
I'm writing a program for commercial use and the company vulnerability scan gave me this.

[screenshot of the vulnerability scan result, listing pycrypto with links to NVD]

Clicking on the links leads me to here: https://nvd.nist.gov/vuln/detail/CVE-2018-15560. Now, I'm sure I've never explicitly used any of these packages; I don't even know what they do.

I ran pip show pycrypto, pip show pycryptodome inside the docker container running the program, but got this:

root@ism-core-es-deployment-dev-6d94bc549-959bt:/app# python3 -m pip show pycryptodome
WARNING: Package(s) not found: pycryptodome
root@ism-core-es-deployment-dev-6d94bc549-959bt:/app# pip show pycrypto
WARNING: Package(s) not found: pycrypto

And they're not importable in python for me to dig more information. So my question is: how do you find which library/which part of my code is running this? I only know pycrypto-2.6.1.tar.gz is the package in question.

Xuekai Du
    Shouldn't the scanner tell you where it found the files? – Klaus D. Aug 11 '20 at 06:45
  • @KlausD. I'm also trying to wrap my head around why it doesn't do that. Maybe I'm just not looking hard enough. But I think I should solve that first before digging into Python functionalities. Thank you. – Xuekai Du Aug 11 '20 at 07:04
  • See my answer to [reverse dependencies](https://stackoverflow.com/a/62353494). Might be helpful in your case. Basically, find out where your site_package directory is, then use a specialized grep search to find who is using what. How Docker affects that? Not sure. – JL Peyret Aug 12 '20 at 03:13
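
The approach from the last comment (find the site-packages directories, then search for who is using what), worked through as an added example; this is not code from the question or from any answer. It assumes Python 3.8+ (for importlib.metadata) and that the flagged package is pycrypto, whose top-level import name is Crypto. Run without arguments it demonstrates on a constructed temporary tree containing a hypothetical distribution `somelib 1.0` that vendors a copy of Crypto; run inside the container as `python find_pkg.py /app` it walks the real sys.path instead. A copy that no installed distribution's RECORD claims is one that pip did not install, which is why `pip show` cannot see it.

```python
"""Locate a scanner-flagged package (pycrypto, import name Crypto) that
`pip show` cannot see: walk the import path for copies of the package, map
each copy to the distribution whose RECORD owns it (vendored copies belong
to some other wheel), and parse source files for importers."""
import ast
import os
import re
import sys
import tempfile
from importlib import metadata
from pathlib import Path

DIST_NAME = "pycrypto"   # distribution name the scanner reported (pycrypto-2.6.1)
IMPORT_NAME = "Crypto"   # top-level package that pycrypto installs


def find_package_copies(roots, import_name=IMPORT_NAME, dist_name=DIST_NAME):
    """Return directories under `roots` that look like a copy of the package:
    a package directory named `import_name`, or a dist-info/egg-info/egg
    entry for `dist_name` (the case `pip show` would normally report)."""
    meta_re = re.compile(rf"^{re.escape(dist_name)}-.*\.(dist-info|egg-info|egg)$", re.I)
    hits = []
    for root in roots:
        if not Path(root).is_dir():
            continue
        for dirpath, dirnames, _ in os.walk(root):
            for d in list(dirnames):
                full = Path(dirpath) / d
                if d == import_name and (full / "__init__.py").exists():
                    hits.append(full)
                    dirnames.remove(d)   # do not descend into the copy itself
                elif meta_re.match(d):
                    hits.append(full)
    return hits


def owning_distribution(path, search_path=None):
    """Return 'name version' of the installed distribution whose RECORD lists
    `path` (file or directory), or None if nothing claims it, i.e. the copy
    was hand-copied or added by a Docker layer rather than installed by pip."""
    target = Path(path).resolve()
    kwargs = {"path": search_path} if search_path is not None else {}
    for dist in metadata.distributions(**kwargs):
        for f in dist.files or []:
            located = Path(f.locate()).resolve()
            if located == target or target in located.parents:
                return f"{dist.metadata['Name']} {dist.version}"
    return None


def find_importers(src_root, import_name=IMPORT_NAME):
    """Parse every .py under `src_root`; return (path, lineno) of the first
    import that references `import_name` as a dotted component, so that
    `from somelib._vendor.Crypto.Cipher import AES` is found too."""
    importers = []
    for py in sorted(Path(src_root).rglob("*.py")):
        if import_name in py.parts:      # skip the package's own internal imports
            continue
        try:
            tree = ast.parse(py.read_text(encoding="utf-8", errors="replace"))
        except SyntaxError:
            continue
        for node in ast.walk(tree):
            if isinstance(node, ast.Import):
                names = [a.name for a in node.names]
            elif isinstance(node, ast.ImportFrom) and node.module:
                names = [node.module]
            else:
                continue
            if any(import_name in n.split(".") for n in names):
                importers.append((py, node.lineno))
                break
    return importers


def build_constructed_fixture():
    """Constructed demonstration tree (not from the question): a hypothetical
    wheel 'somelib 1.0' vendoring Crypto under somelib/_vendor, plus an app
    directory with one file importing Crypto directly. Returns (site, app)."""
    root = Path(tempfile.mkdtemp())
    site_dir, app = root / "site-packages", root / "app"
    vendored = site_dir / "somelib" / "_vendor" / "Crypto"
    vendored.mkdir(parents=True)
    app.mkdir()
    (vendored / "__init__.py").write_text('__version__ = "2.6.1"\n')
    (site_dir / "somelib" / "__init__.py").write_text("")
    (site_dir / "somelib" / "backend.py").write_text(
        "from somelib._vendor.Crypto.Cipher import AES\n")
    info = site_dir / "somelib-1.0.dist-info"
    info.mkdir()
    (info / "METADATA").write_text("Metadata-Version: 2.1\nName: somelib\nVersion: 1.0\n")
    (info / "RECORD").write_text("somelib/__init__.py,,\nsomelib/backend.py,,\n"
                                 "somelib/_vendor/Crypto/__init__.py,,\n")
    (app / "main.py").write_text("import os\nimport somelib\n")
    (app / "legacy.py").write_text("from Crypto.Cipher import AES\n")
    return site_dir, app


def main(argv=None):
    argv = sys.argv[1:] if argv is None else argv
    if argv:   # real use inside the container: python find_pkg.py /app
        roots, search_path = [argv[0]] + [p for p in sys.path if p], None
    else:      # no arguments: run against the constructed tree
        site_dir, app = build_constructed_fixture()
        roots, search_path = [app, site_dir], [str(site_dir)]
    for copy in find_package_copies(roots):
        print(f"copy: {copy}  owner: {owning_distribution(copy, search_path)}")
    for root in roots:
        for path, lineno in find_importers(root):
            print(f"importer: {path}:{lineno}")


if __name__ == "__main__":
    main()
```

On the constructed tree this reports the vendored Crypto directory as owned by `somelib 1.0`, `somelib/backend.py` as the importer inside that wheel, and `app/legacy.py` as a direct importer in the application; the same three answers (where the files are, which wheel shipped them, and which of your code touches them) are what the scanner output did not give.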
