Arbitrary file write when scanning a specially-crafted local PyPI package
Description
GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to 0.1.5 are vulnerable to Relative Path Traversal when scanning a specially-crafted local PyPI package. Running GuardDog against such a package can allow an attacker to write an arbitrary file on the machine where GuardDog is executed. The cause is a path traversal when extracting the .tar.gz file of the package being scanned; this behaviour exists by design in the tarfile.TarFile.extractall function. This issue is patched in version 0.1.5.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| guarddog (PyPI) | < 0.1.5 | 0.1.5 |
Affected products
1
Patches
1
98af5c8c1e9c Use tarsafe instead of built-in tarfile to extract archives (#89)
4 files changed · +78 −299
guarddog/scanners/package_scanner.py+2 −2 modified
@@ -2,7 +2,7 @@
 import os
 import shutil
 import sys
-import tarfile
+import tarsafe
 import tempfile
 import requests
@@ -44,7 +44,7 @@ def scan_local(self, path, rules=None) -> dict:
 if os.path.exists(path):
 if path.endswith('.tar.gz'):
 with tempfile.TemporaryDirectory() as tmpdirname:
- tarfile.open(path).extractall(tmpdirname)
+ tarsafe.open(path).extractall(tmpdirname)
 return self.analyzer.analyze_sourcecode(tmpdirname, rules=rules)
 elif os.path.isdir(path):
 return self.analyzer.analyze_sourcecode(path, rules=rules)
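Review bot: The archive handle returned by `tarsafe.open(path)` in the second hunk is never closed, and nothing in the visible lines handles the case where tarsafe rejects an unsafe member, so a crafted package would presumably end the scan with an uncaught exception instead of a reported finding. Writing it as `with tarsafe.open(path) as archive: archive.extractall(tmpdirname)` closes the file on every path, and the rejection could then be caught and surfaced as a scan result, since an archive that tries to escape its extraction directory is itself a signal worth reporting. None of the four changed files is a test, so a regression test built around a constructed archive with a `../` member would pin the fix. scan_local starts and ends outside the hunk.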
poetry.lock+18 −7 modified@@ -476,7 +476,7 @@ python-versions = ">=3.5" [[package]] name = "semgrep" -version = "0.122.0" +version = "0.112.1" description = "Lightweight static analysis for many languages. Find bug variants with patterns that look like source code." category = "main" optional = false @@ -496,7 +496,6 @@ peewee = ">=3.14,<4.0" python-lsp-jsonrpc = ">=1.0.0,<1.1.0" requests = ">=2.22,<3.0" "ruamel.yaml" = ">=0.16.0,<0.18" -tomli = ">=2.0.1,<2.1.0" tqdm = ">=4.46,<5.0" typing-extensions = ">=4.2,<5.0" urllib3 = ">=1.26,<2.0" @@ -526,6 +525,14 @@ category = "main" optional = false python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*" +[[package]] +name = "tarsafe" +version = "0.0.4" +description = "A safe subclass of the TarFile class for interacting with tar files. Can be used as a direct drop-in replacement for safe usage of extractall()" +category = "main" +optional = false +python-versions = ">=3.6" + [[package]] name = "termcolor" version = "2.1.1" @@ -618,7 +625,7 @@ test = ["websockets"] [metadata] lock-version = "1.1" python-versions = ">=3.9, <4" -content-hash = "a2ee2a3bf8cdebfd91939977044d2a626e5b54500965da9d66a70c3c9b71ca2c" +content-hash = "0faf892801caefce1e994f6fdee7254ac4e2e95ad947d7459b75113af80eed74" [metadata.files] attrs = [ 
@@ -867,10 +874,10 @@ ruamel-yaml-clib = [ {file = "ruamel.yaml.clib-0.2.7.tar.gz", hash = "sha256:1f08fd5a2bea9c4180db71678e850b995d2a5f4537be0e94557668cf0f5f9497"}, ] semgrep = [ - {file = "semgrep-0.122.0-cp37.cp38.cp39.py37.py38.py39-none-any.whl", hash = "sha256:c7002b9aba97deb6677f4cabfa5dcc8faef2808ce6a6f28ecdd70cd8e90b01b5"}, - {file = "semgrep-0.122.0-cp37.cp38.cp39.py37.py38.py39-none-macosx_10_14_x86_64.whl", hash = "sha256:e3fb9956e2bb926cfeff52deafe4cec24d5f1e91fe6d3fc4f81e86ec452b2ad5"}, - {file = "semgrep-0.122.0-cp37.cp38.cp39.py37.py38.py39-none-macosx_11_0_arm64.whl", hash = "sha256:6116391b0c8c87581d9d72113702b6f8c2938d799cdae7d71a845ec89249566c"}, - {file = "semgrep-0.122.0.tar.gz", hash = "sha256:a4c7400eb8bec9fe8df25520d1ffcb5d78b87c73dc654f1c2aec1195789bc611"}, + {file = "semgrep-0.112.1-cp37.cp38.cp39.py37.py38.py39-none-any.whl", hash = "sha256:2a62bc6321d371dadc41df2c68678e87df807ddfa3d1faafb40bd0998abfe503"}, + {file = "semgrep-0.112.1-cp37.cp38.cp39.py37.py38.py39-none-macosx_10_14_x86_64.whl", hash = "sha256:b690a84cbaa6a4670ff6c11a674818b8ad99736e89520a3c47d1542cc45e6d05"}, + {file = "semgrep-0.112.1-cp37.cp38.cp39.py37.py38.py39-none-macosx_11_0_arm64.whl", hash = "sha256:bc2437f12e41ac5e28a303e463098565a3d948c7744f6745bdb0fea341ccdae1"}, + {file = "semgrep-0.112.1.tar.gz", hash = "sha256:2140a0fd16f3ac0a0e330980613ba65fe58faea7808a965e219c4199bab96102"}, ] setuptools = [ {file = "setuptools-65.6.3-py3-none-any.whl", hash = "sha256:57f6f22bde4e042978bcd50176fdb381d7c21a9efa4041202288d3737a0c6a54"}, 
@@ -880,6 +887,10 @@ six = [ {file = "six-1.16.0-py2.py3-none-any.whl", hash = "sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254"}, {file = "six-1.16.0.tar.gz", hash = "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926"}, ] +tarsafe = [ + {file = "tarsafe-0.0.4-py3-none-any.whl", hash = "sha256:12903a81f2612c09d22117115301ea510944af5caa1e358636e0fc1d0e6134df"}, + {file = "tarsafe-0.0.4.tar.gz", hash = "sha256:a376f4138005298c11c30cb60a5081fa2c09f44384c966106fbaeee3059e9ec5"}, +] termcolor = [ {file = "termcolor-2.1.1-py3-none-any.whl", hash = "sha256:fa852e957f97252205e105dd55bbc23b419a70fec0085708fc0515e399f304fd"}, {file = "termcolor-2.1.1.tar.gz", hash = "sha256:67cee2009adc6449c650f6bcf3bdeed00c8ba53a8cda5362733c53e0a39fb70b"},
pyproject.toml+3 −1 modified
@@ -12,7 +12,8 @@ guarddog = "guarddog.cli:cli"
 [tool.poetry.dependencies]
 python = ">=3.9, <4"
 docker = "==6.0.0b1"
-semgrep = "==0.122.0"
+# NOTE: Before https://github.com/returntocorp/semgrep/issues/6631 is addressed, we can't seem to upgrade past 0.112.1
+semgrep = "==0.112.1"
 requests = "==2.28.1"
 tqdm = "==4.64.0"
 python-dotenv = "==0.20.0"
@@ -47,6 +48,7 @@ flake8 = "^5.0.4"
 python-whois = "^0.8.0"
 termcolor = "^2.1.0"
 setuptools = "^65.6.3"
+tarsafe = "^0.0.4"
 [tool.poetry.dev-dependencies]
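Review bot: The `tarsafe = "^0.0.4"` line in the second hunk has no comment saying that it is the guard against path traversal during archive extraction, so a later dependency clean-up could swap it back to the standard-library module without noticing. I would add `# security: used instead of tarfile for extraction, see GHSA-rp2v-v467-q9vq` above it. Poetry's caret on a `0.0.x` version resolves to `>=0.0.4,<0.0.5`, so this is effectively an exact pin and any later tarsafe release needs a deliberate bump. The semgrep downgrade in the first hunk is unrelated to the fix and would be easier to audit as its own commit.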
requirements.txt+55 −289 modified@@ -1,289 +1,55 @@ -atomicwrites==1.4.1 ; python_version >= "3.10" and python_version < "4" and sys_platform == "win32" \ - --hash=sha256:81b2c9071a49367a7f770170e5eec8cb66567cfbbc8c73d20ce5ca4a8d71cf11 -attrs==21.4.0 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:2d27e3784d7a565d36ab851fe94887c5eccd6a463168875832a1be79c82828b4 \ - --hash=sha256:626ba8234211db98e869df76230a137c4c40a12d72445c45d5f5b716f076e2fd -boltons==21.0.0 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:65e70a79a731a7fe6e98592ecfb5ccf2115873d01dbc576079874629e5c90f13 \ - --hash=sha256:b9bb7b58b2b420bbe11a6025fdef6d3e5edc9f76a42fb467afe7ca212ef9948b -bracex==2.3.post1 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:351b7f20d56fb9ea91f9b9e9e7664db466eb234188c175fd943f8f755c807e73 \ - --hash=sha256:e7b23fc8b2cd06d3dec0692baabecb249dda94e06a617901ff03a6c56fd71693 -certifi==2022.6.15 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:84c85a9078b11105f04f3036a9482ae10e4621616db313fe045dd24743a0820d \ - --hash=sha256:fe86415d55e84719d75f8b69414f6438ac3547d2078ab91b67e779ef69378412 -charset-normalizer==2.1.0 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:5189b6f22b01957427f35b6a08d9a0bc45b46d3788ef5a92e978433c7a35f8a5 \ - --hash=sha256:575e708016ff3a5e3681541cb9d79312c416835686d054a23accb873b254f413 -click-option-group==0.5.3 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:9653a2297357335d7325a1827e71ac1245d91c97d959346a7decabd4a52d5354 \ - --hash=sha256:a6e924f3c46b657feb5b72679f7e930f8e5b224b766ab35c91ae4019b4e0615e -click==8.1.3 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:7682dc8afb30297001674575ea00d1814d808d6a36af415a82bd481d37ba7b8e \ - --hash=sha256:bb4d8133cb15a609f44e8213d9b391b0809795062913b383c62be0ee95b1db48 -colorama==0.4.5 ; python_version >= "3.10" and python_version < "4" \ - 
--hash=sha256:854bf444933e37f5824ae7bfc1e98d5bce2ebe4160d46b5edf346a89358e99da \ - --hash=sha256:e6c6b4334fc50988a639d9b98aa429a0b57da6e17b9a44f0451f930b6967b7a4 -defusedxml==0.7.1 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:1bb3032db185915b62d7c6209c5a8792be6a32ab2fedacc84e01b52c51aa3e69 \ - --hash=sha256:a352e7e428770286cc899e2542b6cdaedb2b4953ff269a210103ec58f6198a61 -dill==0.3.5.1 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:33501d03270bbe410c72639b350e941882a8b0fd55357580fbc873fba0c59302 \ - --hash=sha256:d75e41f3eff1eee599d738e76ba8f4ad98ea229db8b085318aa2b3333a208c86 -docker==6.0.0b1 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:61e4a5c726d76ee1e4632e9626b6e3b99dadff3ffd6b24b246b68c05d854bd11 \ - --hash=sha256:a38b57fd6ad112dade98b795dc94a790b347134b140a5d43d7634aa6ad928859 -face==20.1.1 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:3790311a7329e4b0d90baee346eecad54b337629576edf3a246683a5f0d24446 \ - --hash=sha256:7d59ca5ba341316e58cf72c6aff85cca2541cf5056c4af45cb63af9a814bed3e -flake8==5.0.4 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:6fbe320aad8d6b95cec8b8e47bc933004678dc63095be98528b7bdd2a9f510db \ - --hash=sha256:7a1cf6b73744f5806ab95e526f6f0d8c01c66d7bbe349562d22dfca20610b248 -future==0.18.2 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:b1bead90b70cf6ec3f0710ae53a525360fa360d306a86583adc6bf83a4db537d -glom==22.1.0 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:1510c6587a8f9c64a246641b70033cbc5ebde99f02ad245693678038e821aeb5 \ - --hash=sha256:5339da206bf3532e01a83a35aca202960ea885156986d190574b779598e9e772 -idna==3.3 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:84d9dd047ffa80596e0f246e2eab0b391788b0503584e8945f2368256d2735ff \ - --hash=sha256:9d643ff0a55b762d5cdb124b8eaa99c66322e2157b69160bc32796e824360e6d -iniconfig==1.1.1 ; python_version >= "3.10" and 
python_version < "4" \ - --hash=sha256:011e24c64b7f47f6ebd835bb12a743f2fbe9a26d4cecaa7f53bc4f35ee9da8b3 \ - --hash=sha256:bc3af051d7d14b2ee5ef9969666def0cd1a000e121eaea580d4a313df4b37f32 -jsonschema==4.9.1 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:408c4c8ed0dede3b268f7a441784f74206380b04f93eb2d537c7befb3df3099f \ - --hash=sha256:8ebad55894c002585271af2d327d99339ef566fb085d9129b69e2623867c4106 -mccabe==0.7.0 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:348e0240c33b60bbdf4e523192ef919f28cb2c3d7d5c7794f74009290f236325 \ - --hash=sha256:6c2d30ab6be0e4a46919781807b4f0d834ebdd6c6e3dca0bda5a15f863427b6e -multiprocess==0.70.13 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:00ef48461d43d1e30f8f4b2e1b287ecaaffec325a37053beb5503e0d69e5a3cd \ - --hash=sha256:01c1137d2f18d0cd262d0fdb7294b1fe9fc3e8dc8b126e506085434ae8eb3677 \ - --hash=sha256:0f4faf4811019efdb2f91db09240f893ee40cbfcb06978f3b8ed8c248e73babe \ - --hash=sha256:17cb4229aa43e6973679d67c66a454cbf8b6b0d038425cba3220ea5a06d61b58 \ - --hash=sha256:2e096dd618a84d15aa369a9cf6695815e5539f853dc8fa4f4b9153b11b1d0b32 \ - --hash=sha256:34e9703bd5b9fee5455c93a74e44dbabe55481c214d03be1e65f037be9d0c520 \ - --hash=sha256:3ec1c8015e19182bfa01b5887a9c25805c48df3c71863f48fe83803147cde5d6 \ - --hash=sha256:48315eefe02c35dd7560da3fa8af66d9f4a61b9dc8f7c40801c5f972ab4604b1 \ - --hash=sha256:5436d1cd9f901f7ddc4f20b6fd0b462c87dcc00d941cc13eeb2401fc5bd00e42 \ - --hash=sha256:5974bdad390ba466cc130288d2ef1048fdafedd01cf4641fc024f6088af70bfe \ - --hash=sha256:5a6dca5f29f0224c855d0d5cad963476175cfc8de112d3eebe85914cb735f130 \ - --hash=sha256:62e556a0c31ec7176e28aa331663ac26c276ee3536b5e9bb5e850681e7a00f11 \ - --hash=sha256:6cdde49defcb933062df382ebc9b5299beebcd157a98b3a65291c1c94a2edc41 \ - --hash=sha256:7be9e320a41d2d0d0eddacfe693cfb07b4cb9c0d3d10007f4304255c15215778 \ - --hash=sha256:7e6a689da3490412caa7b3e27c3385d8aaa49135f3a353ace94ca47e4c926d37 \ - 
--hash=sha256:92003c247436f8699b7692e95346a238446710f078500eb364bc23bb0503dd4f \ - --hash=sha256:99bb68dd0d5b3d30fe104721bee26e4637667112d5951b51feb81479fd560876 \ - --hash=sha256:af0a48440aa8f793d8bb100f20102c12f192de5a608638819a998f2cc59e1fcd \ - --hash=sha256:b7415f61bddfffdade73396904551be8124a4a363322aa9c72d42e349c5fca39 \ - --hash=sha256:b9a3be43ecee6776a9e7223af96914a0164f306affcf4624b213885172236b77 \ - --hash=sha256:c4a97216e8319039c69a266252cc68a392b96f9e67e3ed02ad88be9e6f2d2969 -mypy-extensions==0.4.3 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:090fedd75945a69ae91ce1303b5824f428daf5a028d2f6ab8a299250a846f15d \ - --hash=sha256:2d82818f5bb3e369420cb3c4060a7970edba416647068eb4c5343488a6c604a8 -packaging==21.3 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:dd47c42927d89ab911e606518907cc2d3a1f38bbd026385970643f9c5b8ecfeb \ - --hash=sha256:ef103e05f519cdc783ae24ea4e2e0f508a9c99b2d4969652eed6a2e1ea5bd522 -pathos==0.2.9 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:1c44373d8692897d5d15a8aa3b3a442ddc0814c5e848f4ff0ded5491f34b1dac \ - --hash=sha256:6a6ddb514ce2719f63fb88d5ec4f4490e436b636b54f1102d952c9f7c52f18e2 \ - --hash=sha256:a8dbddcd3d9af32ada7c6dc088d845588c513a29a0ba19ab9f64c5cd83692934 -pathspec==0.9.0 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:7d15c4ddb0b5c802d161efc417ec1a2558ea2653c2e8ad9c19098201dc1c993a \ - --hash=sha256:e564499435a2673d586f6b2130bb5b95f04a3ba06f81b8f895b651a3c76aabb1 -peewee==3.15.1 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:6d5db3babc33819ac326f1550e5a39677f4584094c567a7b88cc6bf7bcdcb687 -platformdirs==2.5.2 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:027d8e83a2d7de06bbac4e5ef7e023c02b863d7ea5d079477e722bb41ab25788 \ - --hash=sha256:58c8abb07dcb441e6ee4b11d8df0ac856038f944ab98b7be6b27b2a3c7feef19 -pluggy==1.0.0 ; python_version >= "3.10" and python_version < "4" \ - 
--hash=sha256:4224373bacce55f955a878bf9cfa763c1e360858e330072059e10bad68531159 \ - --hash=sha256:74134bbf457f031a36d68416e1509f34bd5ccc019f0bcc952c7b909d06b37bd3 -pox==0.3.1 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:541b5c845aacb806c1364d4142003efb809d654c9ca8db82e650ee86c81e680b \ - --hash=sha256:cbb0c0acd650c0ffb620999da611e93aae5105c46a084c4ceaf2f704ed708c1e -ppft==1.7.6.5 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:07166097d7dd45af7b98859654390d579d11dadf20780f6baca4bded3f55a580 \ - --hash=sha256:47e0dab87a516c0b9992cd5b0c908348e4c7d964304d106b227fad28ae03219e -py==1.11.0 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:51c75c4126074b472f746a24399ad32f6053d1b34b68d2fa41e558e6f4a98719 \ - --hash=sha256:607c53218732647dff4acdfcd50cb62615cedf612e72d1724fb1a0cc6405b378 -pycodestyle==2.9.1 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:2c9607871d58c76354b697b42f5d57e1ada7d261c261efac224b664affdc5785 \ - --hash=sha256:d1735fc58b418fd7c5f658d28d943854f8a849b01a5d0a1e6f3f3fdd0166804b -pyflakes==2.5.0 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:4579f67d887f804e67edb544428f264b7b24f435b263c4614f384135cea553d2 \ - --hash=sha256:491feb020dca48ccc562a8c0cbe8df07ee13078df59813b83959cbdada312ea3 -pyparsing==3.0.9 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:2b020ecf7d21b687f219b71ecad3631f644a47f01403fa1d1036b0c6416d70fb \ - --hash=sha256:5026bae9a10eeaefb61dab2f09052b9f4307d44aee4eda64b309723d8d206bbc -pyrsistent==0.18.1 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:0e3e1fcc45199df76053026a51cc59ab2ea3fc7c094c6627e93b7b44cdae2c8c \ - --hash=sha256:1b34eedd6812bf4d33814fca1b66005805d3640ce53140ab8bbb1e2651b0d9bc \ - --hash=sha256:4ed6784ceac462a7d6fcb7e9b663e93b9a6fb373b7f43594f9ff68875788e01e \ - --hash=sha256:5d45866ececf4a5fff8742c25722da6d4c9e180daa7b405dc0a2a2790d668c26 \ - 
--hash=sha256:636ce2dc235046ccd3d8c56a7ad54e99d5c1cd0ef07d9ae847306c91d11b5fec \ - --hash=sha256:6455fc599df93d1f60e1c5c4fe471499f08d190d57eca040c0ea182301321286 \ - --hash=sha256:6bc66318fb7ee012071b2792024564973ecc80e9522842eb4e17743604b5e045 \ - --hash=sha256:7bfe2388663fd18bd8ce7db2c91c7400bf3e1a9e8bd7d63bf7e77d39051b85ec \ - --hash=sha256:7ec335fc998faa4febe75cc5268a9eac0478b3f681602c1f27befaf2a1abe1d8 \ - --hash=sha256:914474c9f1d93080338ace89cb2acee74f4f666fb0424896fcfb8d86058bf17c \ - --hash=sha256:b568f35ad53a7b07ed9b1b2bae09eb15cdd671a5ba5d2c66caee40dbf91c68ca \ - --hash=sha256:cdfd2c361b8a8e5d9499b9082b501c452ade8bbf42aef97ea04854f4a3f43b22 \ - --hash=sha256:d1b96547410f76078eaf66d282ddca2e4baae8964364abb4f4dcdde855cd123a \ - --hash=sha256:d4d61f8b993a7255ba714df3aca52700f8125289f84f704cf80916517c46eb96 \ - --hash=sha256:d7a096646eab884bf8bed965bad63ea327e0d0c38989fc83c5ea7b8a87037bfc \ - --hash=sha256:df46c854f490f81210870e509818b729db4488e1f30f2a1ce1698b2295a878d1 \ - --hash=sha256:e24a828f57e0c337c8d8bb9f6b12f09dfdf0273da25fda9e314f0b684b415a07 \ - --hash=sha256:e4f3149fd5eb9b285d6bfb54d2e5173f6a116fe19172686797c056672689daf6 \ - --hash=sha256:e92a52c166426efbe0d1ec1332ee9119b6d32fc1f0bbfd55d5c1088070e7fc1b \ - --hash=sha256:f87cc2863ef33c709e237d4b5f4502a62a00fab450c9e020892e8e2ede5847f5 \ - --hash=sha256:fd8da6d0124efa2f67d86fa70c851022f87c98e205f0594e1fae044e7119a5a6 -pytest==7.1.2 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:13d0e3ccfc2b6e26be000cb6568c832ba67ba32e719443bfe725814d3c42433c \ - --hash=sha256:a06a0425453864a270bc45e71f783330a7428defb4230fb5e6a731fde06ecd45 -python-dateutil==2.8.2 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86 \ - --hash=sha256:961d03dc3453ebbc59dbdea9e4e11c5651520a876d0f4db161e8674aae935da9 -python-dotenv==0.20.0 ; python_version >= "3.10" and python_version < "4" \ - 
--hash=sha256:b7e3b04a59693c42c36f9ab1cc2acc46fa5df8c78e178fc33a8d4cd05c8d498f \ - --hash=sha256:d92a187be61fe482e4fd675b6d52200e7be63a12b724abbf931a40ce4fa92938 -python-lsp-jsonrpc==1.0.0 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:079b143be64b0a378bdb21dff5e28a8c1393fe7e8a654ef068322d754e545fc7 \ - --hash=sha256:7bec170733db628d3506ea3a5288ff76aa33c70215ed223abdb0d95e957660bd -python-whois==0.8.0 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:dd336d3517eace2a7689406db7bb96ada3c5e74327423151aeee3e64225f6220 -pywin32==304 ; python_version >= "3.10" and python_version < "4" and sys_platform == "win32" \ - --hash=sha256:25746d841201fd9f96b648a248f731c1dec851c9a08b8e33da8b56148e4c65cc \ - --hash=sha256:30c53d6ce44c12a316a06c153ea74152d3b1342610f1b99d40ba2795e5af0269 \ - --hash=sha256:3c7bacf5e24298c86314f03fa20e16558a4e4138fc34615d7de4070c23e65af3 \ - --hash=sha256:4f32145913a2447736dad62495199a8e280a77a0ca662daa2332acf849f0be48 \ - --hash=sha256:7ffa0c0fa4ae4077e8b8aa73800540ef8c24530057768c3ac57c609f99a14fd4 \ - --hash=sha256:94037b5259701988954931333aafd39cf897e990852115656b014ce72e052e96 \ - --hash=sha256:bb2ea2aa81e96eee6a6b79d87e1d1648d3f8b87f9a64499e0b92b30d141e76df \ - --hash=sha256:be253e7b14bc601718f014d2832e4c18a5b023cbe72db826da63df76b77507a1 \ - --hash=sha256:cbbe34dad39bdbaa2889a424d28752f1b4971939b14b1bb48cbf0182a3bcfc43 \ - --hash=sha256:d24a3382f013b21aa24a5cfbfad5a2cd9926610c0affde3e8ab5b3d7dbcf4ac9 \ - --hash=sha256:d3ee45adff48e0551d1aa60d2ec066fec006083b791f5c3527c40cd8aefac71f \ - --hash=sha256:de9827c23321dcf43d2f288f09f3b6d772fee11e809015bdae9e69fe13213988 \ - --hash=sha256:ead865a2e179b30fb717831f73cf4373401fc62fbc3455a0889a7ddac848f83e \ - --hash=sha256:f64c0377cf01b61bd5e76c25e1480ca8ab3b73f0c4add50538d332afdf8f69c5 -requests==2.28.1 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:7c5599b102feddaa661c826c56ab4fee28bfd17f5abca1ebbe3e7f19d7c97983 \ - 
--hash=sha256:8fefa2a1a1365bf5520aac41836fbee479da67864514bdb821f31ce07ce65349 -ruamel-yaml-clib==0.2.6 ; platform_python_implementation == "CPython" and python_version < "3.11" and python_version >= "3.10" \ - --hash=sha256:066f886bc90cc2ce44df8b5f7acfc6a7e2b2e672713f027136464492b0c34d7c \ - --hash=sha256:0847201b767447fc33b9c235780d3aa90357d20dd6108b92be544427bea197dd \ - --hash=sha256:1070ba9dd7f9370d0513d649420c3b362ac2d687fe78c6e888f5b12bf8bc7bee \ - --hash=sha256:1866cf2c284a03b9524a5cc00daca56d80057c5ce3cdc86a52020f4c720856f0 \ - --hash=sha256:1b4139a6ffbca8ef60fdaf9b33dec05143ba746a6f0ae0f9d11d38239211d335 \ - --hash=sha256:210c8fcfeff90514b7133010bf14e3bad652c8efde6b20e00c43854bf94fa5a6 \ - --hash=sha256:221eca6f35076c6ae472a531afa1c223b9c29377e62936f61bc8e6e8bdc5f9e7 \ - --hash=sha256:31ea73e564a7b5fbbe8188ab8b334393e06d997914a4e184975348f204790277 \ - --hash=sha256:3fb9575a5acd13031c57a62cc7823e5d2ff8bc3835ba4d94b921b4e6ee664104 \ - --hash=sha256:4ff604ce439abb20794f05613c374759ce10e3595d1867764dd1ae675b85acbd \ - --hash=sha256:61bc5e5ca632d95925907c569daa559ea194a4d16084ba86084be98ab1cec1c6 \ - --hash=sha256:6e7be2c5bcb297f5b82fee9c665eb2eb7001d1050deaba8471842979293a80b0 \ - --hash=sha256:72a2b8b2ff0a627496aad76f37a652bcef400fd861721744201ef1b45199ab78 \ - --hash=sha256:77df077d32921ad46f34816a9a16e6356d8100374579bc35e15bab5d4e9377de \ - --hash=sha256:78988ed190206672da0f5d50c61afef8f67daa718d614377dcd5e3ed85ab4a99 \ - --hash=sha256:7b2927e92feb51d830f531de4ccb11b320255ee95e791022555971c466af4527 \ - --hash=sha256:7f7ecb53ae6848f959db6ae93bdff1740e651809780822270eab111500842a84 \ - --hash=sha256:825d5fccef6da42f3c8eccd4281af399f21c02b32d98e113dbc631ea6a6ecbc7 \ - --hash=sha256:846fc8336443106fe23f9b6d6b8c14a53d38cef9a375149d61f99d78782ea468 \ - --hash=sha256:89221ec6d6026f8ae859c09b9718799fea22c0e8da8b766b0b2c9a9ba2db326b \ - --hash=sha256:9efef4aab5353387b07f6b22ace0867032b900d8e91674b5d8ea9150db5cae94 \ - 
--hash=sha256:a32f8d81ea0c6173ab1b3da956869114cae53ba1e9f72374032e33ba3118c233 \ - --hash=sha256:a49e0161897901d1ac9c4a79984b8410f450565bbad64dbfcbf76152743a0cdb \ - --hash=sha256:ada3f400d9923a190ea8b59c8f60680c4ef8a4b0dfae134d2f2ff68429adfab5 \ - --hash=sha256:bf75d28fa071645c529b5474a550a44686821decebdd00e21127ef1fd566eabe \ - --hash=sha256:cfdb9389d888c5b74af297e51ce357b800dd844898af9d4a547ffc143fa56751 \ - --hash=sha256:d3c620a54748a3d4cf0bcfe623e388407c8e85a4b06b8188e126302bcab93ea8 \ - --hash=sha256:d67f273097c368265a7b81e152e07fb90ed395df6e552b9fa858c6d2c9f42502 \ - --hash=sha256:dc6a613d6c74eef5a14a214d433d06291526145431c3b964f5e16529b1842bed \ - --hash=sha256:de9c6b8a1ba52919ae919f3ae96abb72b994dd0350226e28f3686cb4f142165c -ruamel-yaml==0.17.21 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:742b35d3d665023981bd6d16b3d24248ce5df75fdb4e2924e93a05c1f8b61ca7 \ - --hash=sha256:8b7ce697a2f212752a35c1ac414471dc16c424c9573be4926b56ff3f5d23b7af -semgrep==0.107.0 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:202a3cc52e96b6603d22f3d5629e6f654008d53ab32613dbc9a8521be6cc42b9 \ - --hash=sha256:2902ca1825fa2a17a57b5b8fbe0828c4c714bbe82dff7bc5f415cd876f58d715 \ - --hash=sha256:51dc4813e2304efa9811d89c81614b6076a6d16f6ca56f19f672898d451946b5 \ - --hash=sha256:f357b650dcc517671286aa6df4b3e7a2eb1f12ca178edd6c18b9c8eeea3ca135 -six==1.16.0 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \ - --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254 -termcolor==2.1.0 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:91dd04fdf661b89d7169cefd35f609b19ca931eb033687eaa647cef1ff177c49 \ - --hash=sha256:b80df54667ce4f48c03fe35df194f052dc27a541ebbf2544e4d6b47b5d6949c4 -tomli==2.0.1 ; python_version >= "3.10" and python_version < "4" \ - 
--hash=sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc \ - --hash=sha256:de526c12914f0c550d15924c62d72abc48d6fe7364aa87328337a31007fe8a4f -tqdm==4.64.0 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:40be55d30e200777a307a7585aee69e4eabb46b4ec6a4b4a5f2d9f11e7d5408d \ - --hash=sha256:74a2cdefe14d11442cedf3ba4e21a3b84ff9a2dbdc6cfae2c34addb2a14a5ea6 -typing-extensions==4.3.0 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:25642c956049920a5aa49edcdd6ab1e06d7e5d467fc00e0506c44ac86fbfca02 \ - --hash=sha256:e6d2677a32f47fc7eb2795db1dd15c1f34eff616bcaf2cfb5e997f854fa1c4a6 -ujson==5.4.0 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:025758cf6561af6986d77cd4af9367ab56dde5c7c50f13f59e6964b4b25df73e \ - --hash=sha256:0551c1ba0bc9e05b69d9c18266dbc93252b5fa3cd9940051bc88a0dd33607b19 \ - --hash=sha256:05e411627e5d6ee773232960ca7307e66017f78e3fa74f7e95c3a8cc5cb05415 \ - --hash=sha256:0b46aee21e5d75426c4058dfdb42f7e7b1d130c664ee5027a8dbbc50872dc32b \ - --hash=sha256:0bcde3135265ecdd5714a7de4fdc167925390d7b17ca325e59980f4114c962b8 \ - --hash=sha256:1120c8263f7d85e89533a2b46d80cc6def15114772010ede4d197739e111dba6 \ - --hash=sha256:13297a7d501f9c8c53e409d4fa57cc574e4fbfbe8807ef2c4c7ce2e3ec933a85 \ - --hash=sha256:191f88d5865740497b9827ef9b7c12f37a79872ac984e09f0901a10024019380 \ - --hash=sha256:1a2e645325f844f9c890c9d956fc2d35ca91f38c857278238ef6516c2f99cf7c \ - --hash=sha256:2974b17bc522ef86d98b498959d82f03c02e07d9eb08746026415298f4a4bca3 \ - --hash=sha256:2d98248f1df1e1aab67e0374ab98945dd36bc1764753d71fd8aea5f296360b76 \ - --hash=sha256:31bdb6d771d5ef6d37134b42211500bfe176c55d399f3317e569783dc42ed38e \ - --hash=sha256:3212847d3885bfd4f5fd56cdc37645a8f8e8a80d6cb569505da22fd9eb0e1a02 \ - --hash=sha256:326a96324ed9215b0bc9f1a5af324fb33900b6b0901516bcc421475d6596de0d \ - --hash=sha256:381c97d326d1ec569d318cc0ae83940ea2df125ede1000871680fefd5b7fdea9 \ - 
--hash=sha256:39bb702ca1612253b5e4b6004e0f20208c98a446606aa351f9a7ba5ceaff0eb8 \ - --hash=sha256:3a0707f381f97e1287c0dbf94d95bd6c0bbf6e4eeeaa656f0076b7883010c818 \ - --hash=sha256:400e4ca8a59f71398e8fa56c4d2d6f535e2a121ddb57284ec15752ffce2dd63a \ - --hash=sha256:422653083c6df6cec17fdb5d6106c209aad9b0c94131c53b073980403db22167 \ - --hash=sha256:511aa641a5b91d19280183b134fb6c473039d4dd82e987ac810cffba783521ac \ - --hash=sha256:5df8b6369ee5ee2685fcc917f6c46b34e599c6e9a512fada6dfd752b909fa06a \ - --hash=sha256:67f4e2fa81e1d99c01e7b1978ab0cbf3c9a8b663f683a709f87baad110d5b940 \ - --hash=sha256:68c7f753aec490c6566fd3cd301887c413ac3a588316e446f30a4134ac665668 \ - --hash=sha256:6a20f2f6e8818c1ab89dd4be6bbad3fc2ddb15287f89e7ea35f3eb849afebbd9 \ - --hash=sha256:6b953e09441e307504130755e5bd6b15850178d591f66292bba4608c4f7f9b00 \ - --hash=sha256:754f422aba8db8201a1073f25e2f732effc6471f8755708b16e6ebf19dd23634 \ - --hash=sha256:784dbd12925845a3f0757a956447e2fd31418abb5aeaebf3aca1203195f16fd1 \ - --hash=sha256:7d4c9ccd30e621e714ec24ca911ad8873567dc1ac1e5e914405ea9dd16b9d40c \ - --hash=sha256:7e12272361e9722777c83b3f5b0bb91d402531f36e80c6e5fafb6acb89e897e3 \ - --hash=sha256:8cce79ce47c37132373fbdf55b683883c262a3a60763130e080b8394c1201d32 \ - --hash=sha256:8cd6117e33233f2de6bc896eea6a5a59b58a37db08f371157264e0ec5e51c76a \ - --hash=sha256:8d472efa9c92e1b2933a22d2f1dbd5237087997136b24ac2b913bf4e8be03135 \ - --hash=sha256:91edcf9978ee401119e9c8589376ae37fd3e6e75ee365c49385cb005eaff1535 \ - --hash=sha256:9ae1d0094ce730e39e09656bc14074d9573cdd80adec1a55b06d8bf1f9613a01 \ - --hash=sha256:aa00b746138835271653b0c3da171d2a8b510c579381f71e8b8e03484d50d825 \ - --hash=sha256:aaa77af91df3f71858a1f792c74d3f2d3abf3875f93ab1a2b9a24b3797743b02 \ - --hash=sha256:b045ca5497a950cc3492840adb3bcb3b9e305ed6599ed14c6aeaa08011aa463f \ - --hash=sha256:b40a3757a563ef77c3f2f9ea1732c2924e8b3b2bda3fa89513f949472ad40b6e \ - --hash=sha256:baa76a6f707a6d22437fe9c7ec9719672fb04d4d9435a3e80ee9b1aaeb2089d9 \ - 
--hash=sha256:cec010d318a0238b1333ea9f40d5603d374cc026c29c4471e2661712c6682da1 \ - --hash=sha256:dd0d4ec694cab8a0a4d85f45f81ae0065465c4670f0db72ba48d6c4e7ae42834 \ - --hash=sha256:e2a9ddb5c6d1427056b8d62a1a172a18ae522b14d9ba5996b8281b09cba87edd \ - --hash=sha256:e844be0831042aa91e847e5ab03bddd1089ab1a8dd0a1bf90411abf864f058b2 \ - --hash=sha256:e91947fda8354ea7faf698b084ebcdbabd239e7b15d8436fb74394f59a207ac9 \ - --hash=sha256:ea7fbc540bc04d5b05e5cd54e60ee8745ac665eedf2bad2ba9d12d5c7a7b7d2e \ - --hash=sha256:ee29cf5cfc1e841708297633e1ce749aa851fb96830bbe51f2e5940741ff2441 \ - --hash=sha256:ef985eb2770900a485431910bd3f333b56d1a34b65f8c26a6ed8e8adf55f98d9 \ - --hash=sha256:f5c547d49a7e9d3f231e9323171bbbbcef63173fb007a2787cd4f05ac6269315 \ - --hash=sha256:fbea46c0fbc1c3bc8f957afd8dbb25b4ea3a356e18ee6dd79ace6cf32bd4cff7 \ - --hash=sha256:fd82932aaa224abd7d01e823b77aef9970f5ac1695027331d99e7f5fda9d37f5 -urllib3==1.26.11 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:c33ccba33c819596124764c23a97d25f32b28433ba0dedeb77d873a38722c9bc \ - --hash=sha256:ea6e8fb210b19d950fab93b60c9009226c63a28808bc8386e05301e25883ac0a -wcmatch==8.4 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:ba4fc5558f8946bf1ffc7034b05b814d825d694112499c86035e0e4d398b6a67 \ - --hash=sha256:dc7351e5a7f8bbf4c6828d51ad20c1770113f5f3fd3dfe2a03cfde2a63f03f98 -websocket-client==1.3.3 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:5d55652dc1d0b3c734f044337d929aaf83f4f9138816ec680c1aefefb4dc4877 \ - --hash=sha256:d58c5f284d6a9bf8379dab423259fe8f85b70d5fa5d2916d5791a84594b122b1 -setuptools==65.6.3 ; python_version >= "3.10" and python_version < "4" \ - --hash=sha256:57f6f22bde4e042978bcd50176fdb381d7c21a9efa4041202288d3737a0c6a54 +attrs==21.4.0 ; python_version >= "3.9" and python_version < "4" +boltons==21.0.0 ; python_version >= "3.9" and python_version < "4" +bracex==2.3.post1 ; python_version >= "3.9" and python_version < "4" +certifi==2022.9.24 
; python_version >= "3.9" and python_version < "4" +charset-normalizer==2.1.0 ; python_version >= "3.9" and python_version < "4" +click-option-group==0.5.3 ; python_version >= "3.9" and python_version < "4" +click==8.1.3 ; python_version >= "3.9" and python_version < "4" +colorama==0.4.5 ; python_version >= "3.9" and python_version < "4" +defusedxml==0.7.1 ; python_version >= "3.9" and python_version < "4" +dill==0.3.6 ; python_version >= "3.9" and python_version < "4" +docker==6.0.0b1 ; python_version >= "3.9" and python_version < "4" +exceptiongroup==1.0.4 ; python_version >= "3.9" and python_version < "3.11" +face==20.1.1 ; python_version >= "3.9" and python_version < "4" +flake8==5.0.4 ; python_version >= "3.9" and python_version < "4" +future==0.18.2 ; python_version >= "3.9" and python_version < "4" +glom==22.1.0 ; python_version >= "3.9" and python_version < "4" +idna==3.3 ; python_version >= "3.9" and python_version < "4" +iniconfig==1.1.1 ; python_version >= "3.9" and python_version < "4" +jsonschema==4.9.1 ; python_version >= "3.9" and python_version < "4" +mccabe==0.7.0 ; python_version >= "3.9" and python_version < "4" +multiprocess==0.70.14 ; python_version >= "3.9" and python_version < "4" +mypy-extensions==0.4.3 ; python_version >= "3.9" and python_version < "4" +packaging==21.3 ; python_version >= "3.9" and python_version < "4" +pathos==0.2.9 ; python_version >= "3.9" and python_version < "4" +pathspec==0.9.0 ; python_version >= "3.9" and python_version < "4" +peewee==3.15.4 ; python_version >= "3.9" and python_version < "4" +platformdirs==2.5.2 ; python_version >= "3.9" and python_version < "4" +pluggy==1.0.0 ; python_version >= "3.9" and python_version < "4" +pox==0.3.2 ; python_version >= "3.9" and python_version < "4" +ppft==1.7.6.6 ; python_version >= "3.9" and python_version < "4" +pycodestyle==2.9.1 ; python_version >= "3.9" and python_version < "4" +pyflakes==2.5.0 ; python_version >= "3.9" and python_version < "4" +pyparsing==3.0.9 ; 
python_version >= "3.9" and python_version < "4" +pyrsistent==0.19.2 ; python_version >= "3.9" and python_version < "4" +pytest==7.2.0 ; python_version >= "3.9" and python_version < "4" +python-dateutil==2.8.2 ; python_version >= "3.9" and python_version < "4" +python-dotenv==0.20.0 ; python_version >= "3.9" and python_version < "4" +python-lsp-jsonrpc==1.0.0 ; python_version >= "3.9" and python_version < "4" +python-whois==0.8.0 ; python_version >= "3.9" and python_version < "4" +pywin32==305 ; python_version >= "3.9" and python_version < "4" and sys_platform == "win32" +requests==2.28.1 ; python_version >= "3.9" and python_version < "4" +ruamel-yaml-clib==0.2.7 ; platform_python_implementation == "CPython" and python_version < "3.11" and python_version >= "3.9" +ruamel-yaml==0.17.21 ; python_version >= "3.9" and python_version < "4" +semgrep==0.112.1 ; python_version >= "3.9" and python_version < "4" +setuptools==65.6.3 ; python_version >= "3.9" and python_version < "4" +six==1.16.0 ; python_version >= "3.9" and python_version < "4" +tarsafe==0.0.4 ; python_version >= "3.9" and python_version < "4" +termcolor==2.1.1 ; python_version >= "3.9" and python_version < "4" +tomli==2.0.1 ; python_version >= "3.9" and python_version < "4" +tqdm==4.64.0 ; python_version >= "3.9" and python_version < "4" +typing-extensions==4.3.0 ; python_version >= "3.9" and python_version < "4" +ujson==5.4.0 ; python_version >= "3.9" and python_version < "4" +urllib3==1.26.11 ; python_version >= "3.9" and python_version < "4" +wcmatch==8.4 ; python_version >= "3.9" and python_version < "4" +websocket-client==1.3.3 ; python_version >= "3.9" and python_version < "4"
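Review bot: Every `--hash=sha256:` line is removed from requirements.txt in this hunk, so an install from this file no longer checks downloaded artifacts against pinned digests. That weakens supply-chain integrity in the same commit that fixes a security bug, and the commit title does not mention it. If the file is produced with `poetry export`, regenerating it without `--without-hashes` would presumably restore the digests; otherwise the reason for dropping them should be recorded. The environment markers also move from `python_version >= "3.10"` to `python_version >= "3.9"`, which matches pyproject.toml but is likewise unexplained.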
References
8
- github.com/advisories/GHSA-rp2v-v467-q9vq (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-23531 (ghsa, ADVISORY)
- github.com/DataDog/guarddog/commit/98af5c8c1e9c15fa888c900252e76116b0ec25d1 (ghsa, WEB)
- github.com/DataDog/guarddog/pull/89 (ghsa, WEB)
- github.com/DataDog/guarddog/pull/89/commits/a56aff58264cb6b7855d71b00dc10c39a5dbd306 (mitre, x_refsource_MISC)
- github.com/DataDog/guarddog/releases/tag/v0.1.5 (ghsa, x_refsource_MISC, WEB)
- github.com/DataDog/guarddog/security/advisories/GHSA-rp2v-v467-q9vq (ghsa, x_refsource_CONFIRM, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/guarddog/PYSEC-2022-42994.yaml (ghsa, WEB)