
πŸ”’οΈπŸ”¨ Upgrades redis-py to mitigate Race Condition vulnerability #4141

Merged

Conversation

pcrespov
Member

@pcrespov pcrespov commented Apr 20, 2023

What do these changes do?

  • πŸ”’οΈ Fixes GHSA-24wv-mv5m-xv4h
  • πŸ”¨ Adds first blocked libraries in requirements/constraints.txt

Related issue/s

Highlights on updated libraries (only updated libraries are included)

  • #packages before: 1
  • #packages after:  1

#  name   before               after   upgrade count  packages
1  redis  4.5.1, 4.4.1, 4.4.0  4.5.4   8              agent⬆️, api-server⬆️, catalog⬆️, dask-sidecar⬆️, datcore-adapter⬆️, dynamic-sidecar⬆️, invitations⬆️, storage⬆️

Legend:

  • ⬆️ base dependency (only services because packages are floating)
  • 🧪 test dependency
  • 🔧 tool dependency

Repo-wide overview of libraries

  • #reqs files parsed: 70
# name versions-base versions-test versions-tool
1 aio-pika 8.2.4, 8.2.5, 8.3.0, 9.0.4, 9.0.5 8.2.4, 9.0.5
2 aioboto3 9.6.0, 10.4.0 9.6.0, 11.1.0
3 aiobotocore 2.3.0, 2.4.2 2.3.0, 2.5.0
4 aiocache 0.11.1, 0.12.0 0.12.0
5 aiodebug 2.3.0 2.3.0
6 aiodocker 0.19.1, 0.21.0 0.21.0
7 aiofiles 0.8.0, 22.1.0, 23.1.0 23.1.0
8 aiohttp 3.8.3, 3.8.4 3.8.3, 3.8.4
9 aiohttp-jinja2 1.5
10 aiohttp-security 0.4.0
11 aiohttp-session 2.11.0
12 aiohttp-swagger 1.0.16
13 aioitertools 0.10.0, 0.11.0 0.11.0
14 aiopg 1.4.0 1.4.0
15 aioprocessing 2.0.1
16 aioredis 2.0.1
17 aioresponses 0.7.4
18 aiormq 6.4.2, 6.6.4, 6.7.2, 6.7.3, 6.7.4 6.4.2, 6.7.4
19 aiosignal 1.2.0, 1.3.1 1.2.0, 1.3.1
20 aiosmtplib 1.1.6
21 aiozipkin 1.1.1
22 alembic 1.8.1, 1.10.3 1.8.1, 1.10.3
23 anyio 3.6.1, 3.6.2 3.6.1, 3.6.2
24 arrow 1.2.3 1.2.3
25 asgi-lifespan 2.1.0
26 asgiref 3.5.2
27 astroid 2.15.2 2.15.2
28 async-asgi-testclient 1.4.11
29 async-timeout 4.0.2 4.0.2
30 asyncpg 0.27.0
31 attrs 21.4.0, 22.2.0 21.4.0, 22.2.0
32 aws-sam-translator 1.55.0, 1.64.0
33 aws-xray-sdk 2.12.0
34 bcrypt 3.2.0
35 bidict 0.22.0
36 black 22.12.0, 23.3.0
37 blosc 1.11.1
38 bokeh 2.4.3 2.4.3
39 boto3 1.21.21, 1.24.59, 1.24.96 1.21.21, 1.24.59, 1.26.76, 1.26.114
40 boto3-stubs 1.26.114
41 botocore 1.24.21, 1.27.59, 1.27.96 1.24.21, 1.27.59, 1.29.76, 1.29.114
42 botocore-stubs 1.27.17, 1.29.78 1.29.114
43 build 0.10.0
44 bump2version 1.0.1
45 certifi 2022.12.7 2022.12.7
46 cffi 1.15.0, 1.15.1 1.15.0, 1.15.1
47 cfgv 3.3.1
48 cfn-lint 0.72.0, 0.72.6, 0.77.0
49 change-case 0.5.2
50 charset-normalizer 2.0.12, 2.1.1, 3.0.1, 3.1.0 2.0.12, 2.1.1, 3.0.1, 3.1.0
51 click 8.1.3 8.1.3 8.1.3
52 cloudpickle 2.2.1 2.2.1
53 colorama 0.4.6
54 colorlog 6.7.0 6.7.0
55 commonmark 0.9.1
56 coverage 7.2.3
57 cryptography 39.0.1, 39.0.2 39.0.1, 40.0.2
58 dask 2023.3.0, 2023.4.0 2023.3.0
59 dask-gateway 2023.1.1 2023.1.1
60 dask-gateway-server 2023.1.1 2023.1.1
61 debugpy 1.6.7
62 decorator 4.4.2
63 deepdiff 6.3.0
64 dill 0.3.6 0.3.6
65 distlib 0.3.6
66 distributed 2023.3.0, 2023.4.0 2023.3.0
67 distro 1.5.0
68 dnspython 2.1.0, 2.2.1, 2.3.0 2.3.0
69 docker 6.0.0, 6.0.1 6.0.1
70 docker-compose 1.29.1
71 dockerpty 0.4.1
72 docopt 0.6.2
73 ecdsa 0.18.0
74 email-validator 1.2.1, 1.3.0, 1.3.1, 2.0.0 2.0.0
75 et-xmlfile 1.1.0
76 exceptiongroup 1.1.1 1.1.1
77 execnet 1.9.0
78 expiringdict 1.2.1
79 faker 18.4.0
80 fakeredis 2.10.3
81 fastapi 0.85.0, 0.85.1, 0.85.2, 0.89.1, 0.90.1
82 fastapi-contrib 0.2.11
83 fastapi-pagination 0.10.0
84 filelock 3.11.0
85 flaky 3.7.0
86 flask 2.1.3, 2.2.3
87 flask-cors 3.0.10
88 frozenlist 1.3.0, 1.3.1, 1.3.3 1.3.0, 1.3.1, 1.3.3
89 fsspec 2023.3.0, 2023.4.0 2023.3.0
90 graphql-core 3.2.3
91 greenlet 2.0.2 2.0.2
92 gunicorn 20.1.0
93 h11 0.12.0, 0.14.0 0.12.0, 0.14.0
94 h2 4.1.0
95 heapdict 1.0.1 1.0.1
96 hpack 4.0.0
97 httpcore 0.15.0, 0.16.3 0.15.0, 0.16.3, 0.17.0
98 httptools 0.2.0, 0.5.0
99 httpx 0.23.0, 0.23.3 0.23.0, 0.23.3, 0.24.0
100 hyperframe 6.0.1
101 hypothesis 6.72.0
102 icdiff 2.0.6
103 identify 2.5.22
104 idna 2.10, 3.3, 3.4 2.10, 3.3, 3.4
105 importlib-metadata 6.4.1
106 iniconfig 2.0.0 2.0.0
107 inotify 0.2.10
108 isodate 0.6.1
109 isort 5.12.0 5.12.0
110 itsdangerous 1.1.0, 2.1.2 2.1.2
111 jaeger-client 4.8.0
112 jinja-app-loader 1.0.2
113 jinja2 3.1.2 3.1.2 3.1.2
114 jmespath 1.0.0, 1.0.1 1.0.0, 1.0.1
115 jschema-to-python 1.2.3
116 json2html 1.3.0
117 jsondiff 2.0.0 2.0.0
118 jsonpatch 1.32
119 jsonpickle 3.0.1
120 jsonpointer 2.3
121 jsonschema 3.2.0, 4.17.3 3.2.0, 4.17.3
122 junit-xml 1.9
123 lazy-object-proxy 1.7.1 1.9.0 1.7.1, 1.9.0
124 locket 1.0.0 1.0.0
125 lupa 1.14.1
126 lz4 4.3.2 4.3.2
127 mako 1.2.2, 1.2.4 1.2.2, 1.2.4
128 markupsafe 2.1.1, 2.1.2 2.1.1, 2.1.2 2.1.1
129 mccabe 0.7.0 0.7.0
130 minio 7.0.4
131 moto 4.0.1, 4.1.7
132 mpmath 1.3.0
133 msgpack 1.0.3, 1.0.5 1.0.5
134 multidict 6.0.2, 6.0.3, 6.0.4 6.0.2, 6.0.4
135 mypy 1.2.0
136 mypy-extensions 1.0.0 1.0.0
137 networkx 2.5.1 2.8.8, 3.1
138 nodeenv 1.7.0
139 nose 1.3.7
140 numpy 1.24.2 1.24.2
141 openapi-core 0.12.0
142 openapi-schema-validator 0.2.3 0.2.3
143 openapi-spec-validator 0.4.0 0.4.0
144 openpyxl 3.0.9
145 opentracing 2.4.0
146 ordered-set 4.1.0 4.1.0
147 orjson 3.7.2
148 packaging 21.3, 23.0, 23.1 21.3, 23.0, 23.1 21.3, 23.0, 23.1
149 pamqp 3.2.1 3.2.1
150 pandas 2.0.0
151 paramiko 2.11.0
152 parfive 1.5.1
153 partd 1.3.0, 1.4.0 1.3.0
154 passlib 1.7.4
155 pathspec 0.11.1
156 pbr 5.11.1
157 pillow 9.4.0 9.5.0
158 pint 0.19.2, 0.20.1 0.20.1
159 pip-tools 6.13.0
160 platformdirs 3.2.0 3.2.0
161 pluggy 1.0.0 1.0.0
162 pprintpp 0.4.0
163 pre-commit 3.2.2
164 prometheus-client 0.14.1
165 psutil 5.9.1, 5.9.4 5.9.4
166 psycopg2-binary 2.9.6 2.9.6
167 ptvsd 4.3.2
168 py-cpuinfo 9.0.0
169 py-partiql-parser 0.1.0
170 pyasn1 0.4.8
171 pycparser 2.20, 2.21 2.21
172 pydantic 1.9.0, 1.10.2, 1.10.7 1.10.2, 1.10.7
173 pyftpdlib 1.5.7
174 pygments 2.13.0, 2.14.0, 2.15.0
175 pyinstrument 3.4.2, 4.1.1, 4.3.0, 4.4.0 4.4.0
176 pyinstrument-cext 0.2.4
177 pyjwt 2.4.0
178 pylint 2.17.2 2.17.2
179 pynacl 1.4.0
180 pyopenssl 23.1.1
181 pyparsing 3.0.9 3.0.9 3.0.9
182 pyproject-hooks 1.0.0
183 pyrsistent 0.18.1, 0.19.2, 0.19.3 0.18.1, 0.19.2, 0.19.3
184 pytest 7.3.1 7.3.1
185 pytest-aiohttp 1.0.4
186 pytest-asyncio 0.21.0
187 pytest-benchmark 4.0.0
188 pytest-cov 4.0.0
189 pytest-docker 1.0.1
190 pytest-icdiff 0.6
191 pytest-instafail 0.5.0
192 pytest-lazy-fixture 0.6.3
193 pytest-localftpserver 1.1.4
194 pytest-mock 3.10.0
195 pytest-runner 6.0.0
196 pytest-sugar 0.9.7
197 pytest-xdist 3.2.1
198 python-dateutil 2.8.2 2.8.2
199 python-dotenv 0.20.0, 0.21.0, 1.0.0 0.21.0, 1.0.0
200 python-engineio 4.3.4
201 python-jose 3.3.0
202 python-magic 0.4.25
203 python-multipart 0.0.5
204 python-socketio 5.7.2
205 pytz 2022.1 2023.3
206 pyyaml 5.4.1, 6.0 5.4.1, 6.0 5.4.1, 6.0
207 redis 4.5.4 4.5.4
208 regex 2023.3.23
209 requests 2.27.1, 2.28.1, 2.28.2 2.27.1, 2.28.1, 2.28.2
210 responses 0.23.1
211 respx 0.20.1
212 rfc3986 1.4.0, 1.5.0 1.4.0, 1.5.0
213 rich 12.5.1, 12.6.0
214 rsa 4.9
215 s3fs 2023.3.0
216 s3transfer 0.5.2, 0.6.0 0.5.2, 0.6.0
217 sarif-om 1.0.4
218 semantic-version 2.9.0
219 setproctitle 1.2.3
220 shellingham 1.5.0.post1
221 six 1.15.0, 1.16.0 1.15.0, 1.16.0
222 sniffio 1.2.0, 1.3.0 1.2.0, 1.3.0
223 sortedcontainers 2.4.0 2.4.0
224 sqlalchemy 1.4.47 1.4.47
225 sqlalchemy2-stubs 0.0.2a33
226 sshpubkeys 3.3.1
227 starlette 0.20.4, 0.22.0, 0.23.1
228 strict-rfc3339 0.7
229 sympy 1.11.1
230 tblib 1.7.0 1.7.0
231 tenacity 8.0.1, 8.1.0, 8.2.1, 8.2.2 8.0.1, 8.2.2
232 termcolor 2.2.0
233 texttable 1.6.3
234 threadloop 1.0.2
235 thrift 0.16.0
236 tomli 2.0.1 2.0.1 2.0.1
237 tomlkit 0.11.7 0.11.7
238 toolz 0.12.0 0.12.0
239 tornado 6.1, 6.2 6.2
240 tqdm 4.64.0, 4.64.1, 4.65.0 4.65.0
241 traitlets 5.9.0 5.9.0
242 twilio 7.12.0
243 typer 0.4.1, 0.6.1, 0.7.0 0.7.0 0.7.0
244 types-aiobotocore 2.3.3, 2.4.2.post1
245 types-aiobotocore-ec2 2.4.2
246 types-aiobotocore-s3 2.3.3
247 types-aiofiles 23.1.0.1
248 types-awscrt 0.16.10 0.16.14
249 types-boto3 1.0.2
250 types-pkg-resources 0.1.3
251 types-pyyaml 6.0.12.9
252 types-s3transfer 0.6.0.post7
253 typing-extensions 4.3.0, 4.4.0, 4.5.0 4.3.0, 4.4.0, 4.5.0 4.3.0, 4.4.0, 4.5.0
254 tzdata 2023.3
255 ujson 5.5.0
256 urllib3 1.26.9, 1.26.11, 1.26.12, 1.26.14, 1.26.15 1.26.9, 1.26.11, 1.26.12, 1.26.14, 1.26.15
257 uvicorn 0.15.0, 0.17.0, 0.19.0, 0.20.0
258 uvloop 0.16.0, 0.17.0
259 virtualenv 20.21.0
260 watchdog 2.1.5 3.0.0
261 watchfiles 0.18.0, 0.18.1
262 watchgod 0.8.2
263 websocket-client 0.59.0, 1.5.1 0.59.0, 1.5.1
264 websockets 10.1, 10.2, 10.3, 10.4 11.0.1
265 werkzeug 2.1.2, 2.2.2 2.1.2, 2.2.2, 2.2.3
266 wheel 0.40.0
267 wrapt 1.14.1, 1.15.0 1.14.1, 1.15.0 1.14.1, 1.15.0
268 xmltodict 0.13.0
269 yarl 1.5.1, 1.7.2, 1.8.1, 1.8.2 1.5.1, 1.7.2, 1.8.1, 1.8.2
270 zict 2.2.0 2.2.0
271 zipp 3.15.0

@pcrespov pcrespov self-assigned this Apr 20, 2023
@pcrespov pcrespov added a:webserver issue related to the webserver service dependencies t:maintenance Some planned maintenance work labels Apr 20, 2023
@pcrespov pcrespov enabled auto-merge (squash) April 20, 2023 12:50
@pcrespov pcrespov added this to the Jelly Beans milestone Apr 20, 2023
@codecov

codecov bot commented Apr 20, 2023

Codecov Report

Merging #4141 (7ab4816) into master (82a734d) will increase coverage by 1.2%.
The diff coverage is n/a.


@@            Coverage Diff            @@
##           master   #4141      +/-   ##
=========================================
+ Coverage    85.4%   86.7%    +1.2%     
=========================================
  Files         952     265     -687     
  Lines       41350    9904   -31446     
  Branches      962       0     -962     
=========================================
- Hits        35352    8589   -26763     
+ Misses       5780    1315    -4465     
+ Partials      218       0     -218     
Flag              Coverage Δ
integrationtests  ?
unittests         86.7% <ø> (+4.3%) ⬆️

Flags with carried forward coverage won't be shown.

see 687 files with indirect coverage changes

Contributor

@GitHK GitHK left a comment

👍

@codeclimate

codeclimate bot commented Apr 20, 2023

Code Climate has analyzed commit 7ab4816 and detected 0 issues on this pull request.

View more on Code Climate.

@sonarcloud

sonarcloud bot commented Apr 20, 2023

Kudos, SonarCloud Quality Gate passed!

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information
0.0% Duplication

@pcrespov pcrespov disabled auto-merge April 20, 2023 21:46
@pcrespov pcrespov merged commit 1d49346 into ITISFoundation:master Apr 20, 2023
@pcrespov pcrespov deleted the maintenance/redis-py-vulnerable branch April 20, 2023 21:46
@matusdrobuliak66 matusdrobuliak66 mentioned this pull request May 30, 2023