CVE-2024-11392 - AWS Scanner and Trivy Flagging Transformers 4.48.1 as Vulnerable #36041

Open
4 tasks
rajdeinno opened this issue Feb 5, 2025 · 3 comments

System Info

I have updated the transformers package to version 4.48.1, but both my AWS scanner and Trivy are still flagging this version as vulnerable. I have referred to the following GitHub thread, which discusses a similar issue, but unfortunately, I wasn't able to find a resolution:

#34840

My company places a strong emphasis on not using vulnerable package versions, and this has become a roadblock in my deployment process. I’m unable to proceed with my deployment due to these security concerns.

Could anyone provide guidance on how this issue can be resolved or suggest any alternative solutions? Your help would be greatly appreciated.

Who can help?

No response

Information

  • The official example scripts
  • My own modified scripts

Tasks

  • An officially supported task in the examples folder (such as GLUE/SQuAD, ...)
  • My own task or dataset (give details below)

Reproduction

  1. Install the transformers package version 4.48.1 by running pip install transformers==4.48.1
  2. Run the AWS scanner or Trivy on the environment where the package is installed.
  3. Both scanners flag transformers==4.48.1 as vulnerable, citing [CVE-2024-11392].

Expected behavior

The transformers==4.48.1 package should not be flagged as vulnerable by AWS scanner or Trivy. After updating to this version, there should be no security vulnerabilities detected in the package, allowing for smooth deployment without triggering any security alerts from vulnerability scanners.

@rajdeinno rajdeinno added the bug label Feb 5, 2025
@Rocketknight1 (Member)

hi @rajdeinno, I believe the issue refers to the convert_micvnets_to_pytorch.py script for MobileViT2, which is a conversion script like the ones mentioned in #34840. This script is not included in releases 4.48 or later, so the vulnerability scanners are incorrect.
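
One way to check the point made in this comment against what is actually installed, as an added example that is not code from the thread or from the transformers project: the script below takes the threshold from the comment (releases 4.48 and later no longer ship the script; that cutoff is an assumption taken from the comment, not independently verified), lists the installed distribution's files through importlib.metadata, and reports whether a conversion script with the name given above, or any script of the same convert_*_to_pytorch.py shape discussed in #34840, is present. The sample file layouts and the paths under transformers/models/mobilevit/ are constructed for the offline run, and the script name is used exactly as spelled in the comment.

```python
"""Triage a scanner hit on an installed Python distribution.

Added example, not code from the transformers project or the issue author.
Assumptions (taken from the maintainer's comment, not verified here):
  * the finding concerns a conversion script named
    convert_micvnets_to_pytorch.py that ships only in releases before 4.48;
  * scanners match on the version string alone, so the decisive evidence is
    whether that file is actually present in the installed distribution.
"""
from __future__ import annotations

import re
from importlib import metadata
from typing import Iterable

# First release that, per the comment, no longer ships the script (assumption).
FIXED_VERSION = (4, 48, 0)

# Exact script named in the thread, plus the general shape of the
# checkpoint-conversion scripts discussed in #34840.
SUSPECT_PATTERNS = [
    re.compile(r"(^|/)convert_micvnets_to_pytorch\.py$"),
    re.compile(r"(^|/)convert_\w+_to_pytorch\.py$"),
]


def parse_version(version: str) -> tuple[int, ...]:
    """Return the leading numeric release segments, padded to three parts.

    '4.48.1' -> (4, 48, 1); '4.48' -> (4, 48, 0). Pre-release suffixes such as
    '.dev0' or 'rc1' are dropped, which is enough for a threshold check but is
    not a full PEP 440 comparison.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def suspect_files(files: Iterable[str]) -> list[str]:
    """Return the installed paths that match a suspect conversion-script pattern."""
    return sorted({f for f in files if any(p.search(f) for p in SUSPECT_PATTERNS)})


def assess(version: str, files: Iterable[str]) -> dict:
    """Combine the version threshold with the file-level evidence.

    A hit is a likely false positive only when BOTH hold: the version is at or
    above the first clean release AND none of the suspect files are installed.
    A suspect file present at a 'fixed' version (e.g. a vendored copy) still
    counts as a real finding.
    """
    present = suspect_files(files)
    at_or_above = parse_version(version) >= FIXED_VERSION
    return {
        "version": version,
        "version_at_or_above_fix": at_or_above,
        "suspect_files_present": present,
        "likely_false_positive": at_or_above and not present,
    }


def assess_installed(dist: str = "transformers") -> dict | None:
    """Run the same check against the distribution actually installed, if any."""
    try:
        files = metadata.files(dist) or []
        version = metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None
    return assess(version, (str(p) for p in files))


# Constructed sample file lists in the style of a wheel's RECORD; not real
# wheel contents, and the mobilevit paths are assumed for illustration.
OLD_LAYOUT = [
    "transformers/__init__.py",
    "transformers/models/mobilevit/modeling_mobilevit.py",
    "transformers/models/mobilevit/convert_micvnets_to_pytorch.py",
]
NEW_LAYOUT = [
    "transformers/__init__.py",
    "transformers/models/mobilevit/modeling_mobilevit.py",
]

if __name__ == "__main__":
    for ver, layout in (("4.47.1", OLD_LAYOUT), ("4.48.1", NEW_LAYOUT), ("4.48.1", OLD_LAYOUT)):
        print(assess(ver, layout))
    live = assess_installed()
    print("installed transformers:", live if live else "not installed")
```

If the installed distribution reports no matching file, the output is the evidence to attach when suppressing the finding (Trivy, for instance, reads CVE identifiers to ignore from a `.trivyignore` file); if a matching file is present, the scanner is right regardless of the version string.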

@rajdeinno (Author) commented Mar 5, 2025

It's been a month, but still my scanners show the vulnerabilities. I don't know why.

@Rocketknight1 (Member)

I don't know either, unfortunately! cc @Michellehbn - do we know where the AWS vulnerability scanner / Trivy get their vulnerability databases from?
