github-actions[bot] commented on PR #178:
URL: https://github.com/apache/incubator-hugegraph-ai/pull/178#issuecomment-2681823914

   <h1>Dependency Review</h1>
   The following issues were found:<ul><li>❌ 1 vulnerable package(s)</li><li>✅ 
0 package(s) with incompatible licenses</li><li>✅ 0 package(s) with invalid 
SPDX license definitions</li><li>⚠️ 2 package(s) with unknown 
licenses.</li></ul>
   See the Details below.<h2>Vulnerabilities</h2>
   <h4><em>hugegraph-llm/poetry.lock</em></h4>
   
<table><tr><th>Name</th><th>Version</th><th>Vulnerability</th><th>Severity</th></tr>
<tr><td><a href="https://github.com/BerriAI/litellm">litellm</a></td><td>1.30.7</td><td><a href="https://github.com/advisories/GHSA-46cm-pfwv-cgf8">LiteLLM has Server-Side Template Injection vulnerability in /completions endpoint</a></td><td>critical</td></tr>
<tr><td colspan="2"><td><a href="https://github.com/advisories/GHSA-gppg-gqw8-wh9g">litellm vulnerable to remote code execution based on using eval unsafely</a></td><td>critical</td></tr>
<tr><td colspan="2"><td><a href="https://github.com/advisories/GHSA-3xr8-qfvj-9p9j">Arbitrary file deletion in litellm</a></td><td>high</td></tr>
<tr><td colspan="2"><td><a href="https://github.com/advisories/GHSA-g26j-5385-hhw3">LiteLLM Server-Side Request Forgery (SSRF) vulnerability</a></td><td>high</td></tr>
<tr><td colspan="2"><td><a href="https://github.com/advisories/GHSA-h6m6-jj8v-94jj">SQL injection in litellm</a></td><td>moderate</td></tr>
<tr><td colspan="2"><td><a href="https://github.com/advisories/GHSA-qqcv-vg9f-5rr3">litellm vulnerable to improper access control in team management</a></td><td>moderate</td></tr></table>
   <h2>License Issues</h2>
   <h4><em>hugegraph-llm/pyproject.toml</em></h4>
   <table><tr><td>Package</td><td>Version</td><td>License</td><td>Issue Type</td></tr><tr><td><a href="https://github.com/BerriAI/litellm">litellm</a></td><td>~ 1.61.13</td><td>Null</td><td>Unknown License</td></tr></table>
   <h4><em>hugegraph-llm/requirements.txt</em></h4>
   <table><tr><td>Package</td><td>Version</td><td>License</td><td>Issue Type</td></tr><tr><td><a href="https://github.com/BerriAI/litellm">litellm</a></td><td>~> 1.61.13</td><td>Null</td><td>Unknown License</td></tr></table>
   <blockquote><strong>Denied Licenses</strong>: GPL-3.0, AGPL-1.0, AGPL-3.0, 
LGPL-2.0, CC-BY-3.0</blockquote>
   <h2>OpenSSF Scorecard</h2>
   
<table><tr><th>Package</th><th>Version</th><th>Score</th><th>Details</th></tr>
   <tr><td><a href="https://github.com/BerriAI/litellm"> pip/litellm </a></td><td>1.30.7</td>
         <td> Unknown</td><td>Unknown</td></tr>
   <tr><td><a href="https://github.com/python/importlib_metadata"> pip/importlib-metadata </a></td><td>8.6.1</td>
         <td>:green_circle: 
6.1</td><td><details><summary>Details</summary><table><tr><th>Check</th><th>Score</th><th>Reason</th></tr><tr><td>Dangerous-Workflow</td><td>:green_circle:
 10</td><td>no dangerous workflow patterns 
detected</td></tr><tr><td>Packaging</td><td>:warning: -1</td><td>packaging 
workflow not detected</td></tr><tr><td>Code-Review</td><td>:warning: 
1</td><td>Found 4/24 approved changesets -- score normalized to 
1</td></tr><tr><td>Binary-Artifacts</td><td>:green_circle: 8</td><td>binaries 
present in source 
code</td></tr><tr><td>Token-Permissions</td><td>:green_circle: 
10</td><td>GitHub workflow tokens follow principle of least 
privilege</td></tr><tr><td>Maintained</td><td>:green_circle: 6</td><td>5 
commit(s) and 3 issue activity found in the last 90 days -- score normalized to 
6</td></tr><tr><td>Security-Policy</td><td>:green_circle: 10</td><td>security 
policy file detected</td></tr><tr><td>Pinned-Dependencies</td><td>:warning: 
0</td><td>dependency not pinned by hash detected -- score normalized to 
0</td></tr><tr><td>CII-Best-Practices</td><td>:warning: 0</td><td>no effort to 
earn an OpenSSF best practices badge 
detected</td></tr><tr><td>Fuzzing</td><td>:green_circle: 10</td><td>project is 
fuzzed</td></tr><tr><td>Vulnerabilities</td><td>:green_circle: 10</td><td>0 
existing vulnerabilities 
detected</td></tr><tr><td>License</td><td>:green_circle: 10</td><td>license 
file detected</td></tr><tr><td>Signed-Releases</td><td>:warning: -1</td><td>no 
releases found</td></tr><tr><td>Branch-Protection</td><td>:warning: 
0</td><td>branch protection not enabled on development/release 
branches</td></tr><tr><td>SAST</td><td>:warning: 0</td><td>SAST tool is not run 
on all commits -- score normalized to 0</td></tr></table></details></td></tr>
   <tr><td><a href="https://github.com/huggingface/tokenizers"> pip/tokenizers </a></td><td>0.21.0</td>
         <td>:green_circle: 
5.1</td><td><details><summary>Details</summary><table><tr><th>Check</th><th>Score</th><th>Reason</th></tr><tr><td>Code-Review</td><td>:green_circle:
 7</td><td>Found 21/29 approved changesets -- score normalized to 
7</td></tr><tr><td>Maintained</td><td>:green_circle: 10</td><td>15 commit(s) 
and 13 issue activity found in the last 90 days -- score normalized to 
10</td></tr><tr><td>CII-Best-Practices</td><td>:warning: 0</td><td>no effort to 
earn an OpenSSF best practices badge 
detected</td></tr><tr><td>Branch-Protection</td><td>:warning: 
-1</td><td>internal error: error during branchesHandler.setup: internal error: 
githubv4.Query: Resource not accessible by 
integration</td></tr><tr><td>Security-Policy</td><td>:warning: 
0</td><td>security policy file not 
detected</td></tr><tr><td>License</td><td>:green_circle: 10</td><td>license 
file detected</td></tr><tr><td>Dangerous-Workflow</td><td>:green_circle: 
10</td><td>no dangerous workflow patterns detected</td></tr>
 <tr><td>Binary-Artifacts</td><td>:green_circle: 10</td><td>no binaries found 
in the repo</td></tr><tr><td>Packaging</td><td>:green_circle: 
10</td><td>packaging workflow 
detected</td></tr><tr><td>Token-Permissions</td><td>:warning: 
0</td><td>detected GitHub workflow tokens with excessive 
permissions</td></tr><tr><td>Fuzzing</td><td>:warning: 0</td><td>project is not 
fuzzed</td></tr><tr><td>Signed-Releases</td><td>:warning: -1</td><td>no 
releases found</td></tr><tr><td>SAST</td><td>:warning: 0</td><td>SAST tool is 
not run on all commits -- score normalized to 
0</td></tr><tr><td>Pinned-Dependencies</td><td>:warning: 0</td><td>dependency 
not pinned by hash detected -- score normalized to 
0</td></tr><tr><td>Vulnerabilities</td><td>:warning: 2</td><td>8 existing 
vulnerabilities detected</td></tr></table></details></td></tr>
   <tr><td><a href="https://github.com/jaraco/zipp"> pip/zipp </a></td><td>3.21.0</td>
         <td>:green_circle: 
5.6</td><td><details><summary>Details</summary><table><tr><th>Check</th><th>Score</th><th>Reason</th></tr><tr><td>Binary-Artifacts</td><td>:green_circle:
 10</td><td>no binaries found in the 
repo</td></tr><tr><td>Dangerous-Workflow</td><td>:green_circle: 10</td><td>no 
dangerous workflow patterns 
detected</td></tr><tr><td>Security-Policy</td><td>:green_circle: 
10</td><td>security policy file 
detected</td></tr><tr><td>Code-Review</td><td>:warning: 0</td><td>Found 1/28 
approved changesets -- score normalized to 
0</td></tr><tr><td>Maintained</td><td>:warning: 0</td><td>0 commit(s) and 0 
issue activity found in the last 90 days -- score normalized to 
0</td></tr><tr><td>Packaging</td><td>:warning: -1</td><td>packaging workflow 
not detected</td></tr><tr><td>Token-Permissions</td><td>:green_circle: 
10</td><td>GitHub workflow tokens follow principle of least 
privilege</td></tr><tr><td>Pinned-Dependencies</td><td>:warning: 
0</td><td>dependency not pinned by hash detected -- score normalized to 
0</td></tr><tr><td>CII-Best-Practices</td><td>:warning: 0</td><td>no effort to 
earn an OpenSSF best practices badge 
detected</td></tr><tr><td>Fuzzing</td><td>:green_circle: 10</td><td>project is 
fuzzed</td></tr><tr><td>Vulnerabilities</td><td>:green_circle: 10</td><td>0 
existing vulnerabilities 
detected</td></tr><tr><td>License</td><td>:green_circle: 10</td><td>license 
file detected</td></tr><tr><td>Signed-Releases</td><td>:warning: -1</td><td>no 
releases found</td></tr><tr><td>Branch-Protection</td><td>:warning: 
0</td><td>branch protection not enabled on development/release 
branches</td></tr><tr><td>SAST</td><td>:warning: 0</td><td>SAST tool is not run 
on all commits -- score normalized to 0</td></tr></table></details></td></tr>
   <tr><td><a href="https://github.com/BerriAI/litellm"> pip/litellm </a></td><td>~ 1.61.13</td>
         <td> Unknown</td><td>Unknown</td></tr>
   <tr><td><a href="https://github.com/openai/openai-python"> pip/openai </a></td><td>~ 1.61.0</td>
         <td>:green_circle: 
6.2</td><td><details><summary>Details</summary><table><tr><th>Check</th><th>Score</th><th>Reason</th></tr><tr><td>Security-Policy</td><td>:green_circle:
 10</td><td>security policy file 
detected</td></tr><tr><td>Maintained</td><td>:green_circle: 10</td><td>30 
commit(s) and 23 issue activity found in the last 90 days -- score normalized 
to 10</td></tr><tr><td>Dangerous-Workflow</td><td>:green_circle: 10</td><td>no 
dangerous workflow patterns 
detected</td></tr><tr><td>Packaging</td><td>:warning: -1</td><td>packaging 
workflow not detected</td></tr><tr><td>Code-Review</td><td>:warning: 
-1</td><td>Found no human activity in the last 8 
changesets</td></tr><tr><td>Token-Permissions</td><td>:warning: 
0</td><td>detected GitHub workflow tokens with excessive 
permissions</td></tr><tr><td>CII-Best-Practices</td><td>:warning: 0</td><td>no 
effort to earn an OpenSSF best practices badge 
detected</td></tr><tr><td>Binary-Artifacts</td><td>:green_circle: 10</td><td>no 
binaries found in the repo</td></tr><tr><td>Vulnerabilities</td><td>:green_circle: 
10</td><td>0 existing vulnerabilities 
detected</td></tr><tr><td>License</td><td>:green_circle: 10</td><td>license 
file detected</td></tr><tr><td>Pinned-Dependencies</td><td>:warning: 
0</td><td>dependency not pinned by hash detected -- score normalized to 
0</td></tr><tr><td>Fuzzing</td><td>:warning: 0</td><td>project is not 
fuzzed</td></tr><tr><td>Signed-Releases</td><td>:warning: -1</td><td>no 
releases found</td></tr><tr><td>Branch-Protection</td><td>:warning: 
-1</td><td>internal error: error during branchesHandler.setup: internal error: 
githubv4.Query: Resource not accessible by 
integration</td></tr><tr><td>SAST</td><td>:warning: 0</td><td>SAST tool is not 
run on all commits -- score normalized to 
0</td></tr></table></details></td></tr>
   <tr><td><a href="https://github.com/BerriAI/litellm"> pip/litellm </a></td><td>~> 1.61.13</td>
         <td> Unknown</td><td>Unknown</td></tr>
   <tr><td><a href="https://github.com/openai/openai-python"> pip/openai </a></td><td>~> 1.61.0</td>
         <td>:green_circle: 
6.2</td><td><details><summary>Details</summary><table><tr><th>Check</th><th>Score</th><th>Reason</th></tr><tr><td>Security-Policy</td><td>:green_circle:
 10</td><td>security policy file 
detected</td></tr><tr><td>Maintained</td><td>:green_circle: 10</td><td>30 
commit(s) and 23 issue activity found in the last 90 days -- score normalized 
to 10</td></tr><tr><td>Dangerous-Workflow</td><td>:green_circle: 10</td><td>no 
dangerous workflow patterns 
detected</td></tr><tr><td>Packaging</td><td>:warning: -1</td><td>packaging 
workflow not detected</td></tr><tr><td>Code-Review</td><td>:warning: 
-1</td><td>Found no human activity in the last 8 
changesets</td></tr><tr><td>Token-Permissions</td><td>:warning: 
0</td><td>detected GitHub workflow tokens with excessive 
permissions</td></tr><tr><td>CII-Best-Practices</td><td>:warning: 0</td><td>no 
effort to earn an OpenSSF best practices badge 
detected</td></tr><tr><td>Binary-Artifacts</td><td>:green_circle: 10</td><td>no 
binaries found in the repo</td></tr><tr><td>Vulnerabilities</td><td>:green_circle: 
10</td><td>0 existing vulnerabilities 
detected</td></tr><tr><td>License</td><td>:green_circle: 10</td><td>license 
file detected</td></tr><tr><td>Pinned-Dependencies</td><td>:warning: 
0</td><td>dependency not pinned by hash detected -- score normalized to 
0</td></tr><tr><td>Fuzzing</td><td>:warning: 0</td><td>project is not 
fuzzed</td></tr><tr><td>Signed-Releases</td><td>:warning: -1</td><td>no 
releases found</td></tr><tr><td>Branch-Protection</td><td>:warning: 
-1</td><td>internal error: error during branchesHandler.setup: internal error: 
githubv4.Query: Resource not accessible by 
integration</td></tr><tr><td>SAST</td><td>:warning: 0</td><td>SAST tool is not 
run on all commits -- score normalized to 
0</td></tr></table></details></td></tr>
   </table><h2>Scanned Files</h2>
   
<ul><li>hugegraph-llm/poetry.lock</li><li>hugegraph-llm/pyproject.toml</li><li>hugegraph-llm/requirements.txt</li></ul>
   
   
   <!-- dependency-review-pr-comment-marker -->


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
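The report above flags six litellm advisories against the version resolved in hugegraph-llm/poetry.lock (1.30.7) while both manifests declare ~1.61.13: the lock file, not the manifest, is what gets installed and scanned, so a stale lock silently re-introduces fixed issues. The script below is an added example (not code from the hugegraph-ai project or from the dependency-review action) that detects this kind of lock drift. It works on constructed pyproject.toml and poetry.lock fragments embedded inline, understands only Poetry's caret (^) and tilde (~) constraints, and treats the `tool.poetry.dependencies` section name and the `[[package]]` layout as assumptions about the file formats.

```python
import re

# Constructed sample inputs modelled on the mismatch in the review above:
# the manifest asks for litellm ~1.61.13 but the lock still resolves 1.30.7.
# These are illustrative fragments, not the project's actual files.
PYPROJECT_TOML = """\
[tool.poetry.dependencies]
python = "^3.10"
litellm = "~1.61.13"
openai = "~1.61.0"
tokenizers = "^0.21.0"

[tool.poetry.group.dev.dependencies]
pytest = "^8.0"
"""

POETRY_LOCK = """\
[[package]]
name = "litellm"
version = "1.30.7"
description = "Library to easily interface with LLM API providers"

[[package]]
name = "openai"
version = "1.61.1"
description = "The official Python library for the openai API"

[[package]]
name = "tokenizers"
version = "0.21.0"
description = ""
"""


def parse_version(text):
    """Turn '1.61.13' into (1, 61, 13); a non-numeric component ends the tuple."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def constraint_bounds(spec):
    """Translate a Poetry caret/tilde constraint into (inclusive lower, exclusive upper).
    '~1.61.13' -> ((1, 61, 13), (1, 62, 0)); '^3.10' -> ((3, 10), (4, 0)).
    Any other operator is not handled and yields None."""
    spec = spec.strip()
    if spec.startswith("^"):
        base = parse_version(spec[1:])
        # caret: bump the leftmost non-zero component, zero everything after it
        idx = next((i for i, c in enumerate(base) if c != 0), len(base) - 1)
        upper = list(base[: idx + 1]) + [0] * (len(base) - idx - 1)
        upper[idx] += 1
        return base, tuple(upper)
    if spec.startswith("~"):
        base = parse_version(spec[1:])
        # tilde: bump the second component (or the first if only one is given)
        if len(base) == 1:
            return base, (base[0] + 1,)
        return base, (base[0], base[1] + 1) + (0,) * (len(base) - 2)
    return None


def parse_lock(lock_text):
    """Map package name -> resolved version from poetry.lock [[package]] blocks."""
    locked = {}
    for block in re.split(r"^\[\[package\]\]\s*$", lock_text, flags=re.M):
        name = re.search(r'^name = "([^"]+)"', block, re.M)
        version = re.search(r'^version = "([^"]+)"', block, re.M)
        if name and version:
            locked[name.group(1).lower()] = version.group(1)
    return locked


def parse_declared(pyproject_text):
    """Map package name -> constraint from the [tool.poetry.dependencies] table only."""
    declared = {}
    in_section = False
    for line in pyproject_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_section = stripped == "[tool.poetry.dependencies]"
            continue
        if not in_section or not stripped or stripped.startswith("#"):
            continue
        m = re.match(r'([A-Za-z0-9_.-]+)\s*=\s*"([^"]+)"', stripped)
        if m and m.group(1).lower() != "python":
            declared[m.group(1).lower()] = m.group(2)
    return declared


def find_lock_drift(pyproject_text, lock_text):
    """Return {name: (constraint, locked_version, status)} for each declared
    dependency; status is 'ok', 'drift', 'missing' or 'unhandled'."""
    declared = parse_declared(pyproject_text)
    locked = parse_lock(lock_text)
    report = {}
    for name, spec in declared.items():
        locked_version = locked.get(name)
        if locked_version is None:
            report[name] = (spec, None, "missing")
            continue
        bounds = constraint_bounds(spec)
        if bounds is None:
            report[name] = (spec, locked_version, "unhandled")
            continue
        lower, upper = bounds
        v = parse_version(locked_version)
        report[name] = (spec, locked_version, "ok" if lower <= v < upper else "drift")
    return report


if __name__ == "__main__":
    for name, (spec, locked_version, status) in find_lock_drift(PYPROJECT_TOML, POETRY_LOCK).items():
        print(f"{name:12s} declared {spec:10s} locked {locked_version!s:8s} {status}")
```

Run against the real files in CI and fail the job on any `drift` or `missing` entry; regenerating the lock is the fix, and the dependency review will then evaluate the version the manifests actually ask for rather than the stale one.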

