Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update development dependencies to mitigate Snyk-reported vulnerabilities #42

Merged
merged 2 commits into from
Nov 6, 2023
Merged

Update development dependencies to mitigate Snyk-reported vulnerabilities #42

merged 2 commits into from
Nov 6, 2023

Conversation

owenlittlejohns
Copy link
Member

Description

This PR updates the dev.txt file to mitigate a high-severity vulnerability reported by Snyk (werzeug==2.2.3 via moto==1.3.16). This required werzeug~=3.0.1, which is now installed as part of the dependency tree with the updated dependencies.

Note - the updates are only to dev.txt, which means there is no change to the services itself (and the good news is that the vulnerability wasn't in our service, but it is present in our CI/CD environment when running tests). These changes do not require a new version of the service to be created.

Second note - we should probably bump up the version of Python used in the service from 3.9.14 at some point. It would be great to get to 3.10 or, preferably, 3.11.

Jira Issue ID

N/A

Local Test Steps

  • Check the tests complete successfully.
  • Alternatively, run the scripts to run the tests (which should all pass):
./bin/build-image
./bin/build-test
./bin/run-test

PR Acceptance Checklist

  • Jira ticket acceptance criteria met.
  • Tests added/updated and passing.
  • Documentation updated (if needed).
  • version.txt and CHANGELOG.md updated (if publishing a new release).

owenlittlejohns
owenlittlejohns commented Nov 3, 2023
View reviewed changes
requirements/dev.txt
autopep8 ~= 2.0.4
coverage ~= 7.3.2
flake8 ~= 6.1.0
ipython ~= 8.17.2
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There was also a medium severity vulnerability in ipython. That should now be squashed.

There was one last medium severity vulnerability in setuptools, but when I ran things locally, the new versions of everything didn't look like they included setuptools, so that should also be squashed.

owenlittlejohns
owenlittlejohns commented Nov 3, 2023
View reviewed changes
requirements/dev.txt
pytest ~= 7.4.3
python-dotenv ~=1.0.0
safety ~= 2.3.5
werkzeug ~= 3.0.1 # Dependency of moto, pinned to mitigate vulnerability.
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When running the installation on my local machine (in a Python 3.9 environment), moto~=4.2.7 led to werkzeug==3.0.1, which mitigates the issue. However, Snyk still pulled in an older version of werkzeug when running the scan. I suspect it relates to Snyk running the scan under Python 3.7.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn't great, but I'm following along with the slack chat to see if we can resolve it differently for the future.

flamingbear
flamingbear approved these changes Nov 6, 2023
View reviewed changes
Copy link
Member

@flamingbear flamingbear left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Build and ran the tests everything looks good for now. Hopefully we can get snyk version straightenend out.

@owenlittlejohns owenlittlejohns merged commit 7c3e8e4 into main Nov 6, 2023
1 check passed
@owenlittlejohns owenlittlejohns deleted the snyk-vulnerabilities branch November 6, 2023 15:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@flamingbear flamingbear flamingbear approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@owenlittlejohns @flamingbear