vulnerabilities in future 0.18.2

[davis-anthony]

• Nipyapi version: 0.19.1
• NiFi version: N/A
• NiFi-Registry version: N/A
• Python version: N/A
• Operating System: N/A

Description

Vulnerability outlined in CVE-2022-40899. Unfortunately it looks like that project is dead and will likely not be updated. This will need to be dropped as a dependency and use of future refactored to some other component.

What I Did

Including the dependency for nipyapi 0.19.1 in my local project and running it through OWASP results in a failure due to the dependency on future 0.18.2. If I exclude this dependency, I get a build failure with a reference to this CVE:

https://nvd.nist.gov/vuln/detail/CVE-2022-40899

Urgency

This blocks our build pipelines and poses a security risk in our production environment.

[ottobackwards]

It doesn't look to me that future is maintained anymore. Here is the PR to fix it: PythonCharmers/python-future#610.

One option that comes to mind for me would be:

• move future internal to nipyapi, ie move the code into nipyapi as a private package
• patch that
• plan for python3 only with nifi 2.0 release

[Chaffelson]

I see that the patched version of future was created as 0.18.3
We have been testing with it for several releases, but I will explicitly set it as a requirement in the next release.