I have updated the transformers package to version 4.48.1, but both my AWS scanner and Trivy are still flagging this version as vulnerable. I have referred to the following GitHub thread, which discusses a similar issue, but unfortunately, I wasn't able to find a resolution:
#34840
My company places a strong emphasis on not using vulnerable package versions, and this has become a roadblock in my deployment process. I’m unable to proceed with my deployment due to these security concerns.
Could anyone provide guidance on how this issue can be resolved or suggest any alternative solutions? Your help would be greatly appreciated.
Who can help?
No response
Information
The official example scripts
My own modified scripts
Tasks
An officially supported task in the examples folder (such as GLUE/SQuAD, ...)
My own task or dataset (give details below)
Reproduction
Install the transformers package version 4.48.1 by running pip install transformers==4.48.1
Run the AWS scanner or Trivy on the environment where the package is installed.
Both scanners flag the transformers==4.48.1 version as vulnerable, reporting it as [CVE-2024-11392].
Expected behavior
The transformers==4.48.1 package should not be flagged as vulnerable by AWS scanner or Trivy. After updating to this version, there should be no security vulnerabilities detected in the package, allowing for smooth deployment without triggering any security alerts from vulnerability scanners.
hi @rajdeinno, I believe the issue refers to the convert_micvnets_to_pytorch.py script for MobileViT2, which is a conversion script like the ones mentioned in #34840. This script is not included in releases 4.48 or later, so the vulnerability scanners are incorrect.
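A scanner finding keyed on a version string cannot tell you whether the flagged file is actually in the installed wheel. The following is an added example (not code from the transformers project or from anyone in this issue) that checks the installed distribution's RECORD for model conversion scripts; the path pattern and the sample paths are assumptions made for illustration.

```python
"""Check whether an installed distribution really ships a conversion script.

Uses importlib.metadata to list the files recorded for the installed
package, then looks for transformers/models/<model>/convert_*.py entries.
If the flagged script is absent from the wheel, the scanner is matching
on the version string alone.
"""
import re
from importlib.metadata import PackageNotFoundError, files

# Assumed layout of conversion scripts inside the package
# (transformers/models/<model>/convert_<something>.py).
CONVERSION_SCRIPT_RE = re.compile(r"^transformers/models/[^/]+/convert_[^/]*\.py$")


def _posix(path: str) -> str:
    """Normalise Windows separators so the pattern matches on any platform."""
    return path.replace("\\", "/")


def find_conversion_scripts(paths):
    """Return the sorted subset of recorded paths that are conversion scripts."""
    return sorted(p for p in paths if CONVERSION_SCRIPT_RE.match(_posix(p)))


def ships_script(paths, script_name):
    """True if any recorded path ends with the given script file name."""
    return any(_posix(p).endswith("/" + script_name) for p in paths)


def installed_file_paths(dist_name="transformers"):
    """Paths recorded for an installed distribution, or None if unavailable."""
    try:
        recorded = files(dist_name)
    except PackageNotFoundError:
        return None
    return None if recorded is None else [str(p) for p in recorded]


if __name__ == "__main__":
    recorded = installed_file_paths()
    if recorded is None:
        print("transformers is not installed or has no RECORD metadata")
    else:
        found = find_conversion_scripts(recorded)
        print(f"{len(recorded)} files recorded, {len(found)} conversion scripts:")
        for path in found:
            print("  ", path)
```

Run it in the environment the scanner inspected; an empty list for the flagged script name is the evidence to attach when disputing the finding.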