PyPi: Scancode-Toolkit

CVE-2020-27783

Transitive

Safety vulnerability ID: 48402

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Dec 03, 2020 Updated at Jul 01, 2024

Advisory

Scancode-toolkit 21.2.9 updates its dependency 'lxml' to v4.6.2 to include a security fix.
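Because the fix is a dependency bump in a transitive package, the practical check on the consuming side is whether the lxml that actually lands in an environment is at or above 4.6.2. The following is an added example, not code from this advisory or from scancode-toolkit: it scans `pip freeze`-style output (which flattens transitive dependencies, so lxml appears even when only scancode-toolkit was declared) for an lxml pin below the fixed release, and can also query the running environment through `importlib.metadata`. The sample freeze text is constructed; the numeric-only version comparison in `parse_version` is an assumption that ignores pre-release suffixes, and a production check would use `packaging.version` instead.

```python
"""Flag an lxml pin below the release named in the advisory (4.6.2).

Added example, not code from the advisory or from scancode-toolkit.
"""
import re
from importlib import metadata

# Fixed lxml release named in the advisory for CVE-2020-27783.
FIXED_LXML = "4.6.2"
# Packages this check watches: name -> first fixed version.
WATCHED = {"lxml": FIXED_LXML}

# Matches "name==version"; the version group is absent for unpinned
# specifiers such as "lxml>=4.6", which a lockfile check should flag.
REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(?:==\s*([0-9][0-9A-Za-z.]*))?")

# Constructed sample of `pip freeze` output (not a real project). lxml shows
# up as a flattened transitive dependency.
SAMPLE_FREEZE = """\
# constructed sample, not a real project
click==7.1.2
lxml==4.5.2
six==1.15.0
"""


def parse_version(version):
    """Return a comparable tuple such as (4, 6, 2).

    Assumption: numeric release segments only. A non-numeric tail such as the
    'rc1' in '4.6.2rc1' is dropped, so pre-releases compare as their base release.
    """
    parts = []
    for segment in version.split("."):
        digits = re.match(r"\d+", segment)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def is_vulnerable(version, fixed=FIXED_LXML):
    """True when `version` is strictly below the fixed release."""
    return parse_version(version) < parse_version(fixed)


def scan_lockfile(lines):
    """Map each watched package found in freeze/requirements lines to
    (pinned version or None, status), status being 'vulnerable', 'fixed'
    or 'unpinned'. Comment lines and unwatched packages are skipped."""
    findings = {}
    for line in lines:
        if line.lstrip().startswith("#"):
            continue
        match = REQ_RE.match(line)
        if not match:
            continue
        name, version = match.group(1).lower(), match.group(2)
        if name not in WATCHED:
            continue
        if version is None:
            findings[name] = (None, "unpinned")
        elif is_vulnerable(version, WATCHED[name]):
            findings[name] = (version, "vulnerable")
        else:
            findings[name] = (version, "fixed")
    return findings


def check_installed(package="lxml"):
    """Inspect the running interpreter's environment for a watched package.
    Returns (version, status), or None when the package is not installed."""
    fixed = WATCHED[package]
    try:
        version = metadata.version(package)
    except metadata.PackageNotFoundError:
        return None
    return (version, "vulnerable" if is_vulnerable(version, fixed) else "fixed")


if __name__ == "__main__":
    for name, (version, status) in scan_lockfile(SAMPLE_FREEZE.splitlines()).items():
        print(f"{name}=={version}: {status}")
    print("installed lxml:", check_installed())
```

Run it against real `pip freeze` output by feeding `sys.stdin` lines to `scan_lockfile`; an `unpinned` result means the lockfile alone cannot prove the fixed release is in use, and `check_installed` is the authoritative answer for a deployed environment.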

Affected package

scancode-toolkit

Latest version: 32.2.1

ScanCode is a tool to scan code for license, copyright, package and their documented dependencies and other interesting facts.

Affected versions

Fixed versions

Vulnerability changelog


Security:
~~~~~~~~~

- Update vulnerable LXML to version 4.6.2 to fix
https://nvd.nist.gov/vuln/detail/CVE-2020-27783
This was detected thanks to https://github.com/nexb/vulnerablecode

Operating system support:
~~~~~~~~~~~~~~~~~~~~~~~~~

- Drop support for Python 2 #295
- Drop support for 32 bits on Windows #335
- Add support for Python 64 bits on Windows 64 bits #335
- Add support for Python 3.6, 3.7, 3.8 and 3.9 on Linux, Windows and macOS.
These are now tested on Azure.
- Add deprecation message for native Windows support #2366

License scanning:
~~~~~~~~~~~~~~~~~

- Improve license detection accuracy with over 8400 new license detection rules
added or updated
- Remove the previously deprecated --license-diag option
- Include pre-built license index in release archives to speed up start #988
- Use SPDX LicenseRef-scancode namespace for all licenses keys not in SPDX
- Replace DEJACODE_LICENSE_URL with SCANCODE_LICENSEDB_URL at
https://scancode-licensedb.aboutcode.org #2165
- Add new license flag in license detection results "is_license_intro" that
is used to indicate that a license rule is a short license introduction
statement (that typically may be reported as some unknown license)

Package scanning:
~~~~~~~~~~~~~~~~~

- Add detection of package-installed files
- Add analysis of system package installed databases for Debian, OpenWRT and
Alpine Linux packages
- Add support for Alpine Linux, Debian, OpenWRT.

Copyright scanning:
~~~~~~~~~~~~~~~~~~~

- Improve detection with minor grammar fixes

Misc.:
~~~~~~

- Adopt a new calendar date-based versioning for scancode-toolkit version numbers
- Update thirdparty dependencies and built-in plugins
- Allow installation without the extractcode and typecode native plugins. These
can now be installed optionally, or omitted for a lighter footprint if needed.
- Update configuration and bootstrap scripts to support a new PyPI-like
repository at https://thirdparty.aboutcode.org/pypi/
- Create new release scripts to populate released archives with just the
required wheels of a given OS and Python version.
- Update scancode.bat to handle % signs in the arguments #1876


Severity Details

CVSS Base Score

MEDIUM 6.1

CVSS v3 Details

MEDIUM 6.1
Attack Vector (AV)
NETWORK
Attack Complexity (AC)
LOW
Privileges Required (PR)
NONE
User Interaction (UI)
REQUIRED
Scope (S)
CHANGED
Confidentiality Impact (C)
LOW
Integrity Impact (I)
LOW
Availability Impact (A)
NONE

CVSS v2 Details

MEDIUM 4.3
Access Vector (AV)
NETWORK
Access Complexity (AC)
MEDIUM
Authentication (Au)
NONE
Confidentiality Impact (C)
NONE
Integrity Impact (I)
PARTIAL
Availability Impact (A)
NONE