Review and mark found potential SSH security issues by bandit #36162
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
boring-cyborg
bot
added
area:dev-tools
area:providers
provider:google
Bandit releaed new version (1.7.6) few days ago. We had >=1.7.5 and it started to detect new potential issue (Auto Add Hostkey) in Google and SSH providers. Both case are valid however (in the first case the key is a throw-away one and just - dynamically - created so we cannot have it stored yet. Auto-Adding makes sense in this case. In case of SSH provider, the user must deliberately choose this option and they are clearly warned that it is not secure option. We are also fixing bandit to a pinned version. The problem with >= in case of pre-commit is that the result might depend on cache of pre-commit - in main we are still using 1.7.5 as it has been cached, but new PRs use 1.7.6 because they have no access to main cache. We will have a separate pre-commit added to make sure that we are updating to latest versions of other pre-commits soon. We need to make sure we are updating those deliberately.
potiuk
force-pushed
the
mark-seurity-issues-found-as-save
branch
from
d8b5b9f to
e53ca67
Compare
pankajkoti
approved these changes
Dec 11, 2023
|
Passed static checks. Merging |
84 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Bandit releaed new version (1.7.6) few days ago. We had >=1.7.5 and it started to detect new potential issue (Auto Add Hostkey) in Google and SSH providers. Both case are valid however (in the first case the key is a throw-away one and just - dynamically - created so we cannot have it stored yet. Auto-Adding makes sense in this case. In case of SSH provider, the user must deliberately choose this option and they are clearly warned that it is not secure option.
We are also fixing bandit to a pinned version. The problem with
We will have a separate pre-commit added to make sure that we are updating to latest versions of other pre-commits soon. We need to make sure we are updating those deliberately.
^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named
{pr_number}.significant.rstor{issue_number}.significant.rst, in newsfragments.