
Commit ea553e9

#216: Updated dependencies to fix vulnerabilities and refactorings (#217)
* #216: Updated dependencies to fix vulnerabilities
* Updated dependencies and URL for CentOS 7 docker image
* Removed test for CentOS 7
* Removed version spec for dependency requests in test/resources/test_container/full/build/deps/requirements.txt
* Updated URLs to drivers JDBC and ODBC and ExaPlus from Exasol website
* Updated file dependencies.md
* Updated tar command for extracting downloaded drivers and exaplus
* Updated path to ODBC driver
* Updated version of github actions/checkout
* Update documentation
* refactored test_run_db_test_builtin_languages.py
* Updated test-container OS to ubuntu:22.04
* Update pip in Docker TestContainer
* Use latest version of exasol-python-test-framework from pypi
* Added file error_code_config.yml
* Removed file release_config.yml
1 parent 90261c0 commit ea553e9

File tree

19 files changed

+386
-488
lines changed

.github/workflows/check_version.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@ jobs:
1111

1212
runs-on: ubuntu-latest
1313
steps:
14-
- uses: actions/checkout@v3
14+
- uses: actions/checkout@v4
1515
with:
1616
fetch-depth: 0
1717
- uses: ./.github/actions/prepare_poetry_env
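Review bot: The `actions/checkout@v3` to `@v4` bump on line 14 (and the same bump in every other workflow in this commit) still references a floating major tag, which the action's maintainers can move at any time; since this commit is explicitly about closing supply-chain vulnerabilities, consider pinning to the full-length commit SHA of the v4 release with the version in a trailing comment, e.g. `- uses: actions/checkout@<full-sha> # v4`, so the checked-out action cannot change underneath the workflow without a reviewed diff (the placeholder `<full-sha>` is not on the page and must be taken from the upstream release).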

.github/workflows/env_test.yml

Lines changed: 2 additions & 2 deletions
@@ -7,7 +7,7 @@ jobs:
77
prep-testbed:
88
runs-on: ubuntu-latest
99
steps:
10-
- uses: actions/checkout@v3
10+
- uses: actions/checkout@v4
1111
- id: set-matrix
1212
run: |
1313
sudo apt-get install jq
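Review bot: The unchanged context line `sudo apt-get install jq` in the `set-matrix` step has no `-y` flag, so it only succeeds because `jq` is already present on the `ubuntu-latest` image and apt never reaches its confirmation prompt; on a non-interactive runner that prompt would abort the step. Since this commit already touches the checkout step of this job, it would be a cheap fix to change it to `sudo apt-get install -y jq` (or drop the line, if the preinstalled `jq` is relied upon anyway).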
@@ -23,7 +23,7 @@ jobs:
2323
test-path: ${{fromJson(needs.prep-testbed.outputs.matrix)}}
2424
runs-on: ubuntu-latest
2525
steps:
26-
- uses: actions/checkout@v3
26+
- uses: actions/checkout@v4
2727

2828
- name: Run all env tests
2929
run: ./scripts/test/ci_tests/run_ci_test.sh ${{ matrix.test-path }}
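Review bot: The unchanged context line `run: ./scripts/test/ci_tests/run_ci_test.sh ${{ matrix.test-path }}` interpolates a workflow expression directly into the shell command, which is the pattern GitHub documents as script injection whenever the expression can carry attacker-influenced text. Here the matrix is produced by the `prep-testbed` job from repository content, so the exposure is low, but the robust form is to pass the value through an environment variable (`env: TEST_PATH: ${{ matrix.test-path }}` and then `run: ./scripts/test/ci_tests/run_ci_test.sh "$TEST_PATH"`), which keeps the value out of the shell's parsing entirely.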

.github/workflows/main.yml

Lines changed: 5 additions & 5 deletions
@@ -7,15 +7,15 @@ jobs:
77
test-docker-starter:
88
runs-on: ubuntu-latest
99
steps:
10-
- uses: actions/checkout@v3
10+
- uses: actions/checkout@v4
1111

1212
- name: Test ./exaslct
1313
run: ./exaslct --help
1414

1515
prep-testbed:
1616
runs-on: ubuntu-latest
1717
steps:
18-
- uses: actions/checkout@v3
18+
- uses: actions/checkout@v4
1919
- id: set-matrix
2020
run: |
2121
sudo apt-get install jq
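Review bot: The `prep-testbed` job in this hunk (lines 15-21) is a verbatim copy of the `prep-testbed` job in `.github/workflows/env_test.yml`, including the `sudo apt-get install jq` line that lacks `-y`; both copies had to be touched in this commit for the same `actions/checkout` bump, which is the usual sign that the job should be a reusable workflow (`workflow_call`) or a composite action next to the existing `./.github/actions/prepare_poetry_env`, so future dependency and action bumps happen in one place.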
@@ -37,7 +37,7 @@ jobs:
3737
runs-on: ubuntu-latest
3838
name: ${{ matrix.test-path.name }}
3939
steps:
40-
- uses: actions/checkout@v3
40+
- uses: actions/checkout@v4
4141

4242
- uses: ./.github/actions/prepare_poetry_env
4343

@@ -55,7 +55,7 @@ jobs:
5555
runs-on: ubuntu-latest
5656
environment: publish
5757
steps:
58-
- uses: actions/checkout@v3
58+
- uses: actions/checkout@v4
5959
- name: Build new Docker image
6060
run: "bash scripts/build/build_docker_runner_image.sh"
6161
- name: Docker login
@@ -64,4 +64,4 @@ jobs:
6464
SECRET_DOCKER_USER_NAME: ${{ secrets.DOCKER_USER_NAME }}
6565
SECRET_DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
6666
- name: Push new Docker image
67-
run: "bash scripts/build/push_docker_runner_image.sh main"
67+
run: "bash scripts/build/push_docker_runner_image.sh main"
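Review bot: The removed and added line 67 read identically (`run: "bash scripts/build/push_docker_runner_image.sh main"`), so the only difference in this hunk is whitespace or the line ending, most likely a newline added at end of file; that is fine, but it is not mentioned anywhere in the commit message, and a one-word note ("trailing newline") would save the next reader from diffing the bytes to find out what changed in the publish job.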

.github/workflows/release.yml

Lines changed: 1 addition & 1 deletion
@@ -13,7 +13,7 @@ jobs:
1313
steps:
1414

1515
- name: SCM Checkout
16-
uses: actions/checkout@v3
16+
uses: actions/checkout@v4
1717

1818
- name: Setup Python & Poetry Environment
1919
uses: ./.github/actions/prepare_poetry_env

.github/workflows/shellcheck.yaml

Lines changed: 1 addition & 1 deletion
@@ -7,6 +7,6 @@ jobs:
77
shellcheck:
88
runs-on: ubuntu-latest
99
steps:
10-
- uses: actions/checkout@v3
10+
- uses: actions/checkout@v4
1111
- name: Run shellcheck
1212
run: ./scripts/build/shellcheck.sh

.gitignore

Lines changed: 2 additions & 0 deletions
@@ -140,3 +140,5 @@ dmypy.json
140140
# Project
141141
.build_output/
142142

143+
# Emacs
144+
TAGS
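Review bot: The new `# Emacs` / `TAGS` entries on lines 143-144 are editor-specific and unrelated to the dependency and vulnerability work this commit is about; they belong in the developer's global excludes file (`git config --global core.excludesFile`) rather than in the project `.gitignore`, or at least in a separate commit so the security-fix changeset stays reviewable on its own.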

doc/changes/changelog.md

Lines changed: 1 addition & 0 deletions
@@ -1,5 +1,6 @@
11
# Changes
22

3+
* [0.20.0](changes_0.20.0.md)
34
* [0.19.0](changes_0.19.0.md)
45
* [0.18.3](changes_0.18.3.md)
56
* [0.18.2](changes_0.18.2.md)

doc/changes/changes_0.20.0.md

Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
# Script-Languages-Container-Tool 0.20.0, released 2024-07-09
2+
3+
Code name: Fix vulnerabilities
4+
5+
## Summary
6+
7+
This release fixes the following vulnerabilities by updating dependencies:
8+
* CVE-2024-35195 in dependency `requests` in versions < `2.32.0` caused by requests `Session` object not verifying requests after making first request with `verify=False`
9+
* CVE-2024-37891 in transitive dependency via `boto3` to `urllib3` in versions < `2.2.2` caused by proxy-authorization request header not to be stripped during cross-origin redirects as no update of notebook-connector is available, yet.
10+
* GHSA-w235-7p84-xx57 in transitive dependency via `luigi` to `tornado` in versions < `6.4.1` enabling CRLF injection in `CurlAsyncHTTPClient` headers.
11+
* GHSA-753j-mpmx-qq6g in transitive dependency via `luigi` to `tornado` in versions < `6.4.1` due to inconsistent interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
12+
13+
However, the release ignores the following vulnerabilities
14+
* GHSA-753j-mpmx-qq6g in dependency `configobj` in versions &le; `5.0.8` being ReDoS exploitable by developers using values in a server-side configuration file as SLCT is used only client side and a patched version is not available, yet.
15+
16+
## Security Issues
17+
18+
* #216: Updated dependencies to fix vulnerabilities
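Review bot: The advisory ID `GHSA-753j-mpmx-qq6g` is used twice in this file, on line 11 for the `tornado` HTTP request smuggling issue and on line 14 for the `configobj` ReDoS issue; one of the two must be wrong, and since the ignored-vulnerability entry is exactly what an auditor will look up later, the `configobj` line should cite the advisory that actually covers it (not on this page, so it has to be taken from the advisory database). Three smaller points in the same hunk: line 9 justifies the `urllib3` update with "as no update of notebook-connector is available, yet", but `notebook-connector` does not appear anywhere in the updated `doc/dependencies.md`, so that clause looks copied from another project's changelog and should be dropped or corrected; line 13 is missing the trailing colon that line 7 has; and `&le;` on line 14 is an HTML entity inside markdown, where plain `<=` is what the rest of the file uses for version bounds.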

doc/dependencies.md

Lines changed: 66 additions & 44 deletions
@@ -1,51 +1,73 @@
11
<!-- @formatter:off -->
22
# Dependencies
3-
3+
44
## Compile Dependencies
55

6-
|Package| Version |
7-
|---|---------|
8-
|poetry| 1.1.11 |
6+
| Package | Version |
7+
|---------|---------|
8+
| poetry | 1.1.11 |
99

1010
## Runtime Dependencies
1111

12-
| Package | Version |
13-
|---------------------------------------------------------------------------------------------------------------------------|-----------|
14-
| Python | >=3.8 |
15-
| certifi | 2020.12.5 |
16-
| chardet | 4.0.0 |
17-
| click | 7.1.2 |
18-
| decorator | 4.4.2 |
19-
| docker | 5.0.0 |
20-
| docutils | 0.17.1 |
21-
| exasol-integration-test-docker-environment @ git+https://github.com/exasol/[email protected] |
22-
| gitdb | 4.0.7 |
23-
| gitpython | 3.1.15 |
24-
| humanfriendly | 9.1 |
25-
| idna | 2.10 |
26-
| importlib-metadata | 4.0.1 |
27-
| importlib-resources | 5.1.2 |
28-
| jinja2 | 2.11.3 |
29-
| jsonpickle | 2.0.0 |
30-
| lockfile | 0.12.2 |
31-
| luigi | 3.0.3 |
32-
| markupsafe | 1.1.1 |
33-
| netaddr | 0.8.0 |
34-
| networkx | 2.5.1 |
35-
| pydot | 1.4.2 |
36-
| pyparsing | 2.4.7 |
37-
| pyreadline | 2.1 |
38-
| python-daemon | 2.3.0 |
39-
| python-dateutil | 2.8.1 |
40-
| pywin32 | 227 |
41-
| requests | 2.25.1 |
42-
| simplejson | 3.17.2 |
43-
| six | 1.15.0 |
44-
| smmap | 4.0.0 |
45-
| stopwatch.py | 1.0.1 |
46-
| tenacity | 6.3.1 |
47-
| tornado | 6.1 |
48-
| typing-extensions | 3.7.4.3 |
49-
| urllib3 | 1.22 |
50-
| websocket-client | 0.58.0 |
51-
| zipp | 3.4.1 |
12+
| Package | Version | Description |
13+
|--------------------------------------------|-----------------|------------------------------------------------------------------------------------------------|
14+
| anyio | 4.4.0 | High level compatibility layer for multiple asynchronous event loop implementations |
15+
| attrs | 23.2.0 | Classes Without Boilerplate |
16+
| bcrypt | 4.1.3 | Modern password hashing for your software and your servers |
17+
| certifi | 2024.7.4 | Python package for providing Mozilla's CA Bundle. |
18+
| cffi | 1.16.0 | Foreign Function Interface for Python calling C code. |
19+
| charset-normalizer | 3.3.2 | The Real First Universal Charset Detector. Open, modern and actively maintained alternative... |
20+
| click | 8.1.7 | Composable command line interface toolkit |
21+
| configobj | 5.0.8 | Config file reading, writing and validation. |
22+
| cryptography | 42.0.8 | cryptography is a package which provides cryptographic recipes and primitives to Python dev... |
23+
| decorator | 5.1.1 | Decorators for Humans |
24+
| deprecated | 1.2.14 | Python @deprecated decorator to deprecate old python classes, functions or methods. |
25+
| docker | 7.1.0 | A Python library for the Docker Engine API. |
26+
| docutils | 0.20.1 | Docutils -- Python Documentation Utilities |
27+
| exasol-bucketfs | 0.11.0 | BucketFS utilities for the Python programming language |
28+
| exasol-error-reporting | 0.4.0 | Exasol Python Error Reporting |
29+
| exasol-integration-test-docker-environment | 3.1.0 | Integration Test Docker Environment for Exasol |
30+
| exasol-saas-api | 0.7.0 | API enabling Python applications connecting to Exasol database SaaS instances and using the... |
31+
| fabric | 3.2.2 | High level SSH command execution |
32+
| gitdb | 4.0.11 | Git Object Database |
33+
| gitpython | 3.1.43 | GitPython is a Python library used to interact with Git repositories |
34+
| h11 | 0.14.0 | A pure-Python, bring-your-own-I/O implementation of HTTP/1.1 |
35+
| httpcore | 1.0.5 | A minimal low-level HTTP client. |
36+
| httpx | 0.27.0 | The next generation HTTP client. |
37+
| humanfriendly | 10.0 | Human friendly output for text interfaces using Python |
38+
| idna | 3.7 | Internationalized Domain Names in Applications (IDNA) |
39+
| ifaddr | 0.2.0 | Cross-platform network interface and IP address enumeration library |
40+
| importlib-metadata | 8.0.0 | Read metadata from Python packages |
41+
| importlib-resources | 6.4.0 | Read resources from Python packages |
42+
| invoke | 2.2.0 | Pythonic task execution |
43+
| jinja2 | 3.1.4 | A very fast and expressive template engine. |
44+
| joblib | 1.4.2 | Lightweight pipelining with Python functions |
45+
| jsonpickle | 3.2.2 | Python library for serializing arbitrary object graphs into JSON |
46+
| lockfile | 0.12.2 | Platform-independent file locking module |
47+
| luigi | 3.5.1 | Workflow mgmgt + task scheduling + dependency resolution. |
48+
| markupsafe | 2.1.5 | Safely add untrusted strings to HTML/XML markup. |
49+
| netaddr | 1.3.0 | A network address manipulation library for Python |
50+
| networkx | 2.8.8 | Python package for creating and manipulating graphs and networks |
51+
| paramiko | 3.4.0 | SSH2 protocol library |
52+
| portalocker | 2.10.0 | Wraps the portalocker recipe for easy usage |
53+
| pycparser | 2.22 | C parser in Python |
54+
| pydot | 2.0.0 | Python interface to Graphviz's Dot |
55+
| pynacl | 1.5.0 | Python binding to the Networking and Cryptography (NaCl) library |
56+
| pyparsing | 3.1.2 | pyparsing module - Classes and methods to define and execute parsing grammars |
57+
| python-daemon | 3.0.1 | Library to implement a well-behaved Unix daemon process. |
58+
| python-dateutil | 2.9.0.post0 | Extensions to the standard Python datetime module |
59+
| requests | 2.32.3 | Python HTTP for Humans. |
60+
| setuptools | 70.2.0 | Easily download, build, install, upgrade, and uninstall Python packages |
61+
| simplejson | 3.19.2 | Simple, fast, extensible JSON encoder/decoder for Python |
62+
| six | 1.16.0 | Python 2 and 3 compatibility utilities |
63+
| smmap | 5.0.1 | A pure Python implementation of a sliding window memory map manager |
64+
| sniffio | 1.3.1 | Sniff out which async library your code is running under |
65+
| stopwatch-py | 2.0.1 | A simple stopwatch for python |
66+
| tenacity | 8.4.2 | Retry code until it succeeds |
67+
| toml | 0.10.2 | Python Library for Tom's Obvious, Minimal Language |
68+
| tornado | 6.4.1 | Tornado is a Python web framework and asynchronous networking library, originally developed... |
69+
| typeguard | 4.0.0 | Run-time type checker for Python |
70+
| types-requests | 2.32.0.20240622 | Typing stubs for requests |
71+
| urllib3 | 2.2.2 | HTTP library with thread-safe connection pooling, file post, and more. |
72+
| wrapt | 1.16.0 | Module for decorators, wrappers and monkey patching. |
73+
| zipp | 3.19.2 | Backport of pathlib-compatible object wrapper for zip files |
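Review bot: The regenerated runtime table drops the `Python | >=3.8` row that the old table had on line 14, so the supported interpreter range is no longer documented anywhere in this file; please add it back (or state it in the summary above the table), since the interpreter floor is part of the security posture that readers of a "fix vulnerabilities" release will check. Two further observations: the `## Compile Dependencies` table on line 8 still lists `poetry | 1.1.11` while every runtime dependency was refreshed, which suggests that section was not regenerated and is stale; and replacing the git-URL pin `exasol-integration-test-docker-environment @ git+https://github.com/exasol/...` with the released `3.1.0` is a good change, because a released, hash-verifiable wheel from an index is easier to audit and lock than a mutable git reference.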
