chore: update redis to >= 4.6.0

[nigzak]

SUMMARY

redis has a fixable high finding in version 4.x
CVE-2023-31655 (7.5)

Depending this webpage version 4.6.0 should not be affected https://scout.docker.com/vulnerabilities/id/CVE-2023-31655?s=pypa&n=redis&t=pypi&vr=%3D4.5.4

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TESTING INSTRUCTIONS

redis 4.6.0 is installed after this change

ADDITIONAL INFORMATION

Hint: CVE-2023-28859⁠ (6.5) is NOT part of this pull request as it is only fixable with redis V5.x.x which is outcluded in setup.py at the moment (<5.0)
Info is based on this page: https://scout.docker.com/vulnerabilities/id/CVE-2023-28859?s=pypa&n=redis&t=pypi&vr=%3C5.0.0b1 (fixed in V5.x)

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[nigzak]

Hint: checked also other pages with CVE informations.
A few say it should be fixed with 4.6.0 - some not ... I am not sure ...
If it is less critical to update it might be good to update in any case - if there is a bad impact it might be also good to wait for 5.x updates? I am unsure here ... :/

[dpgaspar]

This should not have any impact but I don't see https://nvd.nist.gov/vuln/detail/CVE-2023-31655#match-9248899 impacting 4.X. The vulnerability is related with redis server itself

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 69.57%. Comparing base (1d571ec) to head (559c471).
Report is 1498 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #27250      +/-   ##
==========================================
- Coverage   69.69%   69.57%   -0.12%     
==========================================
  Files        1908     1908              
  Lines       74530    74530              
  Branches     8309     8309              
==========================================
- Hits        51942    51855      -87     
- Misses      20535    20622      +87     
  Partials     2053     2053              

Flag	Coverage Δ
hive	?
mysql	78.00% <ø> (ø)
postgres	78.10% <ø> (ø)
presto	?
python	82.88% <ø> (-0.25%)	⬇️
sqlite	77.61% <ø> (ø)
unit	56.51% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[nigzak]

@dpgaspar I am also confused more and more while reading the CVE documentations ... shall I close this pull request, what do you think? I still don't know if it is "redis direct" why the scans show this as bad dependency (refer up the screenshot from docker scout with the docker-scout link) ...

[nigzak]

I checked in multiple repository scans now (JFROG, Harbor, Amazon ECR), seems only docker scout is marking this as "bad" - could also be an issue with docker-scout analyser itself (?)

for testing purpose I made a dirty upgrade in the 3.1.1 to use redis 4.6.0 to see if scout is still marking it as bad

from apache/superset:3.1.1

USER root:root

RUN pip uninstall redis --yes
RUN pip install redis==4.6.0

USER superset:superset

=> it is gone in scout then

If the update to 4.6.0 is not bad it might still be good to switch to it (even if it might not be a CVE inside) to avoid false-positive findings (if this is a false positive, still this is confusing ...)