added safety check to python dependencies
#2462
Conversation
heartsucker
force-pushed
the
safety-check
branch
from
ce55a4a to
25db145
Compare
ghost
added
|
I confirm circleci fails as expected https://circleci.com/gh/freedomofpress/securedrop/2960?utm_campaign=vcs-integration-link&utm_medium=referral&utm_source=github-build-link -> ansible, installed 2.2.1, affected <2.3.1, id 34941 ansible before 2.3.1 is vulnerable to CVE-2017-7481 - data for lookup plugins used as variables was not being correctly marked as "unsafe". -- |
|
I marked as PR: pending additional work because it needs to wait on the CVE to be dealt with. I did not know about this way to find CVE, interesting ! |
testinfra/requirements.txt
Outdated
| @@ -4,7 +4,7 @@ | |||
| # | |||
| # pip-compile --output-file requirements.txt requirements.in | |||
| # | |||
| ansible-lint==3.4.13 # via molecule | |||
| ansible-lint==3.4.16 # via molecule | |||
There was a problem hiding this comment.
In the spirit of keeping this PR to the minimum, would you mind stripping out the module upgrades that are unrelated to the safety module ?
There was a problem hiding this comment.
I could, but I was using pip-compile and I don't actually know if there's any weird breakages, so I'm letting that tool do it's magic. This is something one of the ops homies would need to comment on.
There was a problem hiding this comment.
FWIW when I did the same in the past I just manually removed all dependencies that were not strictly related to the module I was adding. I don't think there is a way to ask pip-compile to focus on a single module and leave the others alone.
There was a problem hiding this comment.
Yeah @dachary is correct here ;) Unfortunately the pip-compile story sucks for just updating one dependency. You could temporarily peg all the dependencies in the requirements.in file and then run it ... that's a hacky way around it. Or yeah, do what @dachary said and try to manually edit the commit changes using something like git add -p
heartsucker
force-pushed
the
safety-check
branch
from
25db145 to
e9c13ff
Compare
|
Once #2483 is merged in you can rebase on this and tests should pass ✨ |
|
Pinging for merge now that CI his happy. |
|
CircleCI is happy #!/bin/bash -eo pipefail make safety Checking file ./install_files/ansible-base/requirements.txt safety report checked 15 packages, using default DB --- No known security vulnerabilities found. Checking file ./testinfra/requirements.txt safety report checked 72 packages, using default DB --- No known security vulnerabilities found. Checking file ./securedrop/requirements/develop-requirements.txt safety report checked 61 packages, using default DB --- No known security vulnerabilities found. Checking file ./securedrop/requirements/test-requirements.txt safety report checked 28 packages, using default DB --- No known security vulnerabilities found. Checking file ./securedrop/requirements/securedrop-requirements.txt safety report checked 25 packages, using default DB --- No known security vulnerabilities found. |
ghost
merged commit 
Status
Ready for review
Description of Changes
Fixes #2451
Adds
safety checkto a few scripts andMakefiles as well as CI.Testing
make safetyThis breaks right now as we have a CVE in the code. Once it's removed, we can merge this in.