[Dependencies] Add cryptography backend for python-jose #311
Conversation
Signed-off-by: Judy Ng <njud@amazon.com>
| @@ -4,10 +4,10 @@ Werkzeug==2.3.8 | |||
| boto3==1.24.30 | |||
| requests==2.31.0 | |||
| urllib3==1.26.18 | |||
| python-jose==3.3.0 | |||
| python-jose[cryptography]==3.3.0 | |||
There was a problem hiding this comment.
Minor: let's add a comment here specifying why we are selecting the specific backend.
Explanation is in the official python-jose page: https://pypi.org/project/python-jose/
There was a problem hiding this comment.
Another potential solution is to move a production maintained package for this as they mention in this issue wazuh/wazuh#21590. I think we should move away from python-jose, since we are likely to run into this issue again with no resolution
There was a problem hiding this comment.
Thanks Ryan for this solution, I think for now we will use this method since it would require more effort and possible appsec reviews to change the library whereas for now we just want to mitigate the CVE. I created a task in the backlog though
|
Installing python-jose with a specific backend was a very good approach to bypass the edcsa CVE. |
Signed-off-by: Judy Ng <njud@amazon.com>
Changes
python-jose[cryptography]instead of justpython-joseto use the cryptography backend instead ofecdsabackendHow Has This Been Tested?
Ran pytest, deployed, created/deleted cluster
In order to increase the likelihood of your contribution being accepted, please make sure you have read both the Contributing Guidelines and the Project Guidelines
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.