
fix: vulnerable dependencies and clean up #37

Merged
merged 7 commits into from
Jun 28, 2024

Conversation

saikumarrs
Member

@saikumarrs saikumarrs commented Jun 26, 2024

Description of the change

https://linear.app/rudderstack/issue/SDK-1907/python-vulnerabilities

I upgraded all the dependencies to the latest to resolve vulnerabilities.

Moreover, since Python versions < 3.8 have reached end-of-life status, we've removed support for those versions.

Other updates:

  • Cleaned up GitHub workflows
  • Added a workflow to clean up stale branches and PRs
  • The direct project dependencies are moved to requirements.in file and clipped to specific versions.
    • To generate requirements.txt from it, run pip-compile requirements.in.
  • Fixed minor issues in setup.py as well.
  • Added setup_env.sh shell script to set up the project environment.

Snyk test results

snyk test --file=requirements.txt --package-manager=pip --python=python3

Before:

Testing /Volumes/Workspace/Repositories/rudder-sdk-python...

Tested 38 dependencies for known issues, found 2 issues, 6 vulnerable paths.


License issues:

  ✗ MPL-2.0 license (new) [Medium Severity][https://snyk.io/vuln/snyk:lic:pip:certifi:MPL-2.0] in [email protected]
    introduced by [email protected] and 4 other path(s)

  ✗ GPL-2.0 license (new) [High Severity][https://snyk.io/vuln/snyk:lic:pip:mercurial:GPL-2.0] in [email protected]
    introduced by [email protected]



Organization:      rudder-integrations
Package manager:   pip
Target file:       requirements.txt
Project name:      rudder-sdk-python
Open source:       no
Project path:      /Volumes/Workspace/Repositories/rudder-sdk-python
Licenses:          enabled

Tip: Try `snyk fix` to address these issues.`snyk fix` is a new CLI command in that aims to automatically apply the recommended updates for supported ecosystems.
See documentation on how to enable this beta feature: https://docs.snyk.io/snyk-cli/fix-vulnerabilities-from-the-cli/automatic-remediation-with-snyk-fix#enabling-snyk-fix

After:

Testing /Volumes/Workspace/Repositories/rudder-sdk-python...

Tested 20 dependencies for known issues, found 1 issue, 2 vulnerable paths.


License issues:

  ✗ MPL-2.0 license (new) [Medium Severity][https://snyk.io/vuln/snyk:lic:pip:certifi:MPL-2.0] in [email protected]
    introduced by [email protected] and 1 other path(s)



Organization:      rudder-integrations
Package manager:   pip
Target file:       requirements.txt
Project name:      rudder-sdk-python
Open source:       no
Project path:      /Volumes/Workspace/Repositories/rudder-sdk-python
Licenses:          enabled

Tip: Try `snyk fix` to address these issues.`snyk fix` is a new CLI command in that aims to automatically apply the recommended updates for supported ecosystems.
See documentation on how to enable this beta feature: https://docs.snyk.io/snyk-cli/fix-vulnerabilities-from-the-cli/automatic-remediation-with-snyk-fix#enabling-snyk-fix

Note that the license issue for certifi cannot be resolved now without replacing the requests package with an alternative. Since it is a medium vulnerability, it has been ignored for now.

Type of change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Related issues

N/A

Checklists

Development

  • Lint rules pass locally
  • The code changed/added as part of this pull request has been covered with tests
  • All tests related to the changed code pass in development

Code review

  • This pull request has a descriptive title and information useful to a reviewer. There may be a screenshot or screencast attached
  • "Ready for review" label attached to the PR and reviewers mentioned in a comment
  • Changes have been reviewed by at least one other engineer
  • Issue from task tracker has a link to this pull request

@saikumarrs saikumarrs self-assigned this Jun 26, 2024
@saikumarrs saikumarrs marked this pull request as ready for review June 27, 2024 08:52
@itsdebs itsdebs requested review from itsdebs and removed request for debanjan97 June 28, 2024 05:57
@saikumarrs saikumarrs merged commit 0a75dba into master Jun 28, 2024
6 of 8 checks passed

sonarcloud bot commented Jun 28, 2024
