Update python deps with known CVEs
Our dependency scanner for python has identified several packages that require updates:
+ ossaudit --username meddington@gitlab.com --token [MASKED] --installed
+-------------+---------+------------------------------------------------------+
| name | version | title |
+=============+=========+======================================================+
| setuptools | 62.3.2 | [sonatype-2014-0148] CWE-61: UNIX Symbolic Link |
| | | (Symlink) Following |
+-------------+---------+------------------------------------------------------+
| pip | 22.1.1 | [CVE-2018-20225] CWE-20: Improper Input Validation |
+-------------+---------+------------------------------------------------------+
| click | 6.7 | [sonatype-2021-4906] CWE-377: Insecure Temporary |
| | | File |
+-------------+---------+------------------------------------------------------+
| ruamel.yaml | 0.17.4 | [CVE-2019-20478] CWE-20: Improper Input Validation |
+-------------+---------+------------------------------------------------------+
| dparse | 0.5.1 | [sonatype-2022-0719] CWE-20: Improper Input |
| | | Validation |
+-------------+---------+------------------------------------------------------+
Investigation
-
ruamel.yaml- doesn't affect us, we use
safe_load - No clean package available
- doesn't affect us, we use
-
pip- This cve is disputed and doesn't affect us
- No clean package available
-
dparse- No details
- No clean packages
- Unlikely to affect us
-
click- Update to latest
8.0package recommended - Note:
8.1drops support for py36 used by fips image
- Update to latest
Ignoring with ossaudit argument:
--ignore-id TEXT Ignore a vulnerability by Sonatype ID or CVE (can be
specified multiple times).
Tasks
-
Verify package versions -
Update package versions -
Verify all tests are passing -
Release a new container image
Edited by Michael Eddington