
fix(anonymizer): bump cryptography to >=48.0.1,<49.0.0 to resolve GHSA-537c-gmf6-5ccf#2144

Open
SharonHart with Copilot wants to merge 2 commits into main from copilot/fix-cryptography-vulnerability

Conversation

Copilot AI commented Jul 5, 2026

Contributor

The cryptography <47.0.0 upper bound forced resolution to a range entirely below the patched version for GHSA-537c-gmf6-5ccf (HIGH — vulnerable OpenSSL statically linked into wheels, fixed only in 48.0.1), making presidio-anonymizer unadoptable in environments with CVE gates.

Changes

  • presidio-anonymizer/pyproject.toml: Raise the cryptography floor to 48.0.1 and cap to <49.0.0
# Before
"cryptography (>=46.0.4,<47.0.0)"

# After
"cryptography (>=48.0.1,<49.0.0)"

The anonymizer uses only cryptography.hazmat.primitives.ciphers (AES-CBC) and cryptography.hazmat.primitives.padding (PKCS7) — stable APIs with no breaking changes in 48.x.
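The description above rests on one resolver fact: with a cap of <47.0.0, no version the installer is allowed to pick can carry a fix that first shipped in 48.0.1. The script below is an added example, not presidio's code and not part of this PR, that turns that reasoning into a check a practitioner can run against a dependency line before and after a bump: given a specifier and the first patched version from the advisory, it reports whether the admitted range is entirely vulnerable, mixed (a resolver or lockfile may still pick a vulnerable release), or entirely patched, and suggests the floor-at-fix, cap-at-next-major range this PR adopted. The function names (parse_version, parse_specifier, classify, patched_range) are my own; it implements only enough of PEP 440 for dotted numeric versions and the operators >=, >, <=, <, == (pre-releases, post-releases, ~= and != are out of scope), and it is deliberately conservative in assuming a release could exist anywhere strictly between two bounds. The before/after strings in the demo are the ones quoted in this PR.

```python
"""Check whether a dependency specifier can resolve to a version carrying an
advisory's fix.

Added example (not presidio code). Covers dotted numeric versions and the
operators >=, >, <=, <, ==; pre/post-releases, ~= and != are out of scope.
Bounds are treated conservatively: any version strictly between two bounds
is assumed to be a release that could be chosen.
"""
import re

# Clauses such as ">=46.0.4" inside "cryptography (>=46.0.4,<47.0.0)".
_CLAUSE_RE = re.compile(r"(>=|<=|==|>|<)\s*([0-9]+(?:\.[0-9]+)*)")
_UNSUPPORTED_RE = re.compile(r"~=|!=|===")


def parse_version(text):
    """'47.0.0' -> (47,), '48.0.1' -> (48, 0, 1).

    Trailing zeros are dropped so plain tuple comparison orders versions
    correctly: (47,) < (47, 0, 1) and (48, 0, 1) < (48, 1).
    """
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_specifier(spec):
    """Return (lower, upper) as (version, inclusive) pairs, or None if unbounded.

    Several clauses in the same direction collapse to the tightest one; an
    empty range (e.g. ">=48.0.1,<48.0.0") raises ValueError.
    """
    if _UNSUPPORTED_RE.search(spec):
        raise ValueError(f"unsupported operator in {spec!r}")
    lower = upper = None
    for op, ver in _CLAUSE_RE.findall(spec):
        v = parse_version(ver)
        if op in (">=", ">", "=="):
            cand = (v, op != ">")  # exclusive only for ">"
            if lower is None or cand[0] > lower[0] or (cand[0] == lower[0] and not cand[1]):
                lower = cand
        if op in ("<=", "<", "=="):
            cand = (v, op != "<")  # exclusive only for "<"
            if upper is None or cand[0] < upper[0] or (cand[0] == upper[0] and not cand[1]):
                upper = cand
    if lower and upper and (
        lower[0] > upper[0] or (lower[0] == upper[0] and not (lower[1] and upper[1]))
    ):
        raise ValueError(f"empty range: {spec!r}")
    return lower, upper


def classify(spec, fixed_in):
    """Classify a specifier against the first patched version.

    'vulnerable': every admitted version is below the fix (the PR's "before").
    'mixed'     : both sides are admitted, so the resolver or a lockfile decides.
    'patched'   : every admitted version is at or above the fix (the "after").
    """
    lower, upper = parse_specifier(spec)
    fix = parse_version(fixed_in)
    admits_vulnerable = lower is None or lower[0] < fix
    admits_patched = upper is None or upper[0] > fix or (upper[1] and upper[0] == fix)
    if admits_vulnerable and admits_patched:
        return "mixed"
    return "patched" if admits_patched else "vulnerable"


def patched_range(fixed_in):
    """Floor at the fix, cap below the next major: the shape this PR uses."""
    fix = parse_version(fixed_in)
    return f">={fixed_in},<{fix[0] + 1}.0.0"


if __name__ == "__main__":
    FIXED_IN = "48.0.1"  # first patched cryptography release named in the PR
    for label, spec in (
        ("before", "cryptography (>=46.0.4,<47.0.0)"),
        ("after", "cryptography (>=48.0.1,<49.0.0)"),
        ("floor only", "cryptography (>=46.0.4)"),
    ):
        print(f"{label:>10}: {spec:<36} -> {classify(spec, FIXED_IN)}")
    print("suggested:", patched_range(FIXED_IN))
```

Run it as a pre-merge gate over each dependency named in an advisory: only "patched" means a CVE gate cannot be tripped by whatever the resolver picks; "mixed" is where lockfiles quietly keep an old release, and "vulnerable" is the state this PR fixes.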

Copilot AI changed the title from "[WIP] Fix cryptography vulnerability in presidio-anonymizer 2.2.363" to "fix(anonymizer): bump cryptography to >=48.0.1,<49.0.0 to resolve GHSA-537c-gmf6-5ccf" Jul 5, 2026
Copilot AI requested a review from SharonHart July 5, 2026 08:01
@SharonHart SharonHart marked this pull request as ready for review July 5, 2026 08:02
Copilot AI review requested due to automatic review settings July 5, 2026 08:02

Copilot AI left a comment

Contributor


Pull request overview

Updates presidio-anonymizer’s cryptography dependency range to ensure installations can pick up the patched wheel version addressing GHSA-537c-gmf6-5ccf, improving security posture and compatibility with CVE-gated environments.

Changes:

  • Bump cryptography lower bound to >=48.0.1 (patched) and set an upper cap of <49.0.0 in presidio-anonymizer packaging metadata.

@github-actions

github-actions Bot commented Jul 5, 2026

Contributor

Coverage report (presidio-cli)

Files with coverage changes:

  • presidio-cli/presidio_cli/cli.py

This report was generated by python-coverage-comment-action

@github-actions

github-actions Bot commented Jul 5, 2026

Contributor

Coverage report (presidio-anonymizer)

Files with coverage changes:

  • presidio-anonymizer/presidio_anonymizer/anonymizer_engine.py
  • presidio-anonymizer/presidio_anonymizer/operators/custom.py

This report was generated by python-coverage-comment-action

@github-actions

github-actions Bot commented Jul 5, 2026

Contributor

Coverage report (presidio-structured)

This PR does not seem to contain any modification to coverable code.

@github-actions

github-actions Bot commented Jul 5, 2026

Contributor

Coverage report (presidio-image-redactor)

Files with coverage changes:

  • presidio-image-redactor/presidio_image_redactor/dicom_image_pii_verify_engine.py
  • presidio-image-redactor/presidio_image_redactor/document_intelligence_ocr.py
  • presidio-image-redactor/presidio_image_redactor/image_analyzer_engine.py

This report was generated by python-coverage-comment-action

@github-actions

github-actions Bot commented Jul 5, 2026

Contributor

Coverage report (presidio-analyzer)

Files with coverage changes:

  • presidio-analyzer/presidio_analyzer/analyzer_engine.py
  • presidio-analyzer/presidio_analyzer/entity_recognizer.py
  • presidio-analyzer/presidio_analyzer/input_validation/schemas.py
  • presidio-analyzer/presidio_analyzer/input_validation/yaml_recognizer_models.py
  • presidio-analyzer/presidio_analyzer/nlp_engine/__init__.py
  • presidio-analyzer/presidio_analyzer/nlp_engine/nlp_engine_provider.py
  • presidio-analyzer/presidio_analyzer/predefined_recognizers/__init__.py
  • presidio-analyzer/presidio_analyzer/predefined_recognizers/country_specific/__init__.py
  • presidio-analyzer/presidio_analyzer/predefined_recognizers/country_specific/australia/au_abn_recognizer.py
  • presidio-analyzer/presidio_analyzer/predefined_recognizers/country_specific/australia/au_acn_recognizer.py
  • presidio-analyzer/presidio_analyzer/predefined_recognizers/country_specific/australia/au_medicare_recognizer.py
  • presidio-analyzer/presidio_analyzer/predefined_recognizers/country_specific/australia/au_tfn_recognizer.py
  • presidio-analyzer/presidio_analyzer/predefined_recognizers/country_specific/finland/fi_personal_identity_code_recognizer.py
  • presidio-analyzer/presidio_analyzer/predefined_recognizers/country_specific/germany/de_bsnr_recognizer.py
  • presidio-analyzer/presidio_analyzer/predefined_recognizers/country_specific/germany/de_id_card_recognizer.py
  • presidio-analyzer/presidio_analyzer/predefined_recognizers/country_specific/germany/de_lanr_recognizer.py
  • presidio-analyzer/presidio_analyzer/predefined_recognizers/country_specific/germany/de_passport_recognizer.py
  • presidio-analyzer/presidio_analyzer/predefined_recognizers/country_specific/germany/de_social_security_recognizer.py
  • presidio-analyzer/presidio_analyzer/predefined_recognizers/country_specific/germany/de_tax_id_recognizer.py
  • presidio-analyzer/presidio_analyzer/predefined_recognizers/country_specific/germany/de_vat_id_recognizer.py
  • presidio-analyzer/presidio_analyzer/predefined_recognizers/country_specific/india/in_vehicle_registration_recognizer.py
  • presidio-analyzer/presidio_analyzer/predefined_recognizers/country_specific/poland/pl_pesel_recognizer.py
  • presidio-analyzer/presidio_analyzer/predefined_recognizers/generic/phone_recognizer.py
  • presidio-analyzer/presidio_analyzer/recognizer_registry/recognizer_registry.py
  • presidio-analyzer/presidio_analyzer/recognizer_registry/recognizers_loader_utils.py

The report is truncated to 25 files out of 69. To see the full report, please visit the workflow summary page.

This report was generated by python-coverage-comment-action


Labels: none yet. Projects: none yet. 3 participants.