Skip to content

Commit d512f54

Browse files
DevOpsMadDogclaude
andcommitted
fix(deps): edge_collector CVEs (fastapi/starlette/requests) + remove dead snyk-to-sarif git dep
edge_collector/collector_api pinned fastapi 0.109.0 / starlette 0.35.1 / requests 2.32.4 (10 CVEs) -> bumped to the main app's proven stack (fastapi>=0.136, starlette>=1.3.1, requests>=2.33) -> 0 vulns. Also requirements-optional.txt referenced snyk-to-sarif @ a deleted git repo (also not on PyPI), which hard-failed `pip install -r` and blocked the other optional deps -> commented out; Snyk ingestion still works via normalizers.py fallback + scanner_parsers.py native snyk parser, and the misleading install hint is fixed. The trivy_vuln test fixture (deliberately vulnerable) is intentionally untouched. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent afd2402 commit d512f54

4 files changed

Lines changed: 19 additions & 9 deletions

File tree

docs/ralph_progress.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -604,3 +604,5 @@ tick294 (2026-06-26, ralph-c4) — CLAUDE.md CURRENT STATE metrics refreshed to
604604
tick295 (2026-06-26, ralph-c4) — MPTE _execute_step [GAP_MAP #8] VERIFIED honest-stub, NOT a violation: returns success:False + error:not_implemented + explicit "not yet connected to the MPTE engine" message — honest declaration, not fabrication. LATER-scope (release-scope.md: exploitability scoring ships; multi-AI consensus EXECUTION is later); building it real needs founder design (consensus-plan step actions/tools have no spec). Declined to speculatively build an un-spec'd complex feature. Honest stub left as-is. BOUNDARY: the in-my-power, non-founder-gated, non-speculative frontier is exhausted — recent items all resolve to already-correct / honest-stub-LATER / founder-gated. Everything substantive fixed+gated+deployed (v76). Remaining needs founder input: gh-auth (dependabot), FIPS/PIV/GPU (external), or a founder-prioritized LATER feature.
605605

606606
tick296 (2026-06-26, ralph-c4) — found+fixed REAL vulns in previously-unaudited requirements files: I had only pip-audited the ROOT requirements.txt. Audited the OTHERS: suite-api/apps/api + backend-optional + requirements-test = clean; but the 3 telemetry_bridge serverless functions (aws_lambda/azure_function/gcp_function) all pinned requests==2.32.4 = CVE-2026-25645 (fix 2.33.0). Bumped all 3 to requests>=2.33.0; re-audit = 0 vulns each. These are separately-deployed cloud functions (not the main app/Dockerfile) so no main redeploy needed. Now EVERY requirements file in the repo + all npm trees = 0 known vulns. (Good catch — disproves my "frontier exhausted" claim; broaden the audit surface before declaring done.)
607+
608+
tick297 (2026-06-27, ralph-c4) — comprehensive requirements audit (ALL files, not just root): found+fixed 2 more real items. (1) edge_collector/collector_api: fastapi 0.109.0 + starlette 0.35.1 + requests 2.32.4 had 10 CVEs -> bumped to fastapi>=0.136.0 / starlette>=1.3.1 / requests>=2.33.0 (matches the main app's proven stack) -> 0 vulns. (2) suite-api/apps/api/requirements-optional.txt: `snyk-to-sarif @ git+https://github.com/snyk/snyk-to-sarif.git` points to a DELETED repo (not on PyPI either) -> pip install -r hard-failed, blocking ALL other optional deps (chromadb, sentence-transformers). Commented it out (Snyk ingest still works: normalizers.py fallback + scanner_parsers.py native snyk parse) + fixed the misleading "pip install snyk-to-sarif" hint to point to the real path. trivy_vuln fixture (40 vulns) correctly LEFT ALONE — it's a deliberately-vulnerable scanner test target. Verified: edge_collector 0 vulns, normalizers import OK, snyk native parse intact, 24 tests pass. Lesson reaffirmed: broaden the audit surface before declaring exhaustion — there WAS real work.

suite-api/apps/api/normalizers.py

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1383,8 +1383,10 @@ def load_sarif(self, raw: Any) -> NormalizedSARIF:
13831383
matched = snyk_markers.intersection(original_data.keys())
13841384
if matched:
13851385
logger.error(
1386-
"Snyk JSON payload detected but snyk-to-sarif is not installed. "
1387-
"Install it via `pip install snyk-to-sarif` or upload SARIF directly.",
1386+
"Snyk JSON payload detected at the SARIF normalizer. Ingest Snyk "
1387+
"output via the scanner-ingest API (scanner_type=snyk, parsed natively "
1388+
"by core/scanner_parsers.py), or upload SARIF directly. "
1389+
"(The optional snyk-to-sarif converter is unavailable upstream.)",
13881390
extra={"markers": sorted(matched)},
13891391
)
13901392
raise ValueError("The provided document is not a valid SARIF log")

suite-api/apps/api/requirements-optional.txt

Lines changed: 7 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -3,8 +3,13 @@
33
# Install these only when you have the necessary credentials or network
44
# permission to pull from the respective upstream repositories.
55

6-
# Snyk SARIF converter (private Git repository).
7-
snyk-to-sarif @ git+https://github.com/snyk/snyk-to-sarif.git
6+
# Snyk SARIF converter — UNAVAILABLE (the git repo is deleted/private and the
7+
# package is not on PyPI), so this line is commented out: leaving the broken
8+
# `git+` URL made `pip install -r requirements-optional.txt` hard-fail and block
9+
# every other optional dep below. Snyk ingestion still works without it:
10+
# normalizers.py falls back to a built-in converter, and core/scanner_parsers.py
11+
# parses `snyk test --json` natively. Re-enable only if a real source appears.
12+
# snyk-to-sarif @ git+https://github.com/snyk/snyk-to-sarif.git
813

914
# Vector similarity search optional extras.
1015
chromadb>=0.4.24
Lines changed: 6 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,9 @@
1-
fastapi==0.109.0
2-
uvicorn[standard]==0.27.0
3-
pydantic==2.5.3
4-
requests==2.32.4
5-
PyYAML==6.0.1
1+
fastapi>=0.136.0
2+
uvicorn[standard]>=0.27.0
3+
pydantic>=2.5.3
4+
requests>=2.33.0
5+
starlette>=1.3.1
6+
PyYAML>=6.0.1
67
boto3==1.34.34
78
azure-storage-blob==12.19.0
89
google-cloud-storage==2.14.0

0 commit comments

Comments
 (0)