From abc00bd0ed493f1c972a2460b8ddfc1e00ebfc72 Mon Sep 17 00:00:00 2001
From: heartsucker
Date: Mon, 25 Mar 2019 13:09:08 +0100
Subject: [PATCH 1/4] remove ignore rule on safety check
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 865ac72993..2f2e12d3ec 100644
--- a/Makefile
+++ b/Makefile
@@ -109,7 +109,7 @@ safety: ## Runs `safety check` to check python dependencies for vulnerabilities
 pip install --upgrade safety && \
 for req_file in `find . -type f -name '*requirements.txt'`; do \
 echo "Checking file $$req_file" \
- && safety check --ignore 36351 --full-report -r $$req_file \
+ && safety check --full-report -r $$req_file \
 && echo -e '\n' \
 || exit 1; \
 done
From 006343f67606f5030a9df18d122c50e43cdcc483 Mon Sep 17 00:00:00 2001
From: heartsucker
Date: Mon, 25 Mar 2019 14:29:48 +0100
Subject: [PATCH 2/4] bump version of cryptography
---
 securedrop/requirements/securedrop-app-code-requirements.in | 4 ++--
 securedrop/requirements/securedrop-app-code-requirements.txt | 5 ++---
 2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/securedrop/requirements/securedrop-app-code-requirements.in b/securedrop/requirements/securedrop-app-code-requirements.in
index c7eb5771a6..f9ec691004 100644
--- a/securedrop/requirements/securedrop-app-code-requirements.in
+++ b/securedrop/requirements/securedrop-app-code-requirements.in
@@ -1,15 +1,15 @@
 alembic
 argon2_cffi
-cryptography==2.0.3
+cryptography>2.3
 Flask-Assets
 Flask-Babel
 Flask-SQLAlchemy
 Flask-WTF
 Flask>0.12.2
-pretty-bad-protocol>=3.1.1
 Jinja2
 jsmin
 passlib
+pretty-bad-protocol>=3.1.1
 psutil
 pyotp
 qrcode
diff --git a/securedrop/requirements/securedrop-app-code-requirements.txt b/securedrop/requirements/securedrop-app-code-requirements.txt
index 81ba4dddf4..9d010f6562 100644
--- a/securedrop/requirements/securedrop-app-code-requirements.txt
+++ b/securedrop/requirements/securedrop-app-code-requirements.txt
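Review bot: `$$req_file` is still passed to `safety check` unquoted on the changed line, and the loop feeds it from an unquoted backtick `find`, so a requirements path containing whitespace is split into several arguments and the check silently runs on the wrong file names; quote it, `&& safety check --full-report -r "$$req_file" \`. Separately, the recipe starts with `pip install --upgrade safety`, which pulls whatever the newest scanner release on PyPI is at run time with no version pin or hash, so the dependency-vulnerability gate itself is unpinned and non-reproducible; pinning safety and bumping it deliberately would be the safer shape for a target that decides pass/fail for the build. The `safety:` target line is the hunk's header context, outside the hunk.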
@@ -10,15 +10,13 @@ asn1crypto==0.24.0 # via cryptography
 babel==2.5.1 # via flask-babel
 cffi==1.11.5 # via argon2-cffi, cryptography
 click==6.7 # via flask, rq
-cryptography==2.0.3
+cryptography==2.6.1
 enum34==1.1.6 # via argon2-cffi, cryptography
 flask-assets==0.12
 flask-babel==0.11.2
 flask-sqlalchemy==2.3.2
 flask-wtf==0.14.2
 flask==1.0.2
-pretty-bad-protocol==3.1.1
-idna==2.6 # via cryptography
 ipaddress==1.0.22 # via cryptography
 itsdangerous==0.24 # via flask
 jinja2==2.10
@@ -26,6 +24,7 @@ jsmin==2.2.2
 mako==1.0.7 # via alembic
 markupsafe==1.0 # via jinja2, mako
 passlib==1.7.1
+pretty-bad-protocol==3.1.1
 psutil==5.4.3
 pycparser==2.18 # via cffi
 pyotp==2.2.6
From 5a8fff4fc12a79296496647977b000ad3835f425 Mon Sep 17 00:00:00 2001
From: heartsucker
Date: Mon, 25 Mar 2019 14:32:41 +0100
Subject: [PATCH 3/4] bump setuptools version
---
 securedrop/dockerfiles/trusty/Dockerfile | 3 ++-
 securedrop/dockerfiles/xenial/Dockerfile | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/securedrop/dockerfiles/trusty/Dockerfile b/securedrop/dockerfiles/trusty/Dockerfile
index 08c10f91c3..68e218127d 100644
--- a/securedrop/dockerfiles/trusty/Dockerfile
+++ b/securedrop/dockerfiles/trusty/Dockerfile
@@ -30,7 +30,8 @@ RUN echo deb http://archive.ubuntu.com/ubuntu/ xenial main > /etc/apt/sources.li
 apt-get update
 
 COPY requirements requirements
-RUN pip install -r requirements/securedrop-app-code-requirements.txt && \
+RUN pip install -U setuptools==40.8.0 && \
+ pip install -r requirements/securedrop-app-code-requirements.txt && \
 pip install -r requirements/test-requirements.txt
 
 RUN if test $USER_NAME != root ; then useradd --no-create-home --home-dir /tmp --uid $USER_ID $USER_NAME && echo "$USER_NAME ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers ; fi
diff --git a/securedrop/dockerfiles/xenial/Dockerfile b/securedrop/dockerfiles/xenial/Dockerfile
index 56ae80a0d0..e4971ce4eb 100644
--- a/securedrop/dockerfiles/xenial/Dockerfile
+++ b/securedrop/dockerfiles/xenial/Dockerfile @@ -26,7 +26,8 @@ RUN curl -LO https://launchpad.net/~ubuntu-mozilla-security/+archive/ubuntu/ppa/ RUN gem install sass -v 3.4.23 COPY requirements requirements -RUN pip install -r requirements/securedrop-app-code-requirements.txt && \ +RUN pip install -U setuptools==40.8.0 && \ + pip install -r requirements/securedrop-app-code-requirements.txt && \ pip install -r requirements/test-requirements.txt # Fixes #4036 pybabel requires latest version of setuptools From b79fc1dff2cd01b572f9d28eaf51f2687058a8ff Mon Sep 17 00:00:00 2001 From: mickael e Date: Thu, 28 Mar 2019 13:16:27 -0400 Subject: [PATCH 4/4] Remove trusty staging target in CI Update to cryptography now means that packaging and application will no longer work under Trusty. Remove CI targets for trusty-staging and remove setuptools for Xenial container, as it shouldn't be necessary. --- .circleci/config.yml | 28 ------------------------ securedrop/dockerfiles/xenial/Dockerfile | 4 ++-- 2 files changed, 2 insertions(+), 30 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index b811d43255..4371643ccf 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -237,33 +237,6 @@ jobs: name: Run static security testing on source code command: make bandit - staging-test-with-rebase-trusty: - machine: - enabled: true - - working_directory: ~/sd - steps: - - checkout - - *rebaseontarget - - - run: - name: Run Staging tests on GCE - command: make ci-go-trusty - no_output_timeout: 20m - - - run: - name: Ensure environment torn down - # Always report true, since env should will destroyed already - # if all tests passed. - command: make ci-teardown || true - when: always - - - store_test_results: - path: ~/sd/junit - - - store_artifacts: - path: ~/sd/junit - staging-test-with-rebase: machine: enabled: true @@ -344,5 +317,4 @@ workflows: - develop jobs: - static-analysis-and-no-known-cves - - staging-test-with-rebase-trusty - trusty-app-tests 
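Review bot: `- trusty-app-tests` is left in the workflow's job list on the line right after the removed `- staging-test-with-rebase-trusty`, while the commit message states that packaging and the application no longer work under Trusty after the cryptography bump; if that job builds the Trusty container against the updated requirements it would presumably hit the same breakage the staging target was removed for. Either drop it in the same commit or record why it stays, e.g. `- trusty-app-tests  # kept: <reason>`, so the next reader does not take the omission for an oversight. The `workflows:` block begins and ends outside the hunk.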
diff --git a/securedrop/dockerfiles/xenial/Dockerfile b/securedrop/dockerfiles/xenial/Dockerfile
index e4971ce4eb..9b0291777e 100644
--- a/securedrop/dockerfiles/xenial/Dockerfile
+++ b/securedrop/dockerfiles/xenial/Dockerfile
@@ -26,8 +26,8 @@ RUN curl -LO https://launchpad.net/~ubuntu-mozilla-security/+archive/ubuntu/ppa/
 RUN gem install sass -v 3.4.23
 
 COPY requirements requirements
-RUN pip install -U setuptools==40.8.0 && \
- pip install -r requirements/securedrop-app-code-requirements.txt && \
+
+RUN pip install -r requirements/securedrop-app-code-requirements.txt && \
 pip install -r requirements/test-requirements.txt
 
 # Fixes #4036 pybabel requires latest version of setuptools