Opened 4 years ago

Last modified 4 years ago

#5528 assigned enhancement

Remove pywin32 and wmi dependencies used by bug reporter on Windows

Reported by: Tom Goddard
Owned by: Tom Goddard
Priority: moderate
Milestone:
Component: Platform
Version:
Keywords:
Cc: chimerax-programmers
Blocked By:
Blocking:
Notify when closed:
Platform: all
Project: ChimeraX

Description

We've been getting github security warnings about pywin32 in ChimeraX. It is only used by wmi. The wmi module is only used by bug reporter to provide the following information in Windows bug reports.

Manufacturer: Micro-Star International Co., Ltd.
Model: GS65 Stealth Thin 8RF
OS: Microsoft Windows 10 Pro (Build 19041)
Memory: 34,195,668,992
MaxProcessMemory: 137,438,953,344
CPU: 12 Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz
OSLanguage: en-US

Most of this information can be obtained from the built-in platform module and the psutil module that ChimeraX uses on Mac and Linux. The OS and physical memory and language are the most useful and all available. Some processor info is available (platform.processor() -> 'Intel64 Family 6 Model 158 Stepping 10, GenuineIntel'). The manufacturer and model name are not available from standard python modules or psutil.

I suggest we remove pywin32 and wmi. pywin32 is 9 Mbytes compressed and 20 Mbytes uncompressed which is excessive for getting the computer model name in a bug report.

Change History (2)

comment:1 by Greg Couch, 4 years ago

I'm surprised github is complaining about a security issue with pywin32. It just wraps the Windows API. We are using an old version, 228 (the last one for Python 2!), and the current version is 302, so maybe that is what github is complaining about? I don't see the reports. If you ever need to do something Windows specific, e.g., for VR, pywin32 is a quick and supported way to go.

The manufacturer and model name are extremely useful for helping users. Particularly for laptop users, because they usually need to get their graphics driver updates from the laptop manufacturer instead of directly from AMD/Intel/NVidia. I would really hate to lose that information. With Chimera, I frequently ask users to run dxdiag and send me the output to get that information and information about the graphics setup. I don't want to need to do that additional step with ChimeraX. It would be awesome to increase the use of wmi to get a list of the installed graphics cards and their driver versions (not the OpenGL version, the driver version). Then asking for dxdiag output wouldn't be needed.

comment:2 by goddard@…, 4 years ago

Yes, GitHub says pywin32 needs version 301 or newer:

"RBVI / ChimeraX
Known security vulnerabilities detected
Dependency: pywin32
Version: < 301
Upgrade to: ~> 301
Defined in: app_requirements.txt
Vulnerabilities: CVE-2021-32559, Moderate severity"

Of course we could update that. But the issue is really that we are adding 20 Mbytes to our application in order to get the computer model name. In ChimeraX I thought I responded to all the graphics errors, so I am a bit confused about how you have relied on knowing the computer model in replying to graphics problems. The model name can be obtained by running a subprocess using the Windows command systeminfo, but I do not think this is worth the effort.
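The approach sketched across the ticket (platform and psutil for OS, memory and CPU, per the description; a `systeminfo` subprocess for manufacturer and model, per comment 2), written out as an added example. This is not ChimeraX code: the function names, the Linux DMI fallback, the choice to run systeminfo by its full path rather than through PATH or a shell, and the sample systeminfo text (constructed, with the values quoted in the ticket's report) are this example's own assumptions. MaxProcessMemory has no portable equivalent and is left out.

```python
"""Gather the ChimeraX Windows bug-report fields without pywin32 or wmi.

Added example, not ChimeraX code.  Field names (Manufacturer, Model, OS,
Memory, CPU, OSLanguage) follow the report in the ticket; function names,
the Linux DMI fallback and the sample text are assumptions of this example.
"""
import locale
import os
import platform
import subprocess
import sys

# Constructed sample of `systeminfo` output using the values quoted in the
# ticket; real output has many more lines (hotfixes, NICs, ...).
SYSTEMINFO_SAMPLE = """\
Host Name:                 GS65
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19041 N/A Build 19041
System Manufacturer:       Micro-Star International Co., Ltd.
System Model:              GS65 Stealth Thin 8RF
System Type:               x64-based PC
Total Physical Memory:     32,612 MB
System Locale:             en-us;English (United States)
"""

# systeminfo labels -> report fields.  Labels are localised on non-English
# Windows, so a miss is tolerated (field simply absent), not an error.
_SYSTEMINFO_FIELDS = {"system manufacturer": "Manufacturer",
                      "system model": "Model"}


def parse_systeminfo(text):
    """Pull Manufacturer/Model out of the `Key: Value` lines of systeminfo."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        field = _SYSTEMINFO_FIELDS.get(key.strip().lower())
        if field:
            found[field] = value.strip()
    return found


def hardware_identity():
    """Manufacturer and model via OS facilities only.

    Windows: run systeminfo.exe by its full path under %SystemRoot% (no PATH
    lookup, no shell) and decode with the console's OEM code page.
    Linux: read the DMI strings from sysfs.  Elsewhere: empty dict.
    """
    if sys.platform == "win32":
        exe = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                           "System32", "systeminfo.exe")
        try:
            proc = subprocess.run([exe], capture_output=True, timeout=60,
                                  check=True)
        except (OSError, subprocess.SubprocessError):
            return {}
        return parse_systeminfo(proc.stdout.decode("oem", errors="replace"))
    if sys.platform.startswith("linux"):
        found = {}
        for fname, field in (("sys_vendor", "Manufacturer"),
                             ("product_name", "Model")):
            try:
                with open(os.path.join("/sys/class/dmi/id", fname)) as f:
                    found[field] = f.read().strip()
            except OSError:
                pass  # no DMI (containers, some VMs): leave the field out
        return found
    return {}


def total_physical_memory():
    """Total RAM in bytes: psutil if installed, else POSIX sysconf, else None."""
    try:
        import psutil  # ChimeraX already ships psutil on Mac and Linux
        return psutil.virtual_memory().total
    except ImportError:
        pass
    try:
        return os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES")
    except (AttributeError, ValueError, OSError):
        return None  # os.sysconf missing (Windows) or names unsupported


def system_report():
    """Assemble the report fields from platform/psutil/locale plus the
    OS-specific manufacturer/model lookup."""
    uname = platform.uname()
    report = dict(hardware_identity())
    report["OS"] = f"{uname.system} {uname.release} ({uname.version})"
    report["Memory"] = total_physical_memory()
    report["CPU"] = f"{os.cpu_count()} {platform.processor() or uname.machine}"
    try:
        report["OSLanguage"] = locale.getlocale()[0] or "unknown"
    except ValueError:  # unparseable locale string
        report["OSLanguage"] = "unknown"
    return report


def format_report(report):
    """One `Field: value` line per entry; byte counts get thousands separators
    as in the ticket's sample report."""
    lines = []
    for field, value in report.items():
        if isinstance(value, int):
            value = f"{value:,}"
        lines.append(f"{field}: {value}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(system_report()))
```

Two points a reviewer would want spelled out: the subprocess is invoked as an argument list with an absolute path, so a stray `systeminfo.exe` earlier in PATH, or shell metacharacters, cannot change what runs; and since systeminfo's labels are localised, the parser treats a missing label as "field not available" rather than failing the whole bug report, which is the behaviour the wmi-free report should have on non-English Windows.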
