WhiteSource Issue with pyarrow 12.0.1 in db_dttypes 1.2.0 Transitive Dependency #250
Comments
Hi @rakesh-sanyashiv, thank you for reporting this issue! Could you tell me more about the details of this bug, such as the steps to reproduce it, and the error message or error tracing? This will help us pinpoint the issue with no ambiguity. Thank you!
Thank you for your response.
We have identified a critical issue within our Python service that utilizes the latest version of db-dttypes. During the code scan conducted with WhiteSource Mend, critical vulnerabilities were flagged for pyarrow-12.0.1. Upon further investigation, it was revealed that these vulnerabilities are associated with the pyarrow-12.0.1 version embedded in db-dttypes.
As a recommended solution, we propose upgrading the pyarrow version within db-dttypes to address and resolve these identified vulnerabilities. This proactive step will contribute to the overall security and stability of our Python service.
Your attention to this matter is greatly appreciated. If you have any further questions or require additional information, please don't hesitate to reach out.
If I understand correctly, the request here is to bump the minimum version of pyarrow for this client library to a version greater than 12.0.1. Based on initial research, it looks like 14.0.1 is the recommended version.
Change
https://github.com/googleapis/python-db-dtypes-pandas/blob/61f6030b37bc5af1defe86c885580116babca10c/setup.py#L34
to
"pyarrow>=14.0.1",
Despite implementing pyarrow version 14.0.0 in our codebase, WhiteSource continues to flag vulnerabilities associated with pyarrow 12.0.1. A thorough investigation revealed that pyarrow 12.0.1 is indirectly included through the dependency chain originating from db-dttype 1.2.0, as illustrated in the attached screenshot from the previous email.
@rakesh-sanyashiv, regrettably the screenshot didn't come through. I only have the text information.
Please verify and let me know if you have any questions!
@rakesh-sanyashiv We still could not see the screenshot. Could you send a link instead of an email attachment? Or reply using the GitHub webpage instead.
@rakesh-sanyashiv I'm also unable to reproduce the issue with a clean python 3.12 environment. Installing db-dtypes gives me pyarrow==15.0.1:
$ pip list
Package Version
--------------- -----------
db-dtypes 1.2.0
numpy 1.26.4
packaging 23.2
pandas 2.2.1
pip 24.0
pyarrow 15.0.1
python-dateutil 2.9.0.post0
pytz 2024.1
setuptools 69.1.1
six 1.16.0
tzdata 2024.1
wheel 0.42.0
Thanks for the update. We are working with WhiteSource on why they are showing the issue.
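The disagreement in this thread comes down to two different questions: does the library's declared specifier admit the flagged pyarrow version, and is the version the resolver actually installed (15.0.1 in the maintainer's pip list) in the vulnerable range? The script below, an added example that is not code from the thread or from the db-dtypes project, answers both for a requirement string; the `pyarrow>=3.0.0` lower bound is a constructed placeholder, not the library's actual pin, and `parse_version`, `satisfies` and `assess` are helper names chosen here.

```python
import operator
import re

_OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
        "!=": operator.ne, ">": operator.gt, "<": operator.lt}
_CLAUSE = re.compile(r"\s*(>=|<=|==|!=|>|<)\s*([0-9][0-9.]*)\s*$")
_SPEC = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(.*?)\s*$")


def parse_version(text):
    """'14.0.1' -> (14, 0, 1). Dotted integers only; no pre-release tags."""
    return tuple(int(part) for part in text.strip().split("."))


def satisfies(version, constraint):
    """True if `version` meets every comma-separated clause of `constraint`."""
    v = parse_version(version)
    for clause in constraint.split(","):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def assess(requirement, installed, flagged, fixed):
    """Return (declared_admits_flagged, installed_is_vulnerable).

    requirement: what the library declares, e.g. 'pyarrow>=3.0.0'
    installed:   version the resolver actually put in the environment
    flagged:     version the scanner reported as vulnerable
    fixed:       first version treated as not affected
    """
    _name, constraint = _SPEC.match(requirement).groups()
    admits = satisfies(flagged, constraint) if constraint else True
    vulnerable = parse_version(installed) < parse_version(fixed)
    return admits, vulnerable


if __name__ == "__main__":
    # Constructed scenario mirroring the thread. The '>=3.0.0' lower bound is
    # a placeholder, not db-dtypes' actual pin; 15.0.1 is the resolved version
    # from the pip list above, 12.0.1 the flagged one, 14.0.1 the recommended one.
    for req in ("pyarrow>=3.0.0", "pyarrow>=14.0.1"):
        admits, vuln = assess(req, "15.0.1", flagged="12.0.1", fixed="14.0.1")
        print(f"{req}: range admits 12.0.1={admits}; installed vulnerable={vuln}")
```

A result of `(True, False)` is the thread's situation: a range-based scanner flags the declared minimum even though the resolved environment is not affected, and raising the lower bound (the proposed `pyarrow>=14.0.1`) is what makes the finding go away.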
I will close this issue for now, as this appears to be a WhiteSource related problem. @rakesh-sanyashiv Please let us know if there's anything further we can do to help.
Encountering a WhiteSource issue related to the transitive dependency of pyarrow version 12.0.1 within the db_dttypes library version 1.2.0. Despite upgrading pyarrow as recommended, the issue persists.