
SIX new version #374

Open
akrattan opened this issue May 2, 2023 · 4 comments


akrattan commented May 2, 2023

Hello,

We are looking for a new release plan for six. Is there any plan for a release? As far as I can see, the last version is from 2021.

@benjaminp (Owner) commented

Why? There haven't been many changes since 2021.


akrattan commented May 3, 2023

If any unforeseen issue/vulnerability comes up, will a fix be available in the next version?

@benjaminp (Owner) commented

Yes, it's not too hard to make a release.

@racswebdev commented

Hello,
I am getting a code vulnerability finding when I use this library, mainly on the lines below (I am working with the pyawscron and dynamodb-json modules, which install this module). I want to know where you are using the six module (the six.py file) as a dependency, and whether we can remove the six module dependency, as I am getting an AWS Inspector (AWS Cloud) vulnerability finding on the line below.

Title = CWE-77,78,88 - OS command injection
Detector name = OS command injection
Vulnerable line = Line #735 - exec("""exec code in globs, locs""")
and similar lines in different parts of the code.

Refer to this file for the exact line (#735): six.py

I am not sure how exactly I can fix it. My second requirement is that, as I have mostly been dealing with Python 3-related code for a long time now, I don't require Python 2-related things, but I am also not sure whether some applications under the hood are using Python 2; I need to verify that.
I am here to ask if there is a security fix for this or if there is any custom solution.
Please let me know how I can deal with my applications, as I am getting code vulnerability findings.

As I am using the pyawscron and dynamodb-json modules, the six module is installed by default. We are using this in our organizational code, we are getting the vulnerability finding from AWS, and we need to fix it. Still, I don't have any clue about this, and I cannot ignore it, so what options do I have now to deal with this vulnerability? My concern is that if we touch the third-party module files, it can break something else in the code or in a different code file where it has been used. So the question is what options we have; I have also searched for alternative modules but didn't find anything.
Please suggest a WORKAROUND or something I can try to resolve this.

Thanks
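Added example for the question above (it is not code from six, pyawscron, dynamodb-json or AWS Inspector). The line the scanner flags is in six.py's Python 2 branch of the `exec_` helper, where the string handed to `exec` is a fixed literal rather than runtime input, and that branch is not executed on a Python 3 interpreter. What a practitioner can actually act on is the other question in the comment: which installed distributions pull six in, and whether any of them need it only under Python 2. The script below answers that from the metadata every installed wheel ships, using only the standard library. The `SAMPLE_DISTS` requirement lists are constructed for illustration and are not the real metadata of those projects; `report`, `find_dependents` and the other names are this example's own.

```python
"""Find which installed distributions require a given project (here: six).

Example added for the thread above; uses only the standard library.
"""
import re
from importlib import metadata

# Matches the distribution name at the front of a requirement string such as
# "six>=1.12 ; python_version < '3'" or "Six[extra]==1.16".
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")


def normalize(name):
    """PEP 503 normalisation so that 'Six', 'six' and 'SIX' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(requirement):
    """Normalised project name of a requirement string, or None if unparseable."""
    match = _NAME_RE.match(requirement)
    return normalize(match.group(1)) if match else None


def python2_only(requirement):
    """True when the environment marker restricts the requirement to Python 2."""
    if ";" not in requirement:
        return False
    marker = requirement.split(";", 1)[1]
    return re.search(r"python_version\s*<\s*['\"]3", marker) is not None


def find_dependents(target, dists):
    """Map dist_name -> {"requirements": [...], "python2_only": bool} for every
    distribution in ``dists`` (iterable of (name, [requirement strings])) that
    requires ``target``.  python2_only is True only when every matching
    requirement carries a Python-2 marker, i.e. the dependency is dead weight
    on a Python 3 interpreter.
    """
    target = normalize(target)
    found = {}
    for name, requirements in dists:
        hits = [r for r in (requirements or []) if requirement_name(r) == target]
        if hits:
            found[name] = {
                "requirements": hits,
                "python2_only": all(python2_only(r) for r in hits),
            }
    return found


def installed_dists():
    """(name, requirements) pairs for every distribution importlib.metadata sees."""
    for dist in metadata.distributions():
        yield dist.metadata["Name"], dist.requires or []


# Constructed sample metadata for offline use; the requirement lists are
# illustrative and are NOT the real metadata of these projects.
SAMPLE_DISTS = [
    ("pyawscron", ["python-dateutil>=2.8", "six>=1.12"]),
    ("dynamodb-json", ["Six", "simplejson"]),
    ("boto3", ["botocore>=1.29", "jmespath>=0.7"]),
    ("python-dateutil", ["six>=1.5"]),
    ("legacy-tool", ["six ; python_version < '3'"]),
]


def report(target, dists):
    """One summary line per dependent, sorted by distribution name."""
    lines = []
    for name, info in sorted(find_dependents(target, dists).items()):
        tag = "python2-only marker" if info["python2_only"] else "unconditional"
        lines.append(f"{name}: {', '.join(info['requirements'])} [{tag}]")
    return lines


if __name__ == "__main__":
    print("constructed sample:")
    for line in report("six", SAMPLE_DISTS):
        print("  " + line)
    print("this interpreter's installed distributions:")
    for line in report("six", installed_dists()):
        print("  " + line)
```

Run it inside the virtualenv that the scanner examined: every distribution listed with an unconditional requirement will reinstall six the next time the environment is built, so deleting or editing six.py by hand (the workaround the comment worries about) does not remove the finding and may break those packages; the only durable options are getting those upstream projects to drop six or replacing them. A dependent that appears only with a Python-2 marker never needs six on Python 3.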
