SNOW-1234376: Cryptography library requirement is out of date #480

Closed
joshua-pgatour opened this issue Mar 14, 2024 · 2 comments

@joshua-pgatour

The cryptography library requirement of cryptography==36.0.2 is very outdated and causes issues when installed with other modern applications. The current version of cryptography is 42.0.5. This is a security issue also.

@joshua-pgatour joshua-pgatour added bug Something isn't working needs triage labels Mar 14, 2024
@github-actions github-actions bot changed the title Cryptography library requirement is out of date SNOW-1234376: Cryptography library requirement is out of date Mar 14, 2024
@yankov-sdx

cryptography==36.0.2 has CVE-2023-49083, CVE-2023-38325, and CVE-2023-23931 vulnerabilities reported.

@sfc-gh-dszmolka sfc-gh-dszmolka self-assigned this Mar 18, 2024
@sfc-gh-dszmolka sfc-gh-dszmolka added status-triage Issue is under initial triage security vulnerability Security vulnerability detected by WhiteSource and removed needs triage bug Something isn't working labels Mar 18, 2024
@sfc-gh-dszmolka

Hi, and thank you for raising this! It looks like this is coming not from snowflake-sqlalchemy but from one of the dependencies, the Snowflake Python Connector.

We haven't used cryptography v36 since Snowflake Python Connector v2.8.1, and the most current version of the Python Connector depends on the latest v42 of cryptography:

```
# pip install snowflake-sqlalchemy pipdeptree
..gets installed
# pipdeptree -r -p cryptography
cryptography==42.0.5
├── pyOpenSSL==24.1.0 [requires: cryptography>=41.0.5,<43]
│   └── snowflake-connector-python==3.7.1 [requires: pyOpenSSL>=16.2.0,<25.0.0]
│       └── snowflake-sqlalchemy==1.5.1 [requires: snowflake-connector-python<4.0.0]
└── snowflake-connector-python==3.7.1 [requires: cryptography>=3.1.0,<43.0.0]
    └── snowflake-sqlalchemy==1.5.1 [requires: snowflake-connector-python<4.0.0]
```

This should be resolved once you upgrade your snowflake-connector-python dependency to a later one.
Closing this issue, but if you need further help, do comment and we can reopen if necessary.
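
The reverse-dependency check from the comment above, as an added example that is not part of the original thread or of any Snowflake project: it reports which installed dependents carry a pin that rejects a given `cryptography` version. The function names, the `legacy-app` package and the `SAMPLE` data are assumptions made for illustration, and the version handling is simplified to numeric release segments (no `~=` or wildcard support).

```python
import re
from importlib import metadata

OPS = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}

def vtuple(version, width=4):
    """'42.0.5' -> (42, 0, 5, 0). Simplification: numeric release segments only."""
    parts = [int(re.match(r"\d*", p).group() or 0) for p in version.split(".")][:width]
    return tuple(parts + [0] * (width - len(parts)))

def parse_requirement(req):
    """Split a Requires-Dist string into (normalized name, [(op, version), ...])."""
    spec = req.split(";", 1)[0]  # drop environment markers such as extras
    m = re.match(r"\s*([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*\(?([^)]*)\)?", spec)
    if not m:
        return "", []
    name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
    return name, re.findall(r"(==|!=|>=|<=|>|<)\s*([0-9][0-9A-Za-z.]*)", m.group(2))

def blockers(target, requires_by_dist, package="cryptography"):
    """Return [(dist, clause)] for every dependent whose pin rejects `target`."""
    want, found = vtuple(target), []
    for dist, reqs in sorted(requires_by_dist.items()):
        for name, clauses in map(parse_requirement, reqs):
            if name == package:
                found += [(dist, op + ver) for op, ver in clauses
                          if not OPS[op](want, vtuple(ver))]
    return found

def installed_requires():
    """Requires-Dist entries of every distribution in the current environment."""
    return {(d.metadata["Name"] or "unknown"): (d.requires or [])
            for d in metadata.distributions()}

# Constructed sample: the two pins shown in the pipdeptree output above, plus a
# hypothetical "legacy-app" carrying the cryptography==36.0.2 pin from the report.
SAMPLE = {
    "pyOpenSSL": ["cryptography>=41.0.5,<43"],
    "snowflake-connector-python": ["cryptography>=3.1.0,<43.0.0",
                                   "pyOpenSSL>=16.2.0,<25.0.0"],
    "legacy-app": ["cryptography==36.0.2"],
}

if __name__ == "__main__":
    print(blockers("42.0.5", SAMPLE))                # constructed data
    print(blockers("42.0.5", installed_requires()))  # the live environment
```

An empty list from the live call means no installed package prevents moving `cryptography` to the version passed in.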

@sfc-gh-dszmolka sfc-gh-dszmolka added question Issue is a usage/other question rather than a bug status-triage_done Initial triage done, will be further handled by the driver team and removed security vulnerability Security vulnerability detected by WhiteSource status-triage Issue is under initial triage labels Mar 18, 2024