Update python deps with known CVEs

Our dependency scanner for python has identified several packages that require updates:

+ ossaudit --username meddington@gitlab.com --token [MASKED] --installed
+-------------+---------+------------------------------------------------------+
|    name     | version |                        title                         |
+=============+=========+======================================================+
| setuptools  | 62.3.2  | [sonatype-2014-0148] CWE-61: UNIX Symbolic Link      |
|             |         | (Symlink) Following                                  |
+-------------+---------+------------------------------------------------------+
| pip         | 22.1.1  | [CVE-2018-20225] CWE-20: Improper Input Validation   |
+-------------+---------+------------------------------------------------------+
| click       | 6.7     | [sonatype-2021-4906] CWE-377: Insecure Temporary     |
|             |         | File                                                 |
+-------------+---------+------------------------------------------------------+
| ruamel.yaml | 0.17.4  | [CVE-2019-20478] CWE-20: Improper Input Validation   |
+-------------+---------+------------------------------------------------------+
| dparse      | 0.5.1   | [sonatype-2022-0719] CWE-20: Improper Input          |
|             |         | Validation                                           |
+-------------+---------+------------------------------------------------------+

Investigation

  • ruamel.yaml
    • doesn't affect us, we use safe_load
    • No clean package available
  • pip
    • This cve is disputed and doesn't affect us
    • No clean package available
  • dparse
    • No details
    • No clean packages
    • Unlikely to affect us
  • click
    • Update to latest 8.0 package recommended
    • Note: 8.1 drops support for py36 used by fips image

Ignoring with ossaudit argument:

--ignore-id TEXT     Ignore a vulnerability by Sonatype ID or CVE (can be
                       specified multiple times).

Tasks

  1. Verify package versions
  2. Update package versions
  3. Verify all tests are passing
  4. Release a new container image
Edited by Michael Eddington