
Known vulnerabilities in shared libraries xerces-c which mikecore depends on. Can you help upgrade to patch versions? #21

@MikeWazoWski123

Hi, @jsmariegaard , @ecomodeller , I'd like to report a vulnerability issue in mikecore_0.2.0.

Dependency Graph between Python and Shared Libraries

[image: dependency graph of mikecore and its shared libraries, not preserved in this copy]

Issue Description

As shown in the above dependency graph, mikecore_0.2.0 directly or transitively depends on 3 C libraries (.so). However, I noticed that one C library is vulnerable, containing the following CVEs:

- libxerces-c-3.1.so from C project xerces-c (version 3.1.1) exposes 2 vulnerabilities: CVE-2018-1311, CVE-2015-0252

Suggested Vulnerability Patch Versions

xerces-c has fixed the vulnerabilities in versions >=3.2.3

Python build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Python projects.
As a popular Python package (mikecore has 2,265 downloads per month), could you please upgrade the above shared libraries to their patch versions?

Thanks for your help~
Best regards,
Andy
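The report's underlying point is that a wheel can ship native shared libraries that no Python dependency scanner sees. The script below is an added example (not mikecore's or xerces-c's own code): it walks a wheel's members, parses the version out of versioned `.so` names, and flags any library below the patched release named in the report. The wheel contents, file paths and the `libother` entry are constructed for illustration; only the xerces-c figures and CVE ids come from the report.

```python
import io
import re
import zipfile

# Minimum patched version per library, with the CVEs the report attributes to older builds.
ADVISORIES = {
    "xerces-c": {"fixed_in": (3, 2, 3), "cves": ["CVE-2018-1311", "CVE-2015-0252"]},
}

# Matches names such as libxerces-c-3.1.so, libxerces-c-3.2.so.3.2.3 or libfoo.so.1.2
SONAME_RE = re.compile(
    r"^lib(?P<name>[A-Za-z][\w-]*?)(?:-(?P<ver>\d+(?:\.\d+)*))?\.so(?:\.(?P<suffix>\d+(?:\.\d+)*))?$"
)

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def classify_library(member_path):
    """Return (library name, version tuple), or None when the member is not a versioned .so."""
    match = SONAME_RE.match(member_path.rsplit("/", 1)[-1])
    if not match:
        return None
    version = match.group("suffix") or match.group("ver")  # prefer the full .so.X.Y.Z suffix
    if version is None:
        return None
    return match.group("name"), parse_version(version)

def audit_wheel(wheel_bytes):
    """Return (path, library, version, fixed_in, cves) for every bundled library below its patch."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as wheel:
        for member in wheel.namelist():
            parsed = classify_library(member)
            if parsed is None:
                continue
            name, version = parsed
            advisory = ADVISORIES.get(name)
            if advisory and version < advisory["fixed_in"]:
                findings.append((member, name, version, advisory["fixed_in"], advisory["cves"]))
    return findings

def build_sample_wheel():
    """Constructed wheel with empty placeholder members; the paths are hypothetical."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as wheel:
        wheel.writestr("mikecore/bin/libxerces-c-3.1.so", b"")        # below the patched release
        wheel.writestr("mikecore/bin/libxerces-c-3.2.so.3.2.3", b"")  # at the patched release
        wheel.writestr("mikecore/bin/libother.so.2.0", b"")           # no advisory on file
        wheel.writestr("mikecore/__init__.py", b"")
    return buf.getvalue()

if __name__ == "__main__":
    for path, name, version, fixed, cves in audit_wheel(build_sample_wheel()):
        dotted = ".".join(map(str, version)), ".".join(map(str, fixed))
        print(f"{path}: {name} {dotted[0]} < {dotted[1]} ({', '.join(cves)})")
```

Against a real wheel, pass the file's bytes to `audit_wheel` and extend `ADVISORIES` with the other bundled libraries from the dependency graph.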
