From b611291c2ebe5d29bce3c8737ce3e8ab95308c80 Mon Sep 17 00:00:00 2001
From: Rajiv Bakulesh Shah
Date: Fri, 5 Jul 2024 23:06:56 -0700
Subject: [PATCH] Upgrade requirements (#744)

* Upgrade requirements * Allow redis-py 5.x * Upgrade requirements * Upgrade requirements * Upgrade requirements * Pin docutils to support Python 3.8 * Upgrade requirements * Upgrade requirements * Upgrade requirements * Upgrade requirements * Upgrade requirements * Migrate from Safety CLI 2.x to 3.x * Ignore Jinja2 vulnerability 70612 We don't render Jinja templates. Plus, "The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing." For more info: https://data.safetycli.com/vulnerabilities/CVE-2019-8341/70612/
---
 .github/workflows/python-package.yml | 7 ++-
 .safety-policy.yml | 42 ++++++++++++++++
 Makefile | 2 +-
 requirements-to-freeze.txt | 4 ++
 requirements.txt | 72 ++++++++++++++--------------
 setup.py | 6 +--
 6 files changed, 92 insertions(+), 41 deletions(-)
 create mode 100644 .safety-policy.yml
diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
index 7003a331..e94aeda8 100644
--- a/.github/workflows/python-package.yml
+++ b/.github/workflows/python-package.yml
@@ -45,7 +45,10 @@ jobs:
 run: |
 flake8 *\.py pottery/*\.py tests/*\.py --count --max-complexity=10 --statistics
 isort *\.py pottery/*\.py tests/*\.py --check-only --diff
- - name: Check for security vulnerabilities with Bandit and Safety
+ - name: Check for security vulnerabilities with Bandit
 run: |
 bandit --recursive pottery
- safety check --file requirements.txt
+ - name: Check for security vulnerabilities with Safety
+ uses: pyupio/safety-action@v1
+ with:
+ api-key: ${{ secrets.SAFETY_API_KEY }}
diff --git a/.safety-policy.yml b/.safety-policy.yml
new file mode 100644
index 00000000..6a64c688
--- /dev/null
+++ b/.safety-policy.yml
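Review bot: `uses: pyupio/safety-action@v1` pins a third-party action to a mutable tag while handing it `secrets.SAFETY_API_KEY`, so whoever can move that tag controls code that runs with the secret. Pin to a full commit SHA and keep the tag as a comment, `uses: pyupio/safety-action@<full-commit-sha>  # v1`, and let the dependency bot bump it. The replaced step scanned the pinned file explicitly (`safety check --file requirements.txt`), whereas the new step passes no target; confirm that the action's default scan covers `requirements.txt` rather than only the installed environment. If this workflow also runs on pull requests from forks, the secret is empty there and the step would presumably fail; the trigger configuration is outside the hunk.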
@@ -0,0 +1,42 @@
+version: '3.0'
+
+scanning-settings:
+ max-depth: 6
+ exclude: []
+ include-files: []
+ system:
+ targets: []
+
+
+report:
+ dependency-vulnerabilities:
+ enabled: true
+ auto-ignore-in-report:
+ python:
+ environment-results: true
+ unpinned-requirements: true
+ cvss-severity: []
+ vulnerabilities:
+ 70612:
+ reason: "We don't render Jinja templates"
+ expires: '2024-12-31'
+
+
+fail-scan-with-exit-code:
+ dependency-vulnerabilities:
+ enabled: true
+ fail-on-any-of:
+ cvss-severity:
+ - high
+ - critical
+ - medium
+ exploitability:
+ - high
+ - critical
+ - medium
+
+security-updates:
+ dependency-vulnerabilities:
+ auto-security-updates-limit:
+ - patch
+
diff --git a/Makefile b/Makefile
index 586fd0a8..62504bf5 100644
--- a/Makefile
+++ b/Makefile
@@ -81,7 +81,7 @@ test:
 echo Running isort on $($@_SOURCE_FILES) && \
 isort $($@_SOURCE_FILES) --check-only --diff && \
 bandit --recursive pottery && \
- safety check
+ safety scan
 .PHONY: release
diff --git a/requirements-to-freeze.txt b/requirements-to-freeze.txt
index 7f36df94..52a0e86d 100644
--- a/requirements-to-freeze.txt
+++ b/requirements-to-freeze.txt
@@ -54,3 +54,7 @@ requests>=2.20.0
 # https://nvd.nist.gov/vuln/detail/CVE-2018-20060
 # https://nvd.nist.gov/vuln/detail/CVE-2019-11324
 urllib3>=1.24.2
+
+# We don't need docutils at the top-level. However, it's pulled in from
+# something else, and recent docutils doesn't support Python 3.8.
+docutils==0.20.1
diff --git a/requirements.txt b/requirements.txt
index 113c5cf3..4112ac92 100644
--- a/requirements.txt
+++ b/requirements.txt
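Review bot: The ignore entry for `70612` records only `reason: "We don't render Jinja templates"`, while the commit message also carries the CVE id and the maintainers' assessment; keeping that rationale in the policy is what the reviewer at `expires: '2024-12-31'` will need to decide whether to renew or drop it. Suggest `reason: "We don't render Jinja templates (CVE-2019-8341); see https://data.safetycli.com/vulnerabilities/CVE-2019-8341/70612/"`. Separately, `auto-ignore-in-report` sets `unpinned-requirements: true`, which drops unpinned-requirement findings from the report; `requirements-to-freeze.txt` is deliberately lower-bound-only, so this is presumably intended, but a one-line comment above it would stop it being read as an oversight.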
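Review bot: `safety scan` here runs with no credentials, whereas the CI step in `.github/workflows/python-package.yml` supplies `secrets.SAFETY_API_KEY` to the Safety action; if Safety 3.x's `scan` requires an authenticated session, `make test` will fail for contributors who have not set one up. Worth a comment on the line stating the prerequisite, e.g. `# Safety 3.x: scan may require Safety credentials (SAFETY_API_KEY); policy in .safety-policy.yml`, or a way to skip the step locally. The `test:` target starts outside the hunk.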
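Review bot: `docutils==0.20.1` is the only exact pin in a file that otherwise carries lower bounds, and the comment says why it exists but not when it can go or what pulls it in. Tie it to the support window so it is removed together with 3.8 support, e.g. `# TODO: drop this pin once python_requires in setup.py no longer includes 3.8`, and name the dependency that requires docutils if it is known, since "something else" will not help whoever revisits this.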
@@ -1,69 +1,71 @@
-annotated-types==0.6.0
-async-timeout==4.0.3
-Authlib==1.3.0
-bandit==1.7.8
-certifi==2024.2.2
+annotated-types==0.7.0
+Authlib==1.3.1
+bandit==1.7.9
+certifi==2024.7.4
 cffi==1.16.0
 charset-normalizer==3.3.2
 click==8.1.7
-coverage==7.4.4
-cryptography==42.0.5
+coverage==7.5.4
+cryptography==42.0.8
 docutils==0.20.1
 dparse==0.6.4b0
-flake8==7.0.0
+filelock==3.12.4
+flake8==7.1.0
 hiredis==2.3.2
-idna==3.6
-importlib_metadata==7.1.0
+idna==3.7
+importlib_metadata==8.0.0
 iniconfig==2.0.0
 isort==5.13.2
 jaraco.classes==3.4.0
 jaraco.context==5.3.0
-jaraco.functools==4.0.0
-Jinja2==3.1.3
-keyring==25.1.0
+jaraco.functools==4.0.1
+Jinja2==3.1.4
+keyring==25.2.1
 markdown-it-py==3.0.0
 MarkupSafe==2.1.5
-marshmallow==3.21.1
+marshmallow==3.21.3
 mccabe==0.7.0
 mdurl==0.1.2
 mmh3==4.1.0
-more-itertools==10.2.0
-mypy==1.9.0
+more-itertools==10.3.0
+mypy==1.10.1
 mypy-extensions==1.0.0
 nh3==0.2.17
-packaging==24.0
+packaging==24.1
 pbr==6.0.0
 pkginfo==1.10.0
-pluggy==1.4.0
-pycodestyle==2.11.1
+pluggy==1.5.0
+pycodestyle==2.12.0
 pycparser==2.22
-pydantic==2.6.4
-pydantic_core==2.16.3
+pydantic==2.8.2
+pydantic_core==2.20.1
 pyflakes==3.2.0
-Pygments==2.17.2
-pytest==8.1.1
-pytest-asyncio==0.23.6
+Pygments==2.18.0
+pytest==8.2.2
+pytest-asyncio==0.23.7
 pytest-cov==5.0.0
 PyYAML==6.0.1
 readme_renderer==43.0
-redis==5.1.0b4
-requests==2.31.0
+redis==5.1.0b7
+requests==2.32.3
 requests-toolbelt==1.0.0
 rfc3986==2.0.0
 rich==13.7.1
 ruamel.yaml==0.18.6
 ruamel.yaml.clib==0.2.8
-safety==3.1.0
+safety==3.2.4
 safety-schemas==0.0.2
-setuptools==69.2.0
+setuptools==70.2.0
 shellingham==1.5.4
 stevedore==5.2.0
-twine==5.0.0
-typer==0.12.1
-types-pyOpenSSL==24.0.0.20240311
-types-redis==4.6.0.20240311
-typing_extensions==4.11.0
-urllib3==2.2.1
+twine==5.1.1
+typer==0.12.3
+types-cffi==1.16.0.20240331
+types-pyOpenSSL==24.1.0.20240425
+types-redis==4.6.0.20240425
+types-setuptools==70.2.0.20240704
+typing_extensions==4.12.2
+urllib3==2.2.2
 uvloop==0.19.0
 wheel==0.43.0
-zipp==3.18.1
+zipp==3.19.2
diff --git a/setup.py b/setup.py
index c95b712a..a4c6b3ee 100644
--- a/setup.py
+++ b/setup.py
@@ -57,10 +57,10 @@
 ],
 keywords=pottery.__keywords__,
 python_requires='>=3.8, <4',
- install_requires=('redis>=4.2.0rc1, <5', 'mmh3', 'typing_extensions'),
+ install_requires=('redis>=4.2.0rc1', 'mmh3', 'typing_extensions'),
 extras_require={},
 packages=find_packages(exclude=('contrib', 'docs', 'tests*')),
- package_data={'pottery': ('py.typed',)},
- data_files=tuple(),
+ package_data={'pottery': ['py.typed']},
+ data_files=[],
 entry_points={},
 )
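Review bot: Dropping `<5` leaves `install_requires` with `redis>=4.2.0rc1` and no upper bound, so a future redis-py 6.x with breaking changes would be accepted at install time without any change here. The commit's stated intent is to allow redis-py 5.x, which `install_requires=('redis>=4.2.0rc1, <6', 'mmh3', 'typing_extensions'),` expresses exactly and in the same bounded style as `python_requires='>=3.8, <4'` two lines above. Note also that `requirements.txt` in this patch pins `redis==5.1.0b7`, a pre-release, so CI now exercises a beta rather than a released 5.x. The enclosing `setup(...)` call starts outside the hunk.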