Vulnerable dependency (pip CVE-2018-20225)

[anche71]

Hello,

I wonder is any resolution is being worked on. Pip is required by the dependency pip_system_certs, and the pip vulnerability in question (CVE-2018-20225) is considered to be the intended behavior, and thus will not be fixed.

The need to have pip installed makes it impossible to use mcp-clickhouse in a Docker image, when image vulnerability scanning is applied (which is a standard approach).

Could you please comment on this?

Thanks in advance.

[joe-clickhouse]

Hi @anche71, thanks for bringing this up. I do understand how this is a friction point between stringent scanners and pip. Our dependence on pip_system_certs here is only to auto-enable system trust stores. We can likely remove that by depending on truststore (no transitive deps; reqs Python >=3.10) and calling truststore.inject_into_ssl() as early as possible (e.g. in cp_clickhouse/__init__.py). This preserves system-CA behavior and removes pip from the runtime image. I'll explore this and, if feasible, put up a PR.

[joe-clickhouse]

Hi @anche71, I was able to get this working easily. Here's the PR: #91