tpwo2 opened a new issue, #35328:
URL: https://github.com/apache/beam/issues/35328
Hi, mend.io, set up in our company, detected a CVE when scanning Python code
with apache-beam 2.65 installed:
```
##[error] Build is failed due to policy violation.
LibraryFileName                                     LibrarySHA1                               Severity  CVE            CVSS3 Score
--------------------------------------------------  ----------------------------------------  --------  -------------  -----------
protobuf-5.29.5-cp38-abi3-manylinux2014_x86_64.whl  7358b68eb02e0026d7ffb921c10064e24b459b81  high      CVE-2025-4565  7.5
```
The mentioned `protobuf==5.29.5` has a reported CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4565
I see that the newest Python SDK is not compatible with protobuf v6, which is
a problem, as we have to upgrade to `protobuf>=6.31.1` to resolve the CVE:
https://github.com/apache/beam/blob/e5e07c5100c0fdfdc6f864ee7b9fd69b04f6f51c/sdks/python/setup.py#L391-L393
Are there any plans to update to a newer protobuf version? Do you have any
timeline for that?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
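As an added example (not code from the Beam project or from mend.io), the following Python script answers the question the issue raises in a form you can run in CI: does the advisory's first fixed version fit inside a consumer's dependency pin? The installed version 5.29.5 and the fixed version 6.31.1 come from the issue above; the pin `protobuf>=4.21.1,<6` is an assumed stand-in for whatever the linked `setup.py` lines actually contain, and the version parser handles plain dotted numeric versions only (for real PEP 440 strings use the `packaging` library).

```python
# Added example (not code from the Beam project or mend.io): given an installed
# package version, the first fixed version named by an advisory, and the pins a
# consumer such as the Beam SDK places on that package, report whether the
# fix can be applied without violating the pin.
#
# Versions from the issue: installed protobuf 5.29.5, fix requires >=6.31.1.
# The pin below is an ASSUMED stand-in for whatever sdks/python/setup.py
# carries at the linked commit; check the real file before acting on it.
# The parser handles plain dotted numeric versions only; for real PEP 440
# strings (pre-releases, .devN, epochs) use the `packaging` library instead.
import re

ASSUMED_BEAM_PINS = ["protobuf>=4.21.1,<6"]  # assumption, see note above

_OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def parse_version(text):
    """'6' -> (6, 0, 0), '5.29.5' -> (5, 29, 5); right-padded with zeros so
    versions of different length compare component-wise."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def parse_requirement(req):
    """'protobuf>=4.21.1,<6' -> ('protobuf', [('>=', (4,21,1)), ('<', (6,0,0))])"""
    m = re.fullmatch(r"\s*([A-Za-z0-9][A-Za-z0-9_.-]*)\s*(.*)", req)
    if not m:
        raise ValueError(f"cannot parse requirement: {req!r}")
    name, spec = m.group(1).lower(), m.group(2)
    clauses = []
    for clause in (c.strip() for c in spec.split(",")):
        if not clause:
            continue
        cm = re.fullmatch(r"(==|!=|>=|<=|>|<)\s*([0-9][0-9.]*)", clause)
        if not cm:
            raise ValueError(f"unsupported specifier: {clause!r}")
        clauses.append((cm.group(1), parse_version(cm.group(2))))
    return name, clauses


def satisfies(version, clauses):
    """True when `version` meets every (op, bound) clause."""
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in clauses)


def triage(package, installed, first_fixed, pins):
    """Decide whether a scanner finding is actionable under the given pins.

    Returns a dict with:
      vulnerable  - installed version is below the advisory's first fixed version
      fix_allowed - the fixed version satisfies every pin on `package`
      blocked_by  - the pin strings the fixed version would violate
    """
    blocked_by = []
    for pin in pins:
        name, clauses = parse_requirement(pin)
        if name == package.lower() and not satisfies(first_fixed, clauses):
            blocked_by.append(pin)
    return {
        "vulnerable": parse_version(installed) < parse_version(first_fixed),
        "fix_allowed": not blocked_by,
        "blocked_by": blocked_by,
    }


if __name__ == "__main__":
    result = triage("protobuf", "5.29.5", "6.31.1", ASSUMED_BEAM_PINS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the assumed pin the script reports `vulnerable: True`, `fix_allowed: False` and names the pin as the blocker, which is the situation the issue describes: the scanner is right that the installed wheel is below the fixed version, but the fix cannot be applied by bumping protobuf alone until the SDK's upper bound moves. Replacing the pin with the real line from `setup.py` turns this into a check you can run before opening (or closing) such an issue.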