Bump cryptography version with snowflake connector newer version #2896

Closed
plotneishestvo opened this issue Nov 18, 2020 · 2 comments · Fixed by #2922
Labels: bug
plotneishestvo (Contributor) commented Nov 18, 2020
Describe the bug


Hi, we are trying to keep our dependencies up to date with security updates, and I see that in the docker dependencies dbt has the fixed cryptography version 3.2, but the snowflake plugin still requires a cryptography version less than 3. The new snowflake connector library versions starting from 2.3.5 support the fixed cryptography version. Can we update those in the dbt-snowflake plugin requirements too?

Steps To Reproduce


You can try to install dbt with the dbt-snowflake plugin via pip alongside the new cryptography and snowflake client versions.

Expected behavior


Pip installs cryptography version >= 3.2 in the same virtual env alongside dbt-snowflake and snowflake-connector version >= 2.3.5.

Screenshots and log output

log output:

15:59:22  dbt-snowflake 0.17.0 requires cryptography<3,>=2, but you'll have cryptography 3.2 which is incompatible.
15:59:22  dbt-snowflake 0.17.0 requires snowflake-connector-python==2.2.1, but you'll have snowflake-connector-python 2.3.5 which is incompatible.

System information

Which database are you using dbt with?

  • postgres
  • redshift
  • bigquery
  • snowflake
  • other (specify: ____________)

The output of dbt --version:

installed version: 0.17.0
   latest version: 0.18.1

Your version of dbt is out of date! You can find instructions for upgrading here:
https://docs.getdbt.com/docs/installation

Plugins:
  - bigquery: 0.17.0
  - snowflake: 0.17.0
  - redshift: 0.17.0
  - postgres: 0.17.0

Even though we still use 0.17.0, in the current latest master I still see the vulnerable cryptography version.

The operating system you're using:
MacOs and Linux

The output of python --version:
Python 3.6.5


@plotneishestvo plotneishestvo added bug Something isn't working triage labels Nov 18, 2020
plazar commented Nov 19, 2020

Hi, bumping the version of cryptography would not only bring the package up-to-date, but avoid known vulnerabilities for versions <3.2. Check out https://snyk.io/vuln/pip:cryptography.

Bumping the version will also help avoid dependency conflicts with libraries that have upgraded cryptography because of the vulnerability.

@jtcohen6 jtcohen6 removed the triage label Nov 23, 2020
@jtcohen6 jtcohen6 added this to the Kiyoshi Kuromiya milestone Nov 23, 2020
jtcohen6 (Contributor) commented Nov 23, 2020

Thanks for the writeup @plotneishestvo, and for weighing in @plazar!

We had an automated PR (#2858) to bump cryptography in our historical dockerfiles, but it seems to have missed the actual setup requirements:

https://github.com/fishtown-analytics/dbt/blob/c19125bb028c36414aa5532888c8d7f1cf87cff3/plugins/snowflake/setup.py#L48-L56

It sounds like your recommendation is:

I'd welcome a PR that upgrades both. We're very defensive with version requirements of snowflake-connector-python, because we have previously experienced breaking changes from minor and patch releases.
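The two pip conflict lines in the reporter's log, and the maintainer's point about keeping tight pins on snowflake-connector-python, both come down to checking candidate versions against a plugin's requirement specifiers before installing. The following is an added example (not dbt's or dbt-snowflake's own code) that reproduces that check offline with the standard library: it parses the pins exactly as pip printed them in the issue and tests the versions the reporter wanted against them. The "relaxed" pins at the bottom are a hypothetical illustration of a tightened-but-compatible range, not the pins adopted by the fix PR; the version grammar covers only dotted release numbers (no pre-release or local segments).

```python
"""Pre-install pin conflict check (added example; not the project's code)."""
import re
from typing import Dict, List, Tuple

# Release-only versions such as "3.2" or "2.3.5"; pre/post/dev segments are
# deliberately rejected rather than silently misparsed.
_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")
_SPEC_RE = re.compile(r"^(==|!=|<=|>=|<|>)\s*([\w.]+)$")
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'3.2.0' -> (3, 2); trailing zeros are stripped so 3.2 and 3.2.0 compare equal."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"unsupported version syntax: {text!r}")
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_requirement(req: str) -> Tuple[str, List[Tuple[str, Version]]]:
    """'cryptography<3,>=2' -> ('cryptography', [('<', (3,)), ('>=', (2,))])."""
    m = _REQ_RE.match(req.strip())
    if not m:
        raise ValueError(f"cannot parse requirement: {req!r}")
    name, spec_text = m.group(1).lower(), m.group(2)
    clauses = []
    for clause in filter(None, (c.strip() for c in spec_text.split(","))):
        cm = _SPEC_RE.match(clause)
        if not cm:
            raise ValueError(f"unsupported specifier {clause!r} in {req!r}")
        clauses.append((cm.group(1), parse_version(cm.group(2))))
    return name, clauses


_OPS = {
    "==": lambda v, w: v == w,
    "!=": lambda v, w: v != w,
    "<": lambda v, w: v < w,
    "<=": lambda v, w: v <= w,
    ">": lambda v, w: v > w,
    ">=": lambda v, w: v >= w,
}


def satisfies(version: str, req: str) -> bool:
    """True if `version` meets every comma-separated clause of `req`."""
    v = parse_version(version)
    _, clauses = parse_requirement(req)
    return all(_OPS[op](v, w) for op, w in clauses)


def find_conflicts(pins: Dict[str, List[str]], wanted: Dict[str, str]) -> List[str]:
    """pins: {requiring package: [requirement strings]}; wanted: {package: version}.

    Returns one line per violated pin, phrased the way pip reports it.
    """
    problems = []
    for owner, reqs in pins.items():
        for req in reqs:
            name, _ = parse_requirement(req)
            if name in wanted and not satisfies(wanted[name], req):
                problems.append(
                    f"{owner} requires {req}, but you'll have {name} "
                    f"{wanted[name]} which is incompatible."
                )
    return problems


# Pins exactly as pip reported them for dbt-snowflake 0.17.0 in the issue log.
DBT_SNOWFLAKE_0_17_0 = {
    "dbt-snowflake 0.17.0": ["cryptography<3,>=2", "snowflake-connector-python==2.2.1"],
}
# Versions the reporter wanted installed in the same virtualenv.
WANTED = {"cryptography": "3.2", "snowflake-connector-python": "2.3.5"}

# Hypothetical relaxed pins for illustration only: a range that admits the
# patched cryptography while still capping the connector at a minor version.
# These are NOT the pins the fix PR adopted.
RELAXED_HYPOTHETICAL = {
    "dbt-snowflake (hypothetical)": [
        "cryptography<4,>=3.2",
        "snowflake-connector-python<2.4,>=2.3.5",
    ],
}

if __name__ == "__main__":
    for label, pins in (("current pins", DBT_SNOWFLAKE_0_17_0),
                        ("relaxed pins", RELAXED_HYPOTHETICAL)):
        print(f"== {label}")
        for line in find_conflicts(pins, WANTED) or ["no conflicts"]:
            print(line)
```

Run against the current pins it emits the same two "requires ... which is incompatible" lines as the log above; against the hypothetical relaxed range it emits none. Running a check like this in CI before an upgrade surfaces pin conflicts before pip does, and the upper bound on the connector preserves the defensive pinning the maintainer describes while still letting the patched cryptography release in.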
