Snyk reporting vulnerabilities in Apache-Beam 2.52.0


We have Snyk integrated with our Python repository to identify any vulnerabilities in any of the libraries we are using. I am trying to add the dependency apache-beam 2.52.0 (latest version) to the pyproject.toml file. However, Snyk is reporting a vulnerability during the build process in pyarrow 11.0.0, which Apache Beam uses internally. This is also causing the build to fail.

Pin pyarrow@11.0.0 to pyarrow@14.0.1 to fix
  ✗ Deserialization of Untrusted Data (new) [Critical Severity][https://security.snyk.io/vuln/SNYK-PYTHON-PYARROW-6052811] in pyarrow@11.0.0
    introduced by apache-beam@2.52.0 > pyarrow@11.0.0

I tried going back to Apache Beam 2.44.0, which uses pyarrow 9 internally, but the same vulnerability is being reported with all the versions. Is there any workaround for this? (I might not be able to disable Snyk or add any exclusions.)

1 answer

XQ Hu (best answer)

This should already be handled by https://github.com/apache/beam/issues/29392 with Beam 2.52.0 as long as pyarrow_hotfix is installed. You can ignore Snyk.
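Snyk reasons about the declared dependency tree, not about what the environment actually contains, so before ignoring the finding it is worth checking the installed pyarrow release and whether the pyarrow_hotfix package is present. The script below is an added example, not part of the question, the answer, or Beam's or Snyk's own code. It assumes the affected range published for SNYK-PYTHON-PYARROW-6052811 (CVE-2023-47248): pyarrow from 0.14.0 up to but not including 14.0.1. The distribution names it probes ("pyarrow", "pyarrow_hotfix"/"pyarrow-hotfix") and the verdict labels are this example's own choices.

```python
"""Check an environment against the pyarrow deserialization advisory
(CVE-2023-47248 / SNYK-PYTHON-PYARROW-6052811).

Added example, not code from the original question or answer and not
Beam's or Snyk's code. Assumes the advisory's affected range is
0.14.0 <= pyarrow < 14.0.1. Uses only the standard library, so it runs
offline; the range logic is a pure function that is testable without
pyarrow installed.
"""
from importlib import metadata

# Assumed affected range for the advisory: first affected release and
# first fixed release (both as MAJOR.MINOR.PATCH tuples).
FIRST_AFFECTED = (0, 14, 0)
FIRST_FIXED = (14, 0, 1)

# Candidate distribution names for the hotfix; the PyPI project is
# published with a hyphen, but metadata lookups may see either spelling.
HOTFIX_NAMES = ("pyarrow_hotfix", "pyarrow-hotfix")


def parse_version(text: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH' into an int tuple, ignoring any suffix.

    '14.0.0rc1' becomes (14, 0, 0). Pre-release tags are dropped, so a
    pre-release of 14.0.1 would be treated like the final 14.0.1; for a
    production gate, pin to final releases anyway.
    """
    parts = []
    for chunk in text.split(".")[:3]:
        digits = ""
        for ch in chunk:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits or 0))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable_pyarrow(version: str) -> bool:
    """True if this pyarrow release lies inside the assumed affected range."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def classify(pyarrow_version, hotfix_installed: bool) -> str:
    """Verdict for a (pyarrow version, hotfix present) pair.

    'absent'     - pyarrow is not installed at all
    'fixed'      - pyarrow is outside the affected range (e.g. >= 14.0.1)
    'mitigated'  - affected pyarrow, but the hotfix package is installed
    'vulnerable' - affected pyarrow and no hotfix package
    """
    if pyarrow_version is None:
        return "absent"
    if not is_vulnerable_pyarrow(pyarrow_version):
        return "fixed"
    return "mitigated" if hotfix_installed else "vulnerable"


def installed_version(*names: str):
    """Installed version of the first matching distribution name, else None."""
    for name in names:
        try:
            return metadata.version(name)
        except metadata.PackageNotFoundError:
            continue
    return None


def assess_environment() -> dict:
    """Report what is actually installed, as opposed to what the lockfile says.

    Presence of the hotfix package only shows it is installed; it does not
    prove it was imported in the process that reads untrusted Parquet/IPC.
    """
    pyarrow_version = installed_version("pyarrow")
    hotfix_version = installed_version(*HOTFIX_NAMES)
    return {
        "pyarrow": pyarrow_version,
        "pyarrow_affected": (
            pyarrow_version is not None and is_vulnerable_pyarrow(pyarrow_version)
        ),
        "pyarrow_hotfix": hotfix_version,
        "verdict": classify(pyarrow_version, hotfix_version is not None),
    }


if __name__ == "__main__":
    for key, value in assess_environment().items():
        print(f"{key}: {value}")
```

Run it inside the same virtual environment the build uses; a verdict of "mitigated" matches the situation the answer describes (affected pyarrow plus the hotfix), while "vulnerable" means the hotfix is missing and Snyk's finding should not be ignored.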