CVE-2025-24359 found in own checkov sources

[nvuillam]

Please could you perform related upgrades so trivy does not flags checkov as risky because of the related CVE ?

Thanks a lot :)

You can see the failing job here -> https://github.com/oxsecurity/megalinter/actions/runs/16549876847/job/46803169141

cc @echoix

[echoix]

See #7194, #7200, #7205, #7142, especially this one #7142 (comment), #7185

[nvuillam]

@echoix damn, that's not very reassuring indeed...

If this is not fixed when we'll want to release the next version of MegaLinter, we might have to exclude checkov from it...

[behnazh-w]

We are also receiving the following CVE reports related to Checkov dependencies:

asteval    1.0.5   GHSA-vp47-9734-prjw
asteval    1.0.5   GHSA-3wwr-3g9f-9gc7
urllib3    1.26.20 GHSA-pq67-6m6q-mj2v 

I’ve opened a separate issue to address the update for urllib3 here: #7241

[behnazh-w]

Hi @gruebel , I wanted to check if there are any plans to address these dependency CVE issues? It's really important that these are resolved. If you're open to it, I'd be happy to open a PR to help with this.

[nvuillam]

It's sad, but we'll disable checkov from MegaLinter until this is solved :(

[jbrule]

Are @tsmithv11 or @maxamel available to comment? This has been sitting awhile

[jbrule]

Location

checkov/setup.py

Line 110 in cb764cb

"asteval==1.0.5",

[lirshindalman]

Hi, we are appreciate your patience. We are working on resolving this issue. The update of the affected versions involves dropping support for Python 3.8, which has extended the timeline.
wWe will provide an update as soon as the fix is available. Thank you for your understanding.

[lirshindalman]

Hi, I’ve merged the PR that upgrades Python in Checkov to version 3.9 and updates the estval package to resolve the vulnerability. #7303