Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: upgrade urllib version to fix vulnerability #1472

Merged
merged 2 commits into from
Oct 25, 2023
Merged

fix: upgrade urllib version to fix vulnerability #1472

merged 2 commits into from
Oct 25, 2023

Conversation

AleJo2995
Copy link
Collaborator

Types of changes

  • Hot fix (emergency fix and release)
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Documentation (change which affects the documentation site)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Release (develop -> main)

Quality assurance (all should be covered).

  • My code follows the code style of this project.
  • Documentation for my change is up to date?
  • My PR meets testing requirements.
  • All new and existing tests passed.
  • All commits are signed-off.

Summary

Closes #1467

Key links:

Before you merge

  • Ensure it is a 'squash commit' if not a release.
  • Ensure CI is currently passing
  • Check sonar. If you are working for a fork a maintainer will reach out, if required.

@AleJo2995
fix: upgrade urllib version to fix vulnerability
f0ce704 
Signed-off-by: Alejandro Jose Leiva Palomo <alejandro.leiva.palomo@ibm.com>
@AleJo2995
fix: correct typo
62c3934 
Signed-off-by: Alejandro Jose Leiva Palomo <alejandro.leiva.palomo@ibm.com>
@AleJo2995
Copy link
Collaborator Author

AleJo2995 commented Oct 25, 2023
edited

@vikas-agarwal76 , @mrgadgil I have done what documentation suggests by pinging urllib3 dependency to 1.26.17 to solve vuln issue stated here and tests are passing completely fine. Now, we need somehow to do some testing against that vulnerability per-sé, but the only way I see is to point any of the repos using trestle right now against this particular branch and run vul scan again. Is there any recommendation here that you can provide so it's not tied up only to that one?

vikas-agarwal76
vikas-agarwal76 approved these changes Oct 25, 2023
View reviewed changes
Copy link
Collaborator

@vikas-agarwal76 vikas-agarwal76 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Please merge after testing.

@AleJo2995
Copy link
Collaborator Author

Done, tested out. Remediation will be addressed with the change
image

@AleJo2995 AleJo2995 merged commit e9d4175 into develop Oct 25, 2023
16 checks passed
@AleJo2995 AleJo2995 deleted the fix/address-vuln branch October 25, 2023 20:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vikas-agarwal76 vikas-agarwal76 vikas-agarwal76 approved these changes

@mrgadgil mrgadgil Awaiting requested review from mrgadgil

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CVE-2023-43804 - Medium Severity Vulnerability
2 participants
@AleJo2995 @vikas-agarwal76