Add files via upload by jmagee70 · Pull Request #12 · JMageeOrg/badCode

jmagee70 · 2024-11-08T09:05:26Z

No description provided.

prisma-cloud-devsecops

Prisma Cloud has found errors in this PR ⬇️

prisma-cloud-devsecops · 2024-11-08T09:06:46Z

requirements.txt

+requests>=2.18
+
+# progress bars in data cleaning scripts
+tqdm>=4.19


tqdm 4.19 / requirements.txt

Total vulnerabilities: 1

Critical: 0 High: 0 Medium: 0 Low: 1

Vulnerability ID Severity CVSS Fixed in Status

CVE-2024-34062 LOW 3.9 4.66.3 Open

prisma-cloud-devsecops · 2024-11-08T09:06:46Z

requirements.txt

+matplotlib==2.2.3
+
+# Used for downloading datasets over HTTP
+requests>=2.18


requests 2.18 / requirements.txt

Total vulnerabilities: 3

Critical: 0 High: 1 Medium: 2 Low: 0

Vulnerability ID Severity CVSS Fixed in Status

CVE-2018-18074 HIGH 7.5 2.20.0 Open

CVE-2023-32681 MEDIUM 6.1 2.31.0 Open

CVE-2024-35195 MEDIUM 5.6 2.32.0 Open

prisma-cloud-devsecops · 2024-11-08T09:06:47Z

requirements.txt

+lightning==2.2.1
+tensorflow-cpu==2.10.0
+tensorflow-gpu==2.10.0
+langchain==0.0.350


langchain 0.0.350 / requirements.txt

Total vulnerabilities: 4

Critical: 0 High: 0 Medium: 2 Low: 2

Vulnerability ID Severity CVSS Fixed in Status

CVE-2024-2965 MEDIUM 4.2 0.2.5 Open

CVE-2024-3571 MEDIUM 6.5 0.0.353 Open

CVE-2024-8309 LOW 4.9 0.2.0 Open

CVE-2024-0243 LOW 3.7 0.1.0 Open

prisma-cloud-devsecops · 2024-11-08T09:06:47Z

requirements.txt

+
+lightning==2.2.1
+tensorflow-cpu==2.10.0
+tensorflow-gpu==2.10.0


tensorflow-gpu 2.10.0 / requirements.txt

Total vulnerabilities: 48

Critical: 6 High: 39 Medium: 1 Low: 2

Vulnerability ID Severity CVSS Fixed in Status

CVE-2022-41880 CRITICAL 9.1 2.10.1 Open

CVE-2022-41900 CRITICAL 9.8 2.10.1 Open

CVE-2022-41902 CRITICAL 9.1 2.10.1 Open

CVE-2022-41910 CRITICAL 9.1 2.10.1 Open

CVE-2023-25664 CRITICAL 9.8 2.12.0 Open

CVE-2023-25668 CRITICAL 9.8 2.12.0 Open

CVE-2023-33976 HIGH 7.5 2.13.0 Open

CVE-2022-41883 HIGH 7.5 2.10.1 Open

CVE-2022-41884 HIGH 7.5 2.10.1 Open

CVE-2022-41886 HIGH 7.5 2.10.1 Open

CVE-2022-41887 HIGH 7.5 2.10.1 Open

CVE-2022-41888 HIGH 7.5 2.10.1 Open

CVE-2022-41889 HIGH 7.5 2.10.1 Open

CVE-2022-41890 HIGH 7.5 2.10.1 Open

CVE-2022-41891 HIGH 7.5 2.10.1 Open

CVE-2022-41893 HIGH 7.5 2.10.1 Open

CVE-2022-41894 HIGH 8.1 2.10.1 Open

CVE-2022-41895 HIGH 7.5 2.10.1 Open

CVE-2022-41896 HIGH 7.5 2.10.1 Open

CVE-2022-41897 HIGH 7.5 2.10.1 Open

CVE-2022-41898 HIGH 7.5 2.10.1 Open

CVE-2022-41899 HIGH 7.5 2.10.1 Open

CVE-2022-41901 HIGH 7.5 2.10.1 Open

CVE-2022-41907 HIGH 7.5 2.10.1 Open

CVE-2022-41908 HIGH 7.5 2.10.1 Open

CVE-2022-41909 HIGH 7.5 2.10.1 Open

CVE-2022-41911 HIGH 7.5 2.10.1 Open

CVE-2023-25658 HIGH 7.5 2.12.0 Open

CVE-2023-25659 HIGH 7.5 2.12.0 Open

CVE-2023-25660 HIGH 7.5 2.12.0 Open

CVE-2023-25662 HIGH 7.5 2.12.0 Open

CVE-2023-25663 HIGH 7.5 2.12.0 Open

CVE-2023-25665 HIGH 7.5 2.12.0 Open

CVE-2023-25666 HIGH 7.5 2.12.0 Open

CVE-2023-25667 HIGH 7.5 2.12.0 Open

CVE-2023-25669 HIGH 7.5 2.12.0 Open

CVE-2023-25670 HIGH 7.5 2.12.0 Open

CVE-2023-25671 HIGH 7.5 2.12.0 Open

CVE-2023-25672 HIGH 7.5 2.12.0 Open

CVE-2023-25673 HIGH 7.5 2.12.0 Open

CVE-2023-25674 HIGH 7.5 2.12.0 Open

CVE-2023-25675 HIGH 7.5 2.12.0 Open

CVE-2023-25676 HIGH 7.5 2.12.0 Open

CVE-2023-25801 HIGH 7.8 2.12.0 Open

CVE-2023-27579 HIGH 7.5 2.12.0 Open

CVE-2023-25661 MEDIUM 6.5 2.11.1 Open

GHSA-cqvq-fvhr-v6hc LOW 1 2.10.1 Open

GHSA-xf83-q765-xm6m LOW 1 2.10.1 Open

prisma-cloud-devsecops · 2024-11-08T09:06:47Z

requirements.txt

+sqlparse==0.2.4
+
+lightning==2.2.1
+tensorflow-cpu==2.10.0


tensorflow-cpu 2.10.0 / requirements.txt

Total vulnerabilities: 48

Critical: 6 High: 39 Medium: 1 Low: 2

Vulnerability ID Severity CVSS Fixed in Status

CVE-2022-41880 CRITICAL 9.1 2.10.1 Open

CVE-2022-41900 CRITICAL 9.8 2.10.1 Open

CVE-2022-41902 CRITICAL 9.1 2.10.1 Open

CVE-2022-41910 CRITICAL 9.1 2.10.1 Open

CVE-2023-25664 CRITICAL 9.8 2.12.0 Open

CVE-2023-25668 CRITICAL 9.8 2.12.0 Open

CVE-2023-33976 HIGH 7.5 2.13.0 Open

CVE-2022-41883 HIGH 7.5 2.10.1 Open

CVE-2022-41884 HIGH 7.5 2.10.1 Open

CVE-2022-41886 HIGH 7.5 2.10.1 Open

CVE-2022-41887 HIGH 7.5 2.10.1 Open

CVE-2022-41888 HIGH 7.5 2.10.1 Open

CVE-2022-41889 HIGH 7.5 2.10.1 Open

CVE-2022-41890 HIGH 7.5 2.10.1 Open

CVE-2022-41891 HIGH 7.5 2.10.1 Open

CVE-2022-41893 HIGH 7.5 2.10.1 Open

CVE-2022-41894 HIGH 8.1 2.10.1 Open

CVE-2022-41895 HIGH 7.5 2.10.1 Open

CVE-2022-41896 HIGH 7.5 2.10.1 Open

CVE-2022-41897 HIGH 7.5 2.10.1 Open

CVE-2022-41898 HIGH 7.5 2.10.1 Open

CVE-2022-41899 HIGH 7.5 2.10.1 Open

CVE-2022-41901 HIGH 7.5 2.10.1 Open

CVE-2022-41907 HIGH 7.5 2.10.1 Open

CVE-2022-41908 HIGH 7.5 2.10.1 Open

CVE-2022-41909 HIGH 7.5 2.10.1 Open

CVE-2022-41911 HIGH 7.5 2.10.1 Open

CVE-2023-25658 HIGH 7.5 2.12.0 Open

CVE-2023-25659 HIGH 7.5 2.12.0 Open

CVE-2023-25660 HIGH 7.5 2.12.0 Open

CVE-2023-25662 HIGH 7.5 2.12.0 Open

CVE-2023-25663 HIGH 7.5 2.12.0 Open

CVE-2023-25665 HIGH 7.5 2.12.0 Open

CVE-2023-25666 HIGH 7.5 2.12.0 Open

CVE-2023-25667 HIGH 7.5 2.12.0 Open

CVE-2023-25669 HIGH 7.5 2.12.0 Open

CVE-2023-25670 HIGH 7.5 2.12.0 Open

CVE-2023-25671 HIGH 7.5 2.12.0 Open

CVE-2023-25672 HIGH 7.5 2.12.0 Open

CVE-2023-25673 HIGH 7.5 2.12.0 Open

CVE-2023-25674 HIGH 7.5 2.12.0 Open

CVE-2023-25675 HIGH 7.5 2.12.0 Open

CVE-2023-25676 HIGH 7.5 2.12.0 Open

CVE-2023-25801 HIGH 7.8 2.12.0 Open

CVE-2023-27579 HIGH 7.5 2.12.0 Open

CVE-2023-25661 MEDIUM 6.5 2.11.1 Open

GHSA-cqvq-fvhr-v6hc LOW 1 2.10.1 Open

GHSA-xf83-q765-xm6m LOW 1 2.10.1 Open

prisma-cloud-devsecops · 2024-11-08T09:06:47Z

requirements.txt

+
+# REST interface for models
+flask==0.12.4
+flask-cors==3.0.3


flask-cors 3.0.3 / requirements.txt

Total vulnerabilities: 3

Critical: 0 High: 2 Medium: 1 Low: 0

Vulnerability ID Severity CVSS Fixed in Status

CVE-2024-6221 HIGH 7.5 4.0.2 Open

CVE-2020-25032 HIGH 7.5 3.0.9 Open

CVE-2024-1681 MEDIUM 5.3 4.0.1 Open

prisma-cloud-devsecops · 2024-11-08T09:06:48Z

requirements.txt

+# REST interface for models
+flask==0.12.4
+flask-cors==3.0.3
+gevent==1.3.6


gevent 1.3.6 / requirements.txt

Total vulnerabilities: 1

Critical: 1 High: 0 Medium: 0 Low: 0

Vulnerability ID Severity CVSS Fixed in Status

CVE-2023-41419 CRITICAL 9.8 23.9.0 Open

prisma-cloud-devsecops · 2024-11-08T09:06:48Z

test.py

@@ -0,0 +1,3 @@
+import torch
+
+torch.hub.download_url_to_file("https://example.com", "/tmp/unsafe", hash_prefix=None)


Missing hash check in PyTorch
File: test.py | Checkov ID: CKV3_SAST_194

How To Fix

import torch

Downloading a file with hash verification

torch.hub.download_url_to_file('https://example.com/model.pth', 'model.pth', hash_prefix='1234567890abcdef')

Loading a model state dictionary with hash check

state_dict = torch.hub.load_state_dict_from_url('https://example.com/model.pth', check_hash=True)

Loading a model using model_zoo with hash check

model = torch.utils.model_zoo.load_url('https://example.com/model.pth', check_hash=True)

Description

CWE: CWE-347: Improper Verification of Cryptographic Signature
OWASP: A02:2021-Cryptographic Failures

This policy detects whether PyTorch functions are used to load remote files without hash verification. Downloading untrusted files without validating their hashes exposes applications to security risks, such as executing malicious code. Using the hash_prefix or check_hash arguments is crucial to ensure the integrity of downloaded files.

In this example, files are downloaded and loaded without any hash verification, exposing the application to potential security risks.

Python import torch # Downloading a file without hash verification torch.hub.download_url_to_file('https://example.com/model.pth', 'model.pth') # Loading a model state dictionary without hash check state_dict = torch.hub.load_state_dict_from_url('https://example.com/model.pth') # Loading a model using model_zoo without hash check model = torch.utils.model_zoo.load_url('https://example.com/model.pth')

prisma-cloud-devsecops · 2024-11-08T09:06:48Z

example2.py

@@ -0,0 +1,5 @@
+from huggingface_hub import hf_hub_download
+
+hf_hub_download("MIT/ast-finetuned-audioset-10-10-0.4593")


Download of Machine Learning Model Without Integrity Check
File: example2.py | Checkov ID: CKV3_SAST_99

How To Fix

from huggingface_hub import hf_hub_download

model = hf_hub_download("some_model", revision="specific_commit")

Description

CWE: CWE-494: Download of Code Without Integrity Check
OWASP: A08:2021-Software and Data Integrity Failures

This SAST policy identifies instances where machine learning models are downloaded without specifying a specific revision, which could lead to the use of untrusted or tampered models.

Vulnerable code example:

python from huggingface_hub import hf_hub_download model = hf_hub_download("some_model")

In the above example, the hf_hub_download function is used without specifying the revision parameter, which means the model can be updated or tampered with without verification.

prisma-cloud-devsecops · 2024-11-08T09:06:48Z

example2.py

+
+hf_hub_download("MIT/ast-finetuned-audioset-10-10-0.4593")
+
+hf_hub_download("MIT/ast-finetuned-audioset-10-10-0.4593", revision=None)


Download of Machine Learning Model Without Integrity Check
File: example2.py | Checkov ID: CKV3_SAST_99

How To Fix

from huggingface_hub import hf_hub_download

model = hf_hub_download("some_model", revision="specific_commit")

Description

CWE: CWE-494: Download of Code Without Integrity Check
OWASP: A08:2021-Software and Data Integrity Failures

This SAST policy identifies instances where machine learning models are downloaded without specifying a specific revision, which could lead to the use of untrusted or tampered models.

Vulnerable code example:

python from huggingface_hub import hf_hub_download model = hf_hub_download("some_model")

In the above example, the hf_hub_download function is used without specifying the revision parameter, which means the model can be updated or tampered with without verification.

prisma-cloud-devsecops

Prisma Cloud has found errors in this PR ⬇️

prisma-cloud-devsecops · 2024-11-08T09:07:19Z

requirements.txt

+
+lightning==2.2.1
+tensorflow-cpu==2.10.0
+tensorflow-gpu==2.10.0


tensorflow-gpu 2.10.0 / requirements.txt

Total vulnerabilities: 48

Critical: 6 High: 39 Medium: 1 Low: 2

Vulnerability ID Severity CVSS Fixed in Status

CVE-2022-41880 CRITICAL 9.1 2.10.1 Open

CVE-2022-41900 CRITICAL 9.8 2.10.1 Open

CVE-2022-41902 CRITICAL 9.1 2.10.1 Open

CVE-2022-41910 CRITICAL 9.1 2.10.1 Open

CVE-2023-25664 CRITICAL 9.8 2.12.0 Open

CVE-2023-25668 CRITICAL 9.8 2.12.0 Open

CVE-2023-33976 HIGH 7.5 2.13.0 Open

CVE-2022-41883 HIGH 7.5 2.10.1 Open

CVE-2022-41884 HIGH 7.5 2.10.1 Open

CVE-2022-41886 HIGH 7.5 2.10.1 Open

CVE-2022-41887 HIGH 7.5 2.10.1 Open

CVE-2022-41888 HIGH 7.5 2.10.1 Open

CVE-2022-41889 HIGH 7.5 2.10.1 Open

CVE-2022-41890 HIGH 7.5 2.10.1 Open

CVE-2022-41891 HIGH 7.5 2.10.1 Open

CVE-2022-41893 HIGH 7.5 2.10.1 Open

CVE-2022-41894 HIGH 8.1 2.10.1 Open

CVE-2022-41895 HIGH 7.5 2.10.1 Open

CVE-2022-41896 HIGH 7.5 2.10.1 Open

CVE-2022-41897 HIGH 7.5 2.10.1 Open

CVE-2022-41898 HIGH 7.5 2.10.1 Open

CVE-2022-41899 HIGH 7.5 2.10.1 Open

CVE-2022-41901 HIGH 7.5 2.10.1 Open

CVE-2022-41907 HIGH 7.5 2.10.1 Open

CVE-2022-41908 HIGH 7.5 2.10.1 Open

CVE-2022-41909 HIGH 7.5 2.10.1 Open

CVE-2022-41911 HIGH 7.5 2.10.1 Open

CVE-2023-25658 HIGH 7.5 2.12.0 Open

CVE-2023-25659 HIGH 7.5 2.12.0 Open

CVE-2023-25660 HIGH 7.5 2.12.0 Open

CVE-2023-25662 HIGH 7.5 2.12.0 Open

CVE-2023-25663 HIGH 7.5 2.12.0 Open

CVE-2023-25665 HIGH 7.5 2.12.0 Open

CVE-2023-25666 HIGH 7.5 2.12.0 Open

CVE-2023-25667 HIGH 7.5 2.12.0 Open

CVE-2023-25669 HIGH 7.5 2.12.0 Open

CVE-2023-25670 HIGH 7.5 2.12.0 Open

CVE-2023-25671 HIGH 7.5 2.12.0 Open

CVE-2023-25672 HIGH 7.5 2.12.0 Open

CVE-2023-25673 HIGH 7.5 2.12.0 Open

CVE-2023-25674 HIGH 7.5 2.12.0 Open

CVE-2023-25675 HIGH 7.5 2.12.0 Open

CVE-2023-25676 HIGH 7.5 2.12.0 Open

CVE-2023-25801 HIGH 7.8 2.12.0 Open

CVE-2023-27579 HIGH 7.5 2.12.0 Open

CVE-2023-25661 MEDIUM 6.5 2.11.1 Open

GHSA-cqvq-fvhr-v6hc LOW 1 2.10.1 Open

GHSA-xf83-q765-xm6m LOW 1 2.10.1 Open

prisma-cloud-devsecops · 2024-11-08T09:07:20Z

requirements.txt

+
+# REST interface for models
+flask==0.12.4
+flask-cors==3.0.3


flask-cors 3.0.3 / requirements.txt

Total vulnerabilities: 3

Critical: 0 High: 2 Medium: 1 Low: 0

Vulnerability ID Severity CVSS Fixed in Status

CVE-2024-6221 HIGH 7.5 4.0.2 Open

CVE-2020-25032 HIGH 7.5 3.0.9 Open

CVE-2024-1681 MEDIUM 5.3 4.0.1 Open

prisma-cloud-devsecops · 2024-11-08T09:07:20Z

requirements.txt

+parsimonious==0.8.0
+
+# Used by semantic parsing code to format and postprocess SQL
+sqlparse==0.2.4


sqlparse 0.2.4 / requirements.txt

Total vulnerabilities: 2

Critical: 0 High: 2 Medium: 0 Low: 0

Vulnerability ID Severity CVSS Fixed in Status

CVE-2023-30608 HIGH 7.5 0.4.4 Open

CVE-2024-4340 HIGH 7.5 0.5.0 Open

prisma-cloud-devsecops · 2024-11-08T09:07:20Z

requirements.txt

+requests>=2.18
+
+# progress bars in data cleaning scripts
+tqdm>=4.19


tqdm 4.19 / requirements.txt

Total vulnerabilities: 1

Critical: 0 High: 0 Medium: 0 Low: 1

Vulnerability ID Severity CVSS Fixed in Status

CVE-2024-34062 LOW 3.9 4.66.3 Open

prisma-cloud-devsecops · 2024-11-08T09:07:20Z

requirements.txt

+lightning==2.2.1
+tensorflow-cpu==2.10.0
+tensorflow-gpu==2.10.0
+langchain==0.0.350


langchain 0.0.350 / requirements.txt

Total vulnerabilities: 4

Critical: 0 High: 0 Medium: 2 Low: 2

Vulnerability ID Severity CVSS Fixed in Status

CVE-2024-2965 MEDIUM 4.2 0.2.5 Open

CVE-2024-3571 MEDIUM 6.5 0.0.353 Open

CVE-2024-8309 LOW 4.9 0.2.0 Open

CVE-2024-0243 LOW 3.7 0.1.0 Open

prisma-cloud-devsecops · 2024-11-08T09:07:21Z

requirements.txt

+sqlparse==0.2.4
+
+lightning==2.2.1
+tensorflow-cpu==2.10.0


tensorflow-cpu 2.10.0 / requirements.txt

Total vulnerabilities: 48

Critical: 6 High: 39 Medium: 1 Low: 2

Vulnerability ID Severity CVSS Fixed in Status

CVE-2022-41880 CRITICAL 9.1 2.10.1 Open

CVE-2022-41900 CRITICAL 9.8 2.10.1 Open

CVE-2022-41902 CRITICAL 9.1 2.10.1 Open

CVE-2022-41910 CRITICAL 9.1 2.10.1 Open

CVE-2023-25664 CRITICAL 9.8 2.12.0 Open

CVE-2023-25668 CRITICAL 9.8 2.12.0 Open

CVE-2023-33976 HIGH 7.5 2.13.0 Open

CVE-2022-41883 HIGH 7.5 2.10.1 Open

CVE-2022-41884 HIGH 7.5 2.10.1 Open

CVE-2022-41886 HIGH 7.5 2.10.1 Open

CVE-2022-41887 HIGH 7.5 2.10.1 Open

CVE-2022-41888 HIGH 7.5 2.10.1 Open

CVE-2022-41889 HIGH 7.5 2.10.1 Open

CVE-2022-41890 HIGH 7.5 2.10.1 Open

CVE-2022-41891 HIGH 7.5 2.10.1 Open

CVE-2022-41893 HIGH 7.5 2.10.1 Open

CVE-2022-41894 HIGH 8.1 2.10.1 Open

CVE-2022-41895 HIGH 7.5 2.10.1 Open

CVE-2022-41896 HIGH 7.5 2.10.1 Open

CVE-2022-41897 HIGH 7.5 2.10.1 Open

CVE-2022-41898 HIGH 7.5 2.10.1 Open

CVE-2022-41899 HIGH 7.5 2.10.1 Open

CVE-2022-41901 HIGH 7.5 2.10.1 Open

CVE-2022-41907 HIGH 7.5 2.10.1 Open

CVE-2022-41908 HIGH 7.5 2.10.1 Open

CVE-2022-41909 HIGH 7.5 2.10.1 Open

CVE-2022-41911 HIGH 7.5 2.10.1 Open

CVE-2023-25658 HIGH 7.5 2.12.0 Open

CVE-2023-25659 HIGH 7.5 2.12.0 Open

CVE-2023-25660 HIGH 7.5 2.12.0 Open

CVE-2023-25662 HIGH 7.5 2.12.0 Open

CVE-2023-25663 HIGH 7.5 2.12.0 Open

CVE-2023-25665 HIGH 7.5 2.12.0 Open

CVE-2023-25666 HIGH 7.5 2.12.0 Open

CVE-2023-25667 HIGH 7.5 2.12.0 Open

CVE-2023-25669 HIGH 7.5 2.12.0 Open

CVE-2023-25670 HIGH 7.5 2.12.0 Open

CVE-2023-25671 HIGH 7.5 2.12.0 Open

CVE-2023-25672 HIGH 7.5 2.12.0 Open

CVE-2023-25673 HIGH 7.5 2.12.0 Open

CVE-2023-25674 HIGH 7.5 2.12.0 Open

CVE-2023-25675 HIGH 7.5 2.12.0 Open

CVE-2023-25676 HIGH 7.5 2.12.0 Open

CVE-2023-25801 HIGH 7.8 2.12.0 Open

CVE-2023-27579 HIGH 7.5 2.12.0 Open

CVE-2023-25661 MEDIUM 6.5 2.11.1 Open

GHSA-cqvq-fvhr-v6hc LOW 1 2.10.1 Open

GHSA-xf83-q765-xm6m LOW 1 2.10.1 Open

prisma-cloud-devsecops · 2024-11-08T09:07:21Z

requirements.txt

@@ -0,0 +1,138 @@
+torch==0.4.1


pysummarization 1.1.9 / requirements.txt

Strong Copyleft Licenses (GPL-2.0)

Strong Copyleft Licenses

prisma-cloud-devsecops · 2024-11-08T09:07:21Z

test.py

@@ -0,0 +1,3 @@
+import torch
+
+torch.hub.download_url_to_file("https://example.com", "/tmp/unsafe", hash_prefix=None)


Missing hash check in PyTorch
File: test.py | Checkov ID: CKV3_SAST_194

How To Fix

import torch

Downloading a file with hash verification

torch.hub.download_url_to_file('https://example.com/model.pth', 'model.pth', hash_prefix='1234567890abcdef')

Loading a model state dictionary with hash check

state_dict = torch.hub.load_state_dict_from_url('https://example.com/model.pth', check_hash=True)

Loading a model using model_zoo with hash check

model = torch.utils.model_zoo.load_url('https://example.com/model.pth', check_hash=True)

Description

CWE: CWE-347: Improper Verification of Cryptographic Signature
OWASP: A02:2021-Cryptographic Failures

This policy detects whether PyTorch functions are used to load remote files without hash verification. Downloading untrusted files without validating their hashes exposes applications to security risks, such as executing malicious code. Using the hash_prefix or check_hash arguments is crucial to ensure the integrity of downloaded files.

In this example, files are downloaded and loaded without any hash verification, exposing the application to potential security risks.

Python import torch # Downloading a file without hash verification torch.hub.download_url_to_file('https://example.com/model.pth', 'model.pth') # Loading a model state dictionary without hash check state_dict = torch.hub.load_state_dict_from_url('https://example.com/model.pth') # Loading a model using model_zoo without hash check model = torch.utils.model_zoo.load_url('https://example.com/model.pth')

prisma-cloud-devsecops · 2024-11-08T09:07:21Z

example2.py

@@ -0,0 +1,5 @@
+from huggingface_hub import hf_hub_download
+
+hf_hub_download("MIT/ast-finetuned-audioset-10-10-0.4593")


Download of Machine Learning Model Without Integrity Check
File: example2.py | Checkov ID: CKV3_SAST_99

How To Fix

from huggingface_hub import hf_hub_download

model = hf_hub_download("some_model", revision="specific_commit")

Description

CWE: CWE-494: Download of Code Without Integrity Check
OWASP: A08:2021-Software and Data Integrity Failures

This SAST policy identifies instances where machine learning models are downloaded without specifying a specific revision, which could lead to the use of untrusted or tampered models.

Vulnerable code example:

python from huggingface_hub import hf_hub_download model = hf_hub_download("some_model")

In the above example, the hf_hub_download function is used without specifying the revision parameter, which means the model can be updated or tampered with without verification.

prisma-cloud-devsecops · 2024-11-08T09:07:21Z

example2.py

+
+hf_hub_download("MIT/ast-finetuned-audioset-10-10-0.4593")
+
+hf_hub_download("MIT/ast-finetuned-audioset-10-10-0.4593", revision=None)


Download of Machine Learning Model Without Integrity Check
File: example2.py | Checkov ID: CKV3_SAST_99

How To Fix

from huggingface_hub import hf_hub_download

model = hf_hub_download("some_model", revision="specific_commit")

Description

CWE: CWE-494: Download of Code Without Integrity Check
OWASP: A08:2021-Software and Data Integrity Failures

This SAST policy identifies instances where machine learning models are downloaded without specifying a specific revision, which could lead to the use of untrusted or tampered models.

Vulnerable code example:

python from huggingface_hub import hf_hub_download model = hf_hub_download("some_model")

In the above example, the hf_hub_download function is used without specifying the revision parameter, which means the model can be updated or tampered with without verification.

github-advanced-security

Checkov found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

Add files via upload

142c9c0

prisma-cloud-devsecops bot reviewed Nov 8, 2024

View reviewed changes

github-advanced-security bot found potential problems Nov 8, 2024

View reviewed changes

Vulnerability ID	Severity	CVSS	Fixed in	Status
CVE-2018-18074	HIGH	7.5	`2.20.0`	Open
CVE-2023-32681	MEDIUM	6.1	`2.31.0`	Open
CVE-2024-35195	MEDIUM	5.6	`2.32.0`	Open

Vulnerability ID	Severity	CVSS	Fixed in	Status
CVE-2024-2965	MEDIUM	4.2	`0.2.5`	Open
CVE-2024-3571	MEDIUM	6.5	`0.0.353`	Open
CVE-2024-8309	LOW	4.9	`0.2.0`	Open
CVE-2024-0243	LOW	3.7	`0.1.0`	Open

Vulnerability ID	Severity	CVSS	Fixed in	Status
CVE-2022-41880	CRITICAL	9.1	`2.10.1`	Open
CVE-2022-41900	CRITICAL	9.8	`2.10.1`	Open
CVE-2022-41902	CRITICAL	9.1	`2.10.1`	Open
CVE-2022-41910	CRITICAL	9.1	`2.10.1`	Open
CVE-2023-25664	CRITICAL	9.8	`2.12.0`	Open
CVE-2023-25668	CRITICAL	9.8	`2.12.0`	Open
CVE-2023-33976	HIGH	7.5	`2.13.0`	Open
CVE-2022-41883	HIGH	7.5	`2.10.1`	Open
CVE-2022-41884	HIGH	7.5	`2.10.1`	Open
CVE-2022-41886	HIGH	7.5	`2.10.1`	Open
CVE-2022-41887	HIGH	7.5	`2.10.1`	Open
CVE-2022-41888	HIGH	7.5	`2.10.1`	Open
CVE-2022-41889	HIGH	7.5	`2.10.1`	Open
CVE-2022-41890	HIGH	7.5	`2.10.1`	Open
CVE-2022-41891	HIGH	7.5	`2.10.1`	Open
CVE-2022-41893	HIGH	7.5	`2.10.1`	Open
CVE-2022-41894	HIGH	8.1	`2.10.1`	Open
CVE-2022-41895	HIGH	7.5	`2.10.1`	Open
CVE-2022-41896	HIGH	7.5	`2.10.1`	Open
CVE-2022-41897	HIGH	7.5	`2.10.1`	Open
CVE-2022-41898	HIGH	7.5	`2.10.1`	Open
CVE-2022-41899	HIGH	7.5	`2.10.1`	Open
CVE-2022-41901	HIGH	7.5	`2.10.1`	Open
CVE-2022-41907	HIGH	7.5	`2.10.1`	Open
CVE-2022-41908	HIGH	7.5	`2.10.1`	Open
CVE-2022-41909	HIGH	7.5	`2.10.1`	Open
CVE-2022-41911	HIGH	7.5	`2.10.1`	Open
CVE-2023-25658	HIGH	7.5	`2.12.0`	Open
CVE-2023-25659	HIGH	7.5	`2.12.0`	Open
CVE-2023-25660	HIGH	7.5	`2.12.0`	Open
CVE-2023-25662	HIGH	7.5	`2.12.0`	Open
CVE-2023-25663	HIGH	7.5	`2.12.0`	Open
CVE-2023-25665	HIGH	7.5	`2.12.0`	Open
CVE-2023-25666	HIGH	7.5	`2.12.0`	Open
CVE-2023-25667	HIGH	7.5	`2.12.0`	Open
CVE-2023-25669	HIGH	7.5	`2.12.0`	Open
CVE-2023-25670	HIGH	7.5	`2.12.0`	Open
CVE-2023-25671	HIGH	7.5	`2.12.0`	Open
CVE-2023-25672	HIGH	7.5	`2.12.0`	Open
CVE-2023-25673	HIGH	7.5	`2.12.0`	Open
CVE-2023-25674	HIGH	7.5	`2.12.0`	Open
CVE-2023-25675	HIGH	7.5	`2.12.0`	Open
CVE-2023-25676	HIGH	7.5	`2.12.0`	Open
CVE-2023-25801	HIGH	7.8	`2.12.0`	Open
CVE-2023-27579	HIGH	7.5	`2.12.0`	Open
CVE-2023-25661	MEDIUM	6.5	`2.11.1`	Open
GHSA-cqvq-fvhr-v6hc	LOW	1	`2.10.1`	Open
GHSA-xf83-q765-xm6m	LOW	1	`2.10.1`	Open

Vulnerability ID	Severity	CVSS	Fixed in	Status
CVE-2024-6221	HIGH	7.5	`4.0.2`	Open
CVE-2020-25032	HIGH	7.5	`3.0.9`	Open
CVE-2024-1681	MEDIUM	5.3	`4.0.1`	Open

		@@ -0,0 +1,3 @@
		import torch

		torch.hub.download_url_to_file("https://example.com", "/tmp/unsafe", hash_prefix=None)

		@@ -0,0 +1,5 @@
		from huggingface_hub import hf_hub_download

		hf_hub_download("MIT/ast-finetuned-audioset-10-10-0.4593")

Vulnerability ID	Severity	CVSS	Fixed in	Status
CVE-2023-30608	HIGH	7.5	`0.4.4`	Open
CVE-2024-4340	HIGH	7.5	`0.5.0`	Open

Conversation

jmagee70 commented Nov 8, 2024

Uh oh!

prisma-cloud-devsecops bot left a comment

Choose a reason for hiding this comment

Uh oh!

prisma-cloud-devsecops bot Nov 8, 2024

Choose a reason for hiding this comment

tqdm 4.19 / requirements.txt

Total vulnerabilities: 1

Uh oh!

prisma-cloud-devsecops bot Nov 8, 2024

Choose a reason for hiding this comment

requests 2.18 / requirements.txt

Total vulnerabilities: 3

Uh oh!

prisma-cloud-devsecops bot Nov 8, 2024

Choose a reason for hiding this comment

langchain 0.0.350 / requirements.txt

Total vulnerabilities: 4

Uh oh!

prisma-cloud-devsecops bot Nov 8, 2024

Choose a reason for hiding this comment

tensorflow-gpu 2.10.0 / requirements.txt

Total vulnerabilities: 48

Uh oh!

prisma-cloud-devsecops bot Nov 8, 2024

Choose a reason for hiding this comment

tensorflow-cpu 2.10.0 / requirements.txt

Total vulnerabilities: 48

Uh oh!

prisma-cloud-devsecops bot Nov 8, 2024

Choose a reason for hiding this comment

flask-cors 3.0.3 / requirements.txt

Total vulnerabilities: 3

Uh oh!

prisma-cloud-devsecops bot Nov 8, 2024

Choose a reason for hiding this comment

gevent 1.3.6 / requirements.txt

Total vulnerabilities: 1

Uh oh!

prisma-cloud-devsecops bot Nov 8, 2024

Choose a reason for hiding this comment

Downloading a file with hash verification

Loading a model state dictionary with hash check

Loading a model using model_zoo with hash check

Description

Uh oh!

prisma-cloud-devsecops bot Nov 8, 2024

Choose a reason for hiding this comment

Description

Uh oh!

prisma-cloud-devsecops bot Nov 8, 2024

Choose a reason for hiding this comment

Description

Uh oh!

prisma-cloud-devsecops bot left a comment

Choose a reason for hiding this comment

Uh oh!

prisma-cloud-devsecops bot Nov 8, 2024

Choose a reason for hiding this comment

tensorflow-gpu 2.10.0 / requirements.txt

Total vulnerabilities: 48

Uh oh!

prisma-cloud-devsecops bot Nov 8, 2024

Choose a reason for hiding this comment

flask-cors 3.0.3 / requirements.txt

Total vulnerabilities: 3

Uh oh!

prisma-cloud-devsecops bot Nov 8, 2024

Choose a reason for hiding this comment

sqlparse 0.2.4 / requirements.txt

Total vulnerabilities: 2

Uh oh!

prisma-cloud-devsecops bot Nov 8, 2024

Choose a reason for hiding this comment

tqdm 4.19 / requirements.txt

Total vulnerabilities: 1

Uh oh!

prisma-cloud-devsecops bot Nov 8, 2024