percent_encodings array contains all mat |
| | ches of percent encodings. It is not deduplicated. For a U |
| | RL of length N, the size of percent_encodings may be up to |
| | O(N). The next step (normalize existing percent-encoded b |
| | ytes) also takes up to O(N) for each step, so the total ti |
| | me is O(N^2). If percent_encodings were deduplicated, the |
| | time to compute _encode_invalid_chars would be O(kN), wher |
| | e k is at most 484 ((10+6*2)^2). |
+-----------------+------------------------------------------------------------+
| Resolve | pip install urllib3==1.25.9 |
+-----------------+------------------------------------------------------------+
| More Info | https://nvd.nist.gov/vuln/detail/CVE-2020-7212 |
+-----------------+------------------------------------------------------------+
+-----------------+------------------------------------------------------------+
| Package | safety |
+-----------------+------------------------------------------------------------+
| Severity | LOW |
+-----------------+------------------------------------------------------------+
| CWE | NVD-CWE-noinfo |
+-----------------+------------------------------------------------------------+
| CVE | CVE-2020-5252 |
+-----------------+------------------------------------------------------------+
| Current version | 1.9.0 |
+-----------------+------------------------------------------------------------+
| Update To | Package is up to date |
+-----------------+------------------------------------------------------------+
| Description | The command-line "safety" package for Python has a potenti |
| | al security issue. There are two Python characteristics th |
| | at allow malicious code to “poison-pill” command-line Safe |
| | ty package detection routines by disguising, or obfuscatin |
| | g, other malicious or non-secure packages. This vulnerabil |
| | ity is considered to be of low severity because the attack |
| | makes use of an existing Python condition, not the Safety |
| | tool itself. This can happen if: You are running Safety i |
| | n a Python environment that you don’t trust. You are runni |
| | ng Safety from the same Python environment where you have |
| | your dependencies installed. Dependency packages are being |
| | installed arbitrarily or without proper verification. Use |
| | rs can mitigate this issue by doing any of the following: |
| | Perform a static analysis by installing Docker and running |
| | the Safety Docker image: $ docker run --rm -it pyupio/saf |
| | ety check -r requirements.txt Run Safety against a static |
| | dependencies list, such as the requirements.txt file, in a |
| | separate, clean Python environment. Run Safety from a Con |
| | tinuous Integration pipeline. Use PyUp.io, which runs Safe |
| | ty in a controlled environment and checks Python for depen |
| | dencies without any need to install them. Use PyUp's Onlin |
| | e Requirements Checker. |
+-----------------+------------------------------------------------------------+
| Resolve | pip install safety==1.9.0 |
+-----------------+------------------------------------------------------------+
| More Info | https://nvd.nist.gov/vuln/detail/CVE-2020-5252 |
+-----------------+------------------------------------------------------------+
+-----------------+------------------------------------------------------------+
| Package | pyyaml |
+-----------------+------------------------------------------------------------+
| Severity | HIGH |
+-----------------+------------------------------------------------------------+
| CWE | 20 |
+-----------------+------------------------------------------------------------+
| CVE | CVE-2020-1747 |
+-----------------+------------------------------------------------------------+
| Current version | 5.3.1 |
+-----------------+------------------------------------------------------------+
| Update To | Package is up to date |
+-----------------+------------------------------------------------------------+
| Description | A vulnerability was discovered in the PyYAML library in ve |
| | rsions before 5.3.1, where it is susceptible to arbitrary |
| | code execution when it processes untrusted YAML files thro |
| | ugh the full_load method or with the FullLoader loader. Ap |
| | plications that use the library to process untrusted input |
| | may be vulnerable to this flaw. An attacker could use thi |
| | s flaw to execute arbitrary code on the system by abusing |
| | the python/object/new constructor. |
+-----------------+------------------------------------------------------------+
| Resolve | pip install pyyaml==5.3.1 |
+-----------------+------------------------------------------------------------+
| More Info | https://nvd.nist.gov/vuln/detail/CVE-2020-1747 |
+-----------------+------------------------------------------------------------+
$ pyraider autofix
_____ _____ _ _
| __ \ | __ \ (_) | |
| |__) | _| |__) |__ _ _ __| | ___ _ __
| ___/ | | | _ // _` | |/ _` |/ _ \ '__|
| | | |_| | | \ \ (_| | | (_| | __/ |
|_| \__, |_| \_\__,_|_|\__,_|\___|_|
__/ |
|___/
by RaiderSource version 1.0.2
Are you sure want to update all the packages, It might affect other packages? [Y/n] Y
Collecting gunicorn==20.0.4
Downloading https://files.pythonhosted.org/packages/69/ca/926f7cd3a2014b16870086b2d0fdc84a9e49473c68a8dff8b57f7c156f43/gunicorn-20.0.4-py2.py3-none-any.whl (77kB)
100% |████████████████████████████████| 81kB 1.5MB/s
Requirement already satisfied: setuptools>=3.0 in ./.pyenv/versions/3.7.3/lib/python3.7/site-packages (from gunicorn==20.0.4) (40.8.0)
Installing collected packages: gunicorn
Successfully installed gunicorn-20.0.4
You are using pip version 19.0.3, however version 20.2b1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
0
Without showing the list of packages it is trying to update, pyraider wrongly updated gunicorn, which was not in the `pyraider go` list.