
Safety step fails: vulnerabilities in sqlalchemy 1.3.16 and in starlette 0.19.1 #378

Closed
dlpzx opened this issue Mar 20, 2023 · 0 comments · Fixed by #379
Labels
priority: high status: in-progress This issue has been picked and is being implemented type: bug Something isn't working

Comments

@dlpzx
Contributor

dlpzx commented Mar 20, 2023

Describe the bug

In the CICD pipeline the SecurityChecks CodeBuild stage fails with the following:

Starlette <0.25 is related to a DoS vulnerability --> https://security.snyk.io/vuln/SNYK-PYTHON-STARLETTE-3319937
sqlalchemy is ignored and we do not seem to have any urgent vulnerabilities, but it is a good moment to upgrade --> https://security.snyk.io/package/pip/sqlalchemy

How to Reproduce

Run the data.all CICD pipeline (for example by releasing a change).

Expected behavior

No response

Your project

No response

Screenshots

No response

OS

n/a

Python version

n/a

AWS data.all version

v.1.4.1

Additional context

No response

dlpzx added the labels type: bug, priority: high and status: in-progress on Mar 20, 2023
dlpzx added a commit that referenced this issue Mar 20, 2023
…iadne 0.13 -> 0.17, fastapi 0.78 -> 0.92 (#379)

### Feature or Bugfix
- Bugfix

### Detail
- Upgrade starlette version: vulnerability found in starlette <0.25
(https://security.snyk.io/vuln/SNYK-PYTHON-STARLETTE-3319937). It does
not affect data.all as we do not use `python-multipart` but nevertheless
it is better to be in a non-vulnerable version.
- Upgrade sqlalchemy version: the vulnerability is not stopping the CICD
pipeline, but by upgrading we are able to use the latest version of
alembic and we can revert the pinning of the version which happened in
#354
- Upgrade ariadne to version 0.17.0: needed to support starlette 0.25.0.
The higher version ariadne==0.18.0 removes the `PLAYGROUND_HTML` constant
that we use in testing (check the
[docs](https://ariadnegraphql.org/docs/0.17/constants-reference))
- Upgrade fastapi version to 0.92.0: needed to support starlette 0.25.0
(Version that supports this particular version of starlette,
[docs](https://fastapi.tiangolo.com/release-notes/#0920))
### Relates
- #378 

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
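As an added example (not data.all's own code nor part of #379), a small Python gate of the kind a CI pipeline can run before Safety, checking pinned requirements against the version ranges the commit message gives as its rationale; the constraint table and the sample requirement lines are constructed assumptions, and sqlalchemy is left out because the page states no target pin for it:

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed constraints from the PR rationale: (min inclusive, max exclusive or None).
# starlette >= 0.25.0 carries the DoS fix, fastapi >= 0.92.0 supports starlette
# 0.25, ariadne must be >= 0.17.0 but < 0.18.0 (0.18 removes PLAYGROUND_HTML).
CONSTRAINTS: Dict[str, Tuple[tuple, Optional[tuple]]] = {
    "starlette": ((0, 25, 0), None),
    "fastapi": ((0, 92, 0), None),
    "ariadne": ((0, 17, 0), (0, 18, 0)),
}
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)")

def parse_version(text: str) -> tuple:
    """'0.25' -> (0, 25, 0): pad to three parts so 0.25 equals 0.25.0."""
    parts = [int(p) for p in text.strip(".").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def fmt(v: tuple) -> str:
    return ".".join(map(str, v))

def check_requirements(lines: List[str]) -> List[str]:
    """Return one finding per constrained package whose pin violates its range.
    Fails closed: a constrained package not pinned with '==' is reported too."""
    findings: List[str] = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        name = re.split(r"[<>=!~\s\[]", line, maxsplit=1)[0].lower()
        if name not in CONSTRAINTS:
            continue
        m = PIN_RE.match(line)
        if not m:
            findings.append(f"{name}: not pinned with '==' ({line})")
            continue
        lo, hi = CONSTRAINTS[name]
        ver = parse_version(m.group(2))
        if ver < lo:
            findings.append(f"{name}=={m.group(2)} is below required {fmt(lo)}")
        elif hi is not None and ver >= hi:
            findings.append(f"{name}=={m.group(2)} is at or above unsupported {fmt(hi)}")
    return findings

# Constructed sample input: the pins that failed the Safety step, then the pins
# after the upgrade in #379 (the page gives no target pin for sqlalchemy).
BEFORE = ["starlette==0.19.1", "fastapi==0.78.0", "ariadne==0.13.0", "sqlalchemy==1.3.16"]
AFTER = ["starlette==0.25.0", "fastapi==0.92.0", "ariadne==0.17.0"]
```

Running `check_requirements(BEFORE)` yields three findings (starlette, fastapi, ariadne below their minimums) while `check_requirements(AFTER)` is empty; an `ariadne==0.18.0` pin is rejected for the upper bound.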