Merge pull request #517 from baobabsoluciones/release/v1.0.10

Release/v1.0.10

cornflow-server/Dockerfile

@@ -1,4 +1,4 @@
-# VERSION 1.0.8
+# VERSION 1.0.10
 # AUTHOR: [email protected]
 
 FROM python:3.10-slim-buster
@@ -9,7 +9,7 @@ ENV DEBIAN_FRONTEND noninteractive
 ENV TERM linux
 
 # CORNFLOW vars
-ARG CORNFLOW_VERSION=1.0.9
+ARG CORNFLOW_VERSION=1.0.10
 
 # install linux pkg
 RUN apt update -y && apt-get install -y --no-install-recommends \

cornflow-server/airflow_config/Dockerfile

@@ -1,7 +1,7 @@
-# VERSION 2.7.1
+# AIRFLOW VERSION 2.9.0
 # AUTHOR: [email protected]
-# DESCRIPTION: Airflow 2.7.1 image personalized for use with Cornflow (from baobabsoluciones/pysolver image)
-# baobab code version is 1.0.8
+# DESCRIPTION: Airflow 2.9.0 image personalized for use with Cornflow (from baobabsoluciones/pysolver image)
+# baobab code version is 1.0.10
 
 FROM baobabsoluciones/pysolver:1.0
 LABEL maintainer="cornflow@baobabsoluciones"
@@ -11,14 +11,16 @@ ENV DEBIAN_FRONTEND noninteractive
 ENV TERM linux
 
 # Airflow vars
-ARG AIRFLOW_VERSION=2.7.1
+ARG AIRFLOW_VERSION=2.9.0
 ARG AIRFLOW_USER_HOME=/usr/local/airflow
 ARG CONSTRAINT_URL="https://raw.githubusercontent.com/apache/airflow/constraints-${AIRFLOW_VERSION}/constraints-3.10.txt"
 ARG AIRFLOW__CORE__LOAD_EXAMPLES=False
 ENV AIRFLOW_HOME=${AIRFLOW_USER_HOME}
 
 # install Airflow and extras: celery,postgres and redis
 RUN pip install "apache-airflow[celery,google,postgres,redis,sendgrid]==${AIRFLOW_VERSION}" --constraint "${CONSTRAINT_URL}"
+# We add these overruns due to security reasons as suggested here: https://airflow.apache.org/docs/apache-airflow/stable/installation/installing-from-pypi.html#upgrading-and-installing-dependencies-including-providers
+RUN pip install "apache-airflow[celery,google,postgres,redis,sendgrid]==${AIRFLOW_VERSION}" "cryptography==42.0.5" "gunicorn==22.0.0" "requests==2.31.0" "Werkzeug==2.3.8"
 
 # copy init script and config to container
 COPY scripts ${AIRFLOW_HOME}/scripts

cornflow-server/changelog.rst

@@ -1,3 +1,14 @@
+version 1.0.10
+---------------
+
+- released: 2024-04-17
+- description: changed libraries versions due to discovered vulnerabilities
+- changelog:
+    - Upgraded cryptography version to 42.0.5
+    - Upgraded gunicorn version to 22.0.0
+    - Upgraded requests version to 2.31.0
+    - Upgraded Werkzeug version to 2.3.8
+
 version 1.0.9
 --------------
 

cornflow-server/cornflow/shared/licenses.py

@@ -65,6 +65,7 @@ def get_licenses_summary():
     :return: a list of dicts with library, license, version, author, description, home page and license text.
     """
     license_list = []
+    # TODO: pkg_resources.working_set is deprecated, find a better way to get the list of packages
     for pkg in sorted(pkg_resources.working_set, key=lambda x: str(x).lower()):
         license_list += [
             {

cornflow-server/cornflow/tests/unit/test_licenses.py

@@ -11,9 +11,9 @@ def read_requirements():
             requirements = content.split("\n")
 
         requirements = [
-            r.split("=")[0].split(">")[0].split("<")[0].lower()
+            r.split("=")[0].split(">")[0].split("<")[0].split("@")[0].lower()
             for r in requirements
-            if r != ""
+            if r != "" and not r.startswith("#")
         ]
         return requirements
 

cornflow-server/requirements.txt

@@ -2,7 +2,7 @@ alembic==1.9.2
 apispec<=6.2.0
 click<=8.1.3
 cornflow-client<=1.0.16
-cryptography<=39.0.2
+cryptography<=42.0.5
 disposable-email-domains>=0.0.86
 Flask==2.3.2
 flask-apispec<=0.11.4
@@ -16,15 +16,15 @@ Flask-SQLAlchemy==2.5.1
 gevent==23.9.1
 greenlet<=2.0.2;python_version<"3.11"
 greenlet==3.0.0;python_version>="3.11"
-gunicorn<=20.1.0
+gunicorn<=22.0.0
 jsonpatch<=1.32
 ldap3<=2.9.1
 marshmallow<=3.19.0
 PuLP<=2.7.0
 psycopg2<=2.95
 PyJWT<=2.6.0
 pytups>=0.86.2
-requests<=2.29.0
+requests<=2.31.0
 SQLAlchemy==1.3.21
 webargs<=8.2.0
-Werkzeug<=2.3.3
+Werkzeug<=2.3.8

cornflow-server/setup.py

@@ -9,7 +9,7 @@
 
 setuptools.setup(
     name="cornflow",
-    version="1.0.9",
+    version="1.0.10",
     author="baobab soluciones",
     author_email="[email protected]",
     description="Cornflow is an open source multi-solver optimization server with a REST API built using flask.",