Reportlab has an open CVE. It's a case where an intentional feature could be used to basically put a "web bug" into a pdf -- we avoid this with validation since embedding external resources isn't really a thing cve-bin-tool users are likely to want to do. (And I'm always open to suggestions on improving said validation!)
But since PDF reports are probably not a go-to feature for all users, I'd like to make it easier for people to install reportlab only if they actually want them, especially since not everyone has time to read through the CVE and consider the impacts. Right now, our requirements.txt lists it so it's installed by default.
Things I think we'd need to do to make this work:
- Put checks around where the reportlab import statements are, and print a useful warning before they fail
  - e.g. "if you want to use pdf import you will need to install reportlab using pip install reportlab"
- Put checks into the test suite so pdf tests fail gracefully if reportlab is not installed
  - e.g. We want them to fail with a message like "reportlab not installed, test cannot be run" instead of a stack trace
- Update documentation to explain how to enable pdf export / mention the known CVE and explain the concerns.
- Remove reportlab from requirements.txt
- Add tests of the reportlab-not-installed functionality
Now is also a great time to revisit our existing validation and make sure the recommended settings are enabled everywhere that we use reportlab.
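One way to implement the guarded import, the graceful test skip and the optional extra described in the issue above (added example, not cve-bin-tool's own code; the extras name `PDF`, the hint text and the helper names are assumptions):

```python
"""Guarded optional dependency handling for PDF export.

Added example (not cve-bin-tool's own code): an import guard that
replaces the stack trace with an install hint, a test-skip helper, and
the extras entry behind `pip install cve-bin-tool[PDF]`.
"""
import importlib
import importlib.util
import unittest

# Assumed extras name, matching the proposed `pip install cve-bin-tool[PDF]`.
EXTRAS_REQUIRE = {"PDF": ["reportlab"]}  # would live in setup.py as extras_require
INSTALL_HINT = (
    "PDF export needs the optional 'reportlab' package: "
    "pip install cve-bin-tool[PDF] (or pip install reportlab). "
    "reportlab has an open CVE; review it before enabling PDF export."
)


class OptionalDependencyError(ImportError):
    """Raised instead of a bare ImportError so the user sees the install hint."""


def reportlab_available(module_name="reportlab"):
    """True if the module is installed; asks the import system without importing it."""
    return importlib.util.find_spec(module_name) is not None


def skip_reason(module_name="reportlab"):
    """Message for skipping a PDF test, or None when the dependency is present."""
    if reportlab_available(module_name):
        return None
    return f"{module_name} not installed, test cannot be run"


def try_load(module_name="reportlab"):
    """Return (module, None) on success or (None, hint) when the import fails."""
    try:
        return importlib.import_module(module_name), None
    except ImportError:
        return None, INSTALL_HINT


def load_reportlab(module_name="reportlab"):
    """Import reportlab at the point of use, replacing the stack trace with a hint."""
    module, error = try_load(module_name)
    if module is None:
        raise OptionalDependencyError(error)
    return module


# Decorator for the test suite: PDF tests are skipped with the message above
# (stdlib unittest here; pytest.mark.skipif takes the same condition and reason).
requires_reportlab = unittest.skipUnless(reportlab_available(), skip_reason() or "")
```

Call `load_reportlab()` inside the PDF export function rather than at module import time, so the rest of the tool keeps working when reportlab is absent.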
This sounds like extras/optional dependencies (same thing, just being called differently). Python.org/setuptools even have exactly this case as an example, PDF functionality that requires reportlab 😄
If we go this route then installation will look like this: pip install cve-bin-tool[PDF].