Skip to content

fix: Vulnerability fix for starkbank-ecdsa 2.2.0 dependency #1085

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
May 9, 2025
Merged

fix: Vulnerability fix for starkbank-ecdsa 2.2.0 dependency #1085

merged 4 commits into from
May 9, 2025

Conversation

ranjanprasad1996
Copy link
Contributor

Fixes

As part of the quay.io vulnerability report, it is reported that the sendgrid-python==6.11.0 package has a vulnerability (GHSA-9wx7-jrvc-28mm) reported for dependency starkbank-ecdsa==2.2.0 which is the latest version available from 2022 (The starbank repository no longer seems to be maintained).

This PR solves replaces the outdated starbank-ecdsa library (https://github.com/starkbank/ecdsa-python) with an actively mainained library ecdsa (https://github.com/tlsfuzzer/python-ecdsa).

Checklist

  • I acknowledge that all my contributions will be made under the project's license
  • I have made a material change to the repo (functionality, testing, spelling, grammar)
  • I have read the Contribution Guidelines and my PR follows them
  • I have titled the PR appropriately
  • I have updated my branch with the main branch
  • I have added tests that prove my fix is effective or that my feature works
  • I have added the necessary documentation about the functionality in the appropriate .md file
  • I have added inline documentation to the code I modified

@ranjanprasad1996 ranjanprasad1996 changed the title fix: Vulnerability fix for starkbank-ecdsa 2.2.0 depeendency fix: Vulnerability fix for starkbank-ecdsa 2.2.0 dependency Aug 22, 2024
@kurtqq
Copy link

kurtqq commented May 9, 2025

@tiwarishubham635 should this be merged?

@tiwarishubham635
Copy link
Contributor

I see some tests are failing

@ranjanprasad1996
Copy link
Contributor Author

@tiwarishubham635 Have fixed the tests. Could you please retrigger the builds?

tiwarishubham635
tiwarishubham635 approved these changes May 9, 2025
View reviewed changes
Copy link
Contributor

@tiwarishubham635 tiwarishubham635 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@tiwarishubham635 tiwarishubham635 merged commit 6eb4375 into sendgrid:main May 9, 2025
9 checks passed
@ranjanprasad1996
Copy link
Contributor Author

ranjanprasad1996 commented May 9, 2025
edited
Loading

@tiwarishubham635 When will this patch be released? Thanks

@tiwarishubham635
Copy link
Contributor

We will be releasing today. Thanks!

@tiwarishubham635 tiwarishubham635 mentioned this pull request May 13, 2025
Merged
8 tasks
wfriedl
wfriedl reviewed May 19, 2025
View reviewed changes
sendgrid/helpers/eventwebhook/__init__.py
from ellipticcurve.publicKey import PublicKey
from ellipticcurve.signature import Signature

from .eventwebhook_header import EventWebhookHeader
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removing EventWebhookHeader breaks eventwebhook_example.py

@tiwarishubham635
Copy link
Contributor

I think we can export the EventWebhookHeader from eventwebhook init.py to fix this

@tiwarishubham635 tiwarishubham635 mentioned this pull request May 22, 2025
Merged
8 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wfriedl wfriedl wfriedl left review comments

@tiwarishubham635 tiwarishubham635 tiwarishubham635 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@ranjanprasad1996 @kurtqq @tiwarishubham635 @wfriedl