kubeflow-pipelines-visualization-server: Advisories

Signed-off-by: Philippe Deslauriers <[email protected]>
sergio-chainguard · Feb 21, 2024 · b71d384 · b71d384
1 parent f179644
commit b71d384
Showing 1 changed file with 44 additions and 0 deletions.
diff --git a/kubeflow-pipelines-visualization-server.advisories.yaml b/kubeflow-pipelines-visualization-server.advisories.yaml
@@ -20,6 +20,10 @@ advisories:
             componentType: python
             componentLocation: /usr/lib/python3.10/site-packages/nbconvert-5.5.0.dist-info/METADATA, /usr/lib/python3.10/site-packages/nbconvert-5.5.0.dist-info/RECORD, /usr/lib/python3.10/site-packages/nbconvert-5.5.0.dist-info/top_level.txt
             scanner: grype
+      - timestamp: 2024-02-21T00:49:08Z
+        type: pending-upstream-fix
+        data:
+          note: Version 5.5.0 is a hard transitive dependency, and cannot be upgraded.
 
   - id: CVE-2022-21699
     aliases:
@@ -37,6 +41,10 @@ advisories:
             componentType: python
             componentLocation: /usr/lib/python3.10/site-packages/ipython-7.12.0.dist-info/METADATA, /usr/lib/python3.10/site-packages/ipython-7.12.0.dist-info/RECORD, /usr/lib/python3.10/site-packages/ipython-7.12.0.dist-info/top_level.txt
             scanner: grype
+      - timestamp: 2024-02-21T00:38:51Z
+        type: pending-upstream-fix
+        data:
+          note: 'Bumping the dependency to 7.16.3+ is not possible, the application fails with the error: ImportError: cannot import name ''soft_unicode'' from ''markupsafe'''
 
   - id: CVE-2022-29241
     aliases:
@@ -54,6 +62,10 @@ advisories:
             componentType: python
             componentLocation: /usr/lib/python3.10/site-packages/jupyter_server-1.15.6.dist-info/METADATA, /usr/lib/python3.10/site-packages/jupyter_server-1.15.6.dist-info/RECORD, /usr/lib/python3.10/site-packages/jupyter_server-1.15.6.dist-info/top_level.txt
             scanner: grype
+      - timestamp: 2024-02-21T00:42:57Z
+        type: pending-upstream-fix
+        data:
+          note: 'Bumping the dependency to 7.16.3+ is not possible, the application fails with the error: ImportError: cannot import name ''soft_unicode'' from ''markupsafe'''
 
   - id: CVE-2023-23934
     aliases:
@@ -71,6 +83,10 @@ advisories:
             componentType: python
             componentLocation: /usr/lib/python3.10/site-packages/Werkzeug-2.1.2.dist-info/METADATA, /usr/lib/python3.10/site-packages/Werkzeug-2.1.2.dist-info/RECORD, /usr/lib/python3.10/site-packages/Werkzeug-2.1.2.dist-info/top_level.txt
             scanner: grype
+      - timestamp: 2024-02-21T00:36:13Z
+        type: pending-upstream-fix
+        data:
+          note: 'Bumping the dependency to 2.2.3 is not possible, the application fails with the error: ImportError: cannot import name ''soft_unicode'' from ''markupsafe'''
 
   - id: CVE-2023-24816
     aliases:
@@ -88,6 +104,10 @@ advisories:
             componentType: python
             componentLocation: /usr/lib/python3.10/site-packages/ipython-7.12.0.dist-info/METADATA, /usr/lib/python3.10/site-packages/ipython-7.12.0.dist-info/RECORD, /usr/lib/python3.10/site-packages/ipython-7.12.0.dist-info/top_level.txt
             scanner: grype
+      - timestamp: 2024-02-21T00:38:03Z
+        type: pending-upstream-fix
+        data:
+          note: 'Bumping the dependency to 7.16.3+ is not possible, the application fails with the error: ImportError: cannot import name ''soft_unicode'' from ''markupsafe'''
 
   - id: CVE-2023-25577
     aliases:
@@ -105,6 +125,10 @@ advisories:
             componentType: python
             componentLocation: /usr/lib/python3.10/site-packages/Werkzeug-2.1.2.dist-info/METADATA, /usr/lib/python3.10/site-packages/Werkzeug-2.1.2.dist-info/RECORD, /usr/lib/python3.10/site-packages/Werkzeug-2.1.2.dist-info/top_level.txt
             scanner: grype
+      - timestamp: 2024-02-21T00:36:31Z
+        type: pending-upstream-fix
+        data:
+          note: 'Bumping the dependency to 2.2.3 is not possible, the application fails with the error: ImportError: cannot import name ''soft_unicode'' from ''markupsafe'''
 
   - id: CVE-2023-39968
     aliases:
@@ -122,6 +146,10 @@ advisories:
             componentType: python
             componentLocation: /usr/lib/python3.10/site-packages/jupyter_server-1.15.6.dist-info/METADATA, /usr/lib/python3.10/site-packages/jupyter_server-1.15.6.dist-info/RECORD, /usr/lib/python3.10/site-packages/jupyter_server-1.15.6.dist-info/top_level.txt
             scanner: grype
+      - timestamp: 2024-02-21T00:43:25Z
+        type: pending-upstream-fix
+        data:
+          note: 'Bumping the dependency to 2.7.2 is not possible, the application fails with the error: tensorflow-model-analysis 0.45.0 requires attrs<22,>=19.3.0, but you have attrs 23.2.0 which is incompatible.'
 
   - id: CVE-2023-40170
     aliases:
@@ -139,6 +167,10 @@ advisories:
             componentType: python
             componentLocation: /usr/lib/python3.10/site-packages/jupyter_server-1.15.6.dist-info/METADATA, /usr/lib/python3.10/site-packages/jupyter_server-1.15.6.dist-info/RECORD, /usr/lib/python3.10/site-packages/jupyter_server-1.15.6.dist-info/top_level.txt
             scanner: grype
+      - timestamp: 2024-02-21T00:40:47Z
+        type: pending-upstream-fix
+        data:
+          note: 'Bumping the dependency to 2.7.2 is not possible, the application fails with the error: tensorflow-model-analysis 0.45.0 requires attrs<22,>=19.3.0, but you have attrs 23.2.0 which is incompatible.'
 
   - id: CVE-2023-46136
     aliases:
@@ -156,6 +188,10 @@ advisories:
             componentType: python
             componentLocation: /usr/lib/python3.10/site-packages/Werkzeug-2.1.2.dist-info/METADATA, /usr/lib/python3.10/site-packages/Werkzeug-2.1.2.dist-info/RECORD, /usr/lib/python3.10/site-packages/Werkzeug-2.1.2.dist-info/top_level.txt
             scanner: grype
+      - timestamp: 2024-02-21T00:35:26Z
+        type: pending-upstream-fix
+        data:
+          note: 'Bumping the dependency to 2.2.3 is not possible, the application fails with the error: ImportError: cannot import name ''soft_unicode'' from ''markupsafe'''
 
   - id: CVE-2023-47248
     aliases:
@@ -195,6 +231,10 @@ advisories:
             componentType: python
             componentLocation: /usr/lib/python3.10/site-packages/jupyter_server-1.15.6.dist-info/METADATA, /usr/lib/python3.10/site-packages/jupyter_server-1.15.6.dist-info/RECORD, /usr/lib/python3.10/site-packages/jupyter_server-1.15.6.dist-info/top_level.txt
             scanner: grype
+      - timestamp: 2024-02-21T00:41:34Z
+        type: pending-upstream-fix
+        data:
+          note: 'Bumping the dependency to 2.11.2 is not possible, the application fails with the error: tensorflow-model-analysis 0.45.0 requires attrs<22,>=19.3.0, but you have attrs 23.2.0 which is incompatible.'
 
   - id: CVE-2023-50447
     aliases:
@@ -229,3 +269,7 @@ advisories:
             componentType: python
             componentLocation: /usr/lib/python3.10/site-packages/Jinja2-2.11.3.dist-info/METADATA, /usr/lib/python3.10/site-packages/Jinja2-2.11.3.dist-info/RECORD, /usr/lib/python3.10/site-packages/Jinja2-2.11.3.dist-info/top_level.txt
             scanner: grype
+      - timestamp: 2024-02-21T00:13:23Z
+        type: pending-upstream-fix
+        data:
+          note: 'The application runs into segmentation faults when attempting to upgrade Jinja2 to version 3.1.3 '