@alexander-smolyakov
Contributor

Devcontainer name:

  • universal

Description:

This PR patches the following vulnerabilities:

  • GHSA-jm77-qphf-c4w8 - related to the cryptography package;
  • GHSA-r9hx-vwmv-q579 - related to the setuptools package. The vulnerability was patched a while ago, but the site-packages folder contained an older version of the related package, which triggers security scanners;

Changelog:

patch-conda feature:

patch-python feature:

  • Removed the `--user` option from the `pip install` command to make sure that the site-packages folder doesn't contain older versions of patched packages.

Tests:

  • Updated test to verify the cryptography minimum version (minimum package version set to 41.0.3, which fixes GHSA-jm77-qphf-c4w8);

  • Updated tests to use different environments when installing packages from the conda-forge channel;

  • Conda tests were renamed to make names more explicit;

Checklist:

  • Checked that applied changes work as expected
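The stale-copy problem the description points at (a scanner flagging an old `cryptography` left in a second site-packages directory, such as the user site a `pip install --user` writes to, even though a newer copy is the one that gets imported) can be checked directly. The following is an added example, not code from this PR or from the devcontainers tests: it scans every given site-packages directory separately and reports each copy of the package against the 41.0.3 floor. The fixture layout is constructed here, and the version parser is a simplification that ignores pre-release suffixes.

```python
import os
import re
import tempfile

def parse_version(text):
    """'41.0.3' -> (41, 0, 3). Simplified: pre-release suffixes are ignored."""
    return tuple(int(m) for m in re.findall(r"\d+", text))

def find_dists(search_paths, name):
    """Yield (directory, version) for each <name>-*.dist-info; every directory is scanned."""
    wanted = name.lower().replace("-", "_")
    for base in search_paths:
        if not os.path.isdir(base):
            continue
        for entry in sorted(os.listdir(base)):
            meta = os.path.join(base, entry, "METADATA")
            if not entry.endswith(".dist-info") or not os.path.isfile(meta):
                continue
            fields = {}
            with open(meta, encoding="utf-8") as fh:
                for line in fh:  # the header block ends at the first blank line
                    if ":" not in line:
                        break
                    key, _, value = line.partition(":")
                    fields.setdefault(key.strip().lower(), value.strip())
            if fields.get("name", "").lower().replace("-", "_") == wanted:
                yield base, fields.get("version", "0")

def audit(search_paths, name, minimum):
    """Return [(directory, version, ok)]; a copy below `minimum` is what a scanner flags."""
    floor = parse_version(minimum)
    return [(d, v, parse_version(v) >= floor) for d, v in find_dists(search_paths, name)]

def build_sample_layout(root):
    """Constructed fixture: system site-packages at 41.0.3, user site still at 41.0.1."""
    paths = []
    for rel, version in [("lib/site-packages", "41.0.3"), ("home/.local/site-packages", "41.0.1")]:
        info = os.path.join(root, rel, f"cryptography-{version}.dist-info")
        os.makedirs(info)
        with open(os.path.join(info, "METADATA"), "w", encoding="utf-8") as fh:
            fh.write(f"Metadata-Version: 2.1\nName: cryptography\nVersion: {version}\n\nbody\n")
        paths.append(os.path.join(root, rel))
    return paths

def demo():
    """Audit the fixture; returns [(version, ok), ...] in search order."""
    with tempfile.TemporaryDirectory() as tmp:
        return [(v, ok) for _, v, ok in audit(build_sample_layout(tmp), "cryptography", "41.0.3")]
```

On a real image, pass `sys.path` plus `site.getusersitepackages()` to `audit()` so the user site is inspected alongside the interpreter's own directories; `demo()` returns `[('41.0.3', True), ('41.0.1', False)]` for the fixture.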

- Update check for `cryptography` package;
- Rename tests to make them more explicit;
- Update tests to use a separate conda environment;
@alexander-smolyakov alexander-smolyakov requested a review from a team as a code owner September 13, 2023 15:15
@samruddhikhandale samruddhikhandale merged commit 98e7904 into devcontainers:main Sep 14, 2023
@samruddhikhandale samruddhikhandale mentioned this pull request Sep 29, 2023