
Making it possible to use cve-bin-tool without Reportlab #1464

Closed
terriko opened this issue Dec 16, 2021 · 2 comments
Labels
security public security-related issues.
Comments

terriko commented Dec 16, 2021

Reportlab has an open CVE. It's a case where an intentional feature could be used to basically put a "web bug" into a pdf -- we avoid this with validation since embedding external resources isn't really a thing cve-bin-tool users are likely to want to do. (And I'm always open to suggestions on improving said validation!)

But since PDF reports are probably not a go-to feature for all users, I'd like to make it easier for people to install reportlab only if they actually want them, especially since not everyone has time to read through the CVE and consider the impacts. Right now, our requirements.txt lists it so it's installed by default.

Things I think we'd need to do to make this work:

  1. Put checks around where the reportlab import statements are, and print a useful warning before they fail
    • e.g. "if you want to use pdf import you will need to install reportlab using pip install reportlab"
  2. Put checks into the test suite so pdf tests fail gracefully if reportlab is not installed
    • e.g. We want them to fail with a message like "reportlab not installed, test cannot be run" instead of a stack trace
  3. Update documentation to explain how to enable pdf export / mention the known CVE and explain the concerns.
  4. Remove reportlab from requirements.txt
  5. Add tests of the reportlab-not-installed functionality
  6. Now is also a great time to revisit our existing validation and make sure the recommended settings are enabled everywhere that we use reportlab.
@terriko terriko added this to the 3.1 milestone Dec 16, 2021
@terriko terriko added the security public security-related issues. label Dec 16, 2021
Molkree commented Dec 23, 2021

This sounds like extras/optional dependencies (same thing, just being called differently). Python.org/setuptools even have exactly this case as an example, PDF functionality that requires reportlab 😄
If we go this route then installation will look like this pip install cve-bin-tool[PDF].
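The import guard and graceful test skip from terriko's checklist (items 1, 2 and 5), combined with the `cve-bin-tool[PDF]` extra Molkree suggests, as an added example that is not cve-bin-tool's own code; the helper names (`load_optional`, `skip_reason`, `MissingOptionalDependency`) and the hint wording are assumptions.

```python
"""Added example, not cve-bin-tool's own code: treat reportlab as a lazily
imported optional dependency so the PDF path fails with an actionable
message instead of a stack trace. Helper names are hypothetical."""
import importlib
import importlib.util
from types import ModuleType
from typing import Optional, Tuple

# Hint shown wherever PDF output is requested but the extra is not installed.
REPORTLAB_HINT = (
    "PDF output requires the optional 'reportlab' package, which is not "
    "installed by default because of a known CVE. Install it with "
    "'pip install reportlab' or 'pip install cve-bin-tool[PDF]'."
)


class MissingOptionalDependency(ImportError):
    """Raised when an optional feature is used but its extra is absent."""


def optional_available(module_name: str) -> bool:
    """Check for the module without importing it (no side effects)."""
    return importlib.util.find_spec(module_name) is not None


def load_optional(module_name: str, hint: str) -> ModuleType:
    """Import on demand; wrap the bare ModuleNotFoundError with the install hint."""
    try:
        return importlib.import_module(module_name)
    except ModuleNotFoundError as exc:
        raise MissingOptionalDependency(hint) from exc


def try_load_optional(module_name: str, hint: str) -> Tuple[Optional[ModuleType], Optional[str]]:
    """Return (module, None) on success, or (None, message) when the extra is missing,
    so callers can print the message instead of letting a traceback escape."""
    try:
        return load_optional(module_name, hint), None
    except MissingOptionalDependency as exc:
        return None, str(exc)


def skip_reason(module_name: str, hint: str) -> Optional[str]:
    """Reason for skipping a test that needs the extra, or None when it can run.
    Intended for: pytest.mark.skipif(skip_reason(...) is not None, reason=...)."""
    if optional_available(module_name):
        return None
    return f"{module_name} not installed, test cannot be run. {hint}"
```

Pair this with `extras_require={"PDF": ["reportlab"]}` in packaging metadata so `pip install cve-bin-tool[PDF]` is the only step that pulls reportlab in.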

terriko commented Dec 27, 2021

Yes, exactly that. I hadn't even looked up the optional dependency stuff yet because I was busy thinking about the code changes we needed first!

anthonyharrison added a commit to anthonyharrison/cve-bin-tool that referenced this issue Dec 28, 2021
anthonyharrison added a commit to anthonyharrison/cve-bin-tool that referenced this issue Dec 29, 2021
anthonyharrison added a commit to anthonyharrison/cve-bin-tool that referenced this issue Dec 29, 2021
XDRAGON2002 pushed a commit to XDRAGON2002/cve-bin-tool that referenced this issue Jan 3, 2022