#216: Updated dependencies to fix vulnerabilities and refactorings (#217)

* #216: Updated dependencies to fix vulnerabilities
* Updated dependencies and URL for CentOS 7 docker image
* Removed test for CentOS 7
* Removed version spec for dependency requests in test/resources/test_container/full/build/deps/requirements.txt
* Updated URLs to drivers JDBC and ODBC and ExaPlus from Exasol website
* Updated file dependencies.md
* Updated tar command for extracting downloaded drivers and exaplus
* Updated path to ODBC driver
* Updated version of GitHub actions/checkout
* Update documentation
* Refactored test_run_db_test_builtin_languages.py
* Updated test-container OS to ubuntu:22.04
* Update pip in Docker TestContainer
* Use latest version of exasol-python-test-framework from pypi
* Added file error_code_config.yml
* Removed file release_config.yml
ckunki authored Jul 9, 2024
1 parent 90261c0 commit ea553e9
Showing 19 changed files with 386 additions and 488 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/check_version.yaml
Expand Up @@ -11,7 +11,7 @@ jobs:

runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: ./.github/actions/prepare_poetry_env
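Review bot: `actions/checkout@v4` is still referenced by a mutable major-version tag, so the workflow's own action dependency is not actually locked down by this update; for a commit whose purpose is dependency hygiene, consider pinning the action to its full commit SHA (with the version in a trailing comment) so that what runs in CI cannot change without a review here. The same applies to the identical `v3` to `v4` replacements in env_test.yml, main.yml, release.yml and shellcheck.yaml below.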
4 changes: 2 additions & 2 deletions .github/workflows/env_test.yml
Expand Up @@ -7,7 +7,7 @@ jobs:
prep-testbed:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- id: set-matrix
run: |
sudo apt-get install jq
Expand All @@ -23,7 +23,7 @@ jobs:
test-path: ${{fromJson(needs.prep-testbed.outputs.matrix)}}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4

- name: Run all env tests
run: ./scripts/test/ci_tests/run_ci_test.sh ${{ matrix.test-path }}
10 changes: 5 additions & 5 deletions .github/workflows/main.yml
Expand Up @@ -7,15 +7,15 @@ jobs:
test-docker-starter:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4

- name: Test ./exaslct
run: ./exaslct --help

prep-testbed:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- id: set-matrix
run: |
sudo apt-get install jq
Expand All @@ -37,7 +37,7 @@ jobs:
runs-on: ubuntu-latest
name: ${{ matrix.test-path.name }}
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4

- uses: ./.github/actions/prepare_poetry_env

Expand All @@ -55,7 +55,7 @@ jobs:
runs-on: ubuntu-latest
environment: publish
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: Build new Docker image
run: "bash scripts/build/build_docker_runner_image.sh"
- name: Docker login
Expand All @@ -64,4 +64,4 @@ jobs:
SECRET_DOCKER_USER_NAME: ${{ secrets.DOCKER_USER_NAME }}
SECRET_DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
- name: Push new Docker image
run: "bash scripts/build/push_docker_runner_image.sh main"
run: "bash scripts/build/push_docker_runner_image.sh main"
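Review bot: the removed and added `run: "bash scripts/build/push_docker_runner_image.sh main"` lines in this last hunk are textually identical, so the only change can be whitespace or the newline at end of file; that is harmless, but worth confirming it was intended rather than an editor artifact, since it makes `git blame` on that line point at a dependency-update commit.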
2 changes: 1 addition & 1 deletion .github/workflows/release.yml
Expand Up @@ -13,7 +13,7 @@ jobs:
steps:

- name: SCM Checkout
uses: actions/checkout@v3
uses: actions/checkout@v4

- name: Setup Python & Poetry Environment
uses: ./.github/actions/prepare_poetry_env
2 changes: 1 addition & 1 deletion .github/workflows/shellcheck.yaml
Expand Up @@ -7,6 +7,6 @@ jobs:
shellcheck:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: Run shellcheck
run: ./scripts/build/shellcheck.sh
2 changes: 2 additions & 0 deletions .gitignore
Expand Up @@ -140,3 +140,5 @@ dmypy.json
# Project
.build_output/

# Emacs
TAGS
1 change: 1 addition & 0 deletions doc/changes/changelog.md
@@ -1,5 +1,6 @@
# Changes

* [0.20.0](changes_0.20.0.md)
* [0.19.0](changes_0.19.0.md)
* [0.18.3](changes_0.18.3.md)
* [0.18.2](changes_0.18.2.md)
18 changes: 18 additions & 0 deletions doc/changes/changes_0.20.0.md
@@ -0,0 +1,18 @@
# Script-Languages-Container-Tool 0.20.0, released 2024-07-09

Code name: Fix vulnerabilities

## Summary

This release fixes the following vulnerabilities by updating dependencies:
* CVE-2024-35195 in dependency `requests` in versions < `2.32.0` caused by requests `Session` object not verifying requests after making first request with `verify=False`
* CVE-2024-37891 in transitive dependency via `boto3` to `urllib3` in versions < `2.2.2` caused by proxy-authorization request header not to be stripped during cross-origin redirects as no update of notebook-connector is available, yet.
* GHSA-w235-7p84-xx57 in transitive dependency via `luigi` to `tornado` in versions < `6.4.1` enabling CRLF injection in `CurlAsyncHTTPClient` headers.
* GHSA-753j-mpmx-qq6g in transitive dependency via `luigi` to `tornado` in versions < `6.4.1` due to inconsistent interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

However, the release ignores the following vulnerabilities
* GHSA-753j-mpmx-qq6g in dependency `configobj` in versions &le; `5.0.8` being ReDoS exploitable by developers using values in a server-side configuration file as SLCT is used only client side and a patched version is not available, yet.

## Security Issues

* #216: Updated dependencies to fix vulnerabilities
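Review bot: the bullet under "However, the release ignores the following vulnerabilities" reuses the advisory id GHSA-753j-mpmx-qq6g, which two bullets earlier is attributed to the `tornado` HTTP request smuggling issue; one GHSA id cannot cover both a tornado and a configobj advisory, so one of the two identifiers is a copy-paste error and should be checked against the advisory database before the release notes are published. The CVE-2024-37891 bullet also reads confusingly: it sits under the list of fixed vulnerabilities yet ends with "as no update of notebook-connector is available, yet", which reads as a reason for not fixing; suggest stating plainly that `urllib3` was bumped directly to `2.2.2` while the transitive path through notebook-connector remains as is. The `&le;` entity in the configobj bullet renders correctly in GitHub markdown but a plain `<=` would be easier to read in the source.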
110 changes: 66 additions & 44 deletions doc/dependencies.md
@@ -1,51 +1,73 @@
<!-- @formatter:off -->
# Dependencies

## Compile Dependencies

|Package| Version |
|---|---------|
|poetry| 1.1.11 |
| Package | Version |
|---------|---------|
| poetry | 1.1.11 |

## Runtime Dependencies

| Package | Version |
|---------------------------------------------------------------------------------------------------------------------------|-----------|
| Python | >=3.8 |
| certifi | 2020.12.5 |
| chardet | 4.0.0 |
| click | 7.1.2 |
| decorator | 4.4.2 |
| docker | 5.0.0 |
| docutils | 0.17.1 |
| exasol-integration-test-docker-environment @ git+https://github.com/exasol/integration-test-docker-environment.git@0.11.0 |
| gitdb | 4.0.7 |
| gitpython | 3.1.15 |
| humanfriendly | 9.1 |
| idna | 2.10 |
| importlib-metadata | 4.0.1 |
| importlib-resources | 5.1.2 |
| jinja2 | 2.11.3 |
| jsonpickle | 2.0.0 |
| lockfile | 0.12.2 |
| luigi | 3.0.3 |
| markupsafe | 1.1.1 |
| netaddr | 0.8.0 |
| networkx | 2.5.1 |
| pydot | 1.4.2 |
| pyparsing | 2.4.7 |
| pyreadline | 2.1 |
| python-daemon | 2.3.0 |
| python-dateutil | 2.8.1 |
| pywin32 | 227 |
| requests | 2.25.1 |
| simplejson | 3.17.2 |
| six | 1.15.0 |
| smmap | 4.0.0 |
| stopwatch.py | 1.0.1 |
| tenacity | 6.3.1 |
| tornado | 6.1 |
| typing-extensions | 3.7.4.3 |
| urllib3 | 1.22 |
| websocket-client | 0.58.0 |
| zipp | 3.4.1 |
| Package | Version | Description |
|--------------------------------------------|-----------------|------------------------------------------------------------------------------------------------|
| anyio | 4.4.0 | High level compatibility layer for multiple asynchronous event loop implementations |
| attrs | 23.2.0 | Classes Without Boilerplate |
| bcrypt | 4.1.3 | Modern password hashing for your software and your servers |
| certifi | 2024.7.4 | Python package for providing Mozilla's CA Bundle. |
| cffi | 1.16.0 | Foreign Function Interface for Python calling C code. |
| charset-normalizer | 3.3.2 | The Real First Universal Charset Detector. Open, modern and actively maintained alternative... |
| click | 8.1.7 | Composable command line interface toolkit |
| configobj | 5.0.8 | Config file reading, writing and validation. |
| cryptography | 42.0.8 | cryptography is a package which provides cryptographic recipes and primitives to Python dev... |
| decorator | 5.1.1 | Decorators for Humans |
| deprecated | 1.2.14 | Python @deprecated decorator to deprecate old python classes, functions or methods. |
| docker | 7.1.0 | A Python library for the Docker Engine API. |
| docutils | 0.20.1 | Docutils -- Python Documentation Utilities |
| exasol-bucketfs | 0.11.0 | BucketFS utilities for the Python programming language |
| exasol-error-reporting | 0.4.0 | Exasol Python Error Reporting |
| exasol-integration-test-docker-environment | 3.1.0 | Integration Test Docker Environment for Exasol |
| exasol-saas-api | 0.7.0 | API enabling Python applications connecting to Exasol database SaaS instances and using the... |
| fabric | 3.2.2 | High level SSH command execution |
| gitdb | 4.0.11 | Git Object Database |
| gitpython | 3.1.43 | GitPython is a Python library used to interact with Git repositories |
| h11 | 0.14.0 | A pure-Python, bring-your-own-I/O implementation of HTTP/1.1 |
| httpcore | 1.0.5 | A minimal low-level HTTP client. |
| httpx | 0.27.0 | The next generation HTTP client. |
| humanfriendly | 10.0 | Human friendly output for text interfaces using Python |
| idna | 3.7 | Internationalized Domain Names in Applications (IDNA) |
| ifaddr | 0.2.0 | Cross-platform network interface and IP address enumeration library |
| importlib-metadata | 8.0.0 | Read metadata from Python packages |
| importlib-resources | 6.4.0 | Read resources from Python packages |
| invoke | 2.2.0 | Pythonic task execution |
| jinja2 | 3.1.4 | A very fast and expressive template engine. |
| joblib | 1.4.2 | Lightweight pipelining with Python functions |
| jsonpickle | 3.2.2 | Python library for serializing arbitrary object graphs into JSON |
| lockfile | 0.12.2 | Platform-independent file locking module |
| luigi | 3.5.1 | Workflow mgmgt + task scheduling + dependency resolution. |
| markupsafe | 2.1.5 | Safely add untrusted strings to HTML/XML markup. |
| netaddr | 1.3.0 | A network address manipulation library for Python |
| networkx | 2.8.8 | Python package for creating and manipulating graphs and networks |
| paramiko | 3.4.0 | SSH2 protocol library |
| portalocker | 2.10.0 | Wraps the portalocker recipe for easy usage |
| pycparser | 2.22 | C parser in Python |
| pydot | 2.0.0 | Python interface to Graphviz's Dot |
| pynacl | 1.5.0 | Python binding to the Networking and Cryptography (NaCl) library |
| pyparsing | 3.1.2 | pyparsing module - Classes and methods to define and execute parsing grammars |
| python-daemon | 3.0.1 | Library to implement a well-behaved Unix daemon process. |
| python-dateutil | 2.9.0.post0 | Extensions to the standard Python datetime module |
| requests | 2.32.3 | Python HTTP for Humans. |
| setuptools | 70.2.0 | Easily download, build, install, upgrade, and uninstall Python packages |
| simplejson | 3.19.2 | Simple, fast, extensible JSON encoder/decoder for Python |
| six | 1.16.0 | Python 2 and 3 compatibility utilities |
| smmap | 5.0.1 | A pure Python implementation of a sliding window memory map manager |
| sniffio | 1.3.1 | Sniff out which async library your code is running under |
| stopwatch-py | 2.0.1 | A simple stopwatch for python |
| tenacity | 8.4.2 | Retry code until it succeeds |
| toml | 0.10.2 | Python Library for Tom's Obvious, Minimal Language |
| tornado | 6.4.1 | Tornado is a Python web framework and asynchronous networking library, originally developed... |
| typeguard | 4.0.0 | Run-time type checker for Python |
| types-requests | 2.32.0.20240622 | Typing stubs for requests |
| urllib3 | 2.2.2 | HTTP library with thread-safe connection pooling, file post, and more. |
| wrapt | 1.16.0 | Module for decorators, wrappers and monkey patching. |
| zipp | 3.19.2 | Backport of pathlib-compatible object wrapper for zip files |
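Review bot: the new runtime table keeps `configobj` at `5.0.8`, the version the 0.20.0 changelog lists as still affected by the accepted ReDoS advisory; consider adding a short pointer to that accepted-risk entry next to the row so readers of this file are not left to reconcile the two documents on their own. On the positive side, the versions named as fixed in the changelog (`requests` 2.32.3, `urllib3` 2.2.2, `tornado` 6.4.1) match what is recorded here, the malformed `exasol-integration-test-docker-environment @ git+...` row that was missing its column separator has been replaced by a proper `3.1.0` entry, and the `stopwatch.py` package now appears under its distribution name `stopwatch-py`.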