fix some security issues reported by scorecard by trz42 · Pull Request #349 · EESSI/eessi-bot-software-layer

trz42 · 2025-11-06T15:02:30Z

GHSA-3ww4-gg4f-jr7f fixed with cryptography >= 42.0.0, see https://osv.dev/vulnerability/GHSA-3ww4-gg4f-jr7f
GHSA-9v9h-cgj8-h64p fixed with cryptography >= 42.0.2, see https://osv.dev/vulnerability/GHSA-9v9h-cgj8-h64p
PYSEC-2021-62 / GHSA-hggm-jpg3-v476 fixed with either of the above changes
PYSEC-2017-8 / GHSA-q3cj-2r34-2cwc fixed with either of the above changes
GHSA-3f84-rpwh-47g6 fixed with waitress >= 3.0.1, see https://osv.dev/vulnerability/GHSA-3f84-rpwh-47g6
GHSA-4f7p-27jc-3c36 fixed with the above
GHSA-j7j6-7hfx-5522 fixed with the above
GHSA-968f-66r5-5v74 fixed with the above
GHSA-g2xc-35jw-c63p fixed with the above
GHSA-m5ff-3wj3-8ph4 fixed with the above
GHSA-pg36-wpm5-g57p fixed with the above
PYSEC-2020-155 fixed with the above
pinning versions of pytest and pytest-cov for tests CI
- this also required pinning dependencies and creating a requirements-lock.txt file in the workflow directory

ocaisa

LGTM

trz42 · 2025-11-06T15:43:30Z

LGTM

Sorry, still working on it.

…not be satisfied for all Python versions

trz42 · 2025-11-06T18:31:16Z

Now, this should be ready for review. May not solve all issues, but should be a step forward.

ocaisa

Ha, smells like a workaround!

require newer version of Python cryptography library

6c11d10

trz42 added the enhancement label Nov 6, 2025

truib added 5 commits November 6, 2025 16:05

run tests on Python 3.7 and 3.8

0b36563

attempt to run tests for Python 3.7 and more

e57ddc1

bump cryptography to 42.0.2

5c36bcd

bump Waitress to 3.0.1

230ba06

Python 3.8 or older not supported with Waitress >= 3.0.1

2813688

ocaisa approved these changes Nov 6, 2025

View reviewed changes

trz42 marked this pull request as draft November 6, 2025 15:43

pin pytest and pytest-cov to specific versions and add hash

966d4ef

github-advanced-security AI found potential problems Nov 6, 2025

View reviewed changes

Comment thread .github/workflows/tests.yaml Fixed

Comment thread .github/workflows/tests.yaml Fixed

try to pin versions of needed Python packages

cc0ea64

github-advanced-security AI found potential problems Nov 6, 2025

View reviewed changes

Comment thread .github/workflows/tests.yaml Fixed

truib added 3 commits November 6, 2025 17:20

also pin exceptiongroup in packages required for CI

e942e4f

also pin iniconfig in packages required for CI

2ab4faa

pin versions but don't use hash as it may create constraints that can…

3e71e8e

…not be satisfied for all Python versions

github-advanced-security AI found potential problems Nov 6, 2025

View reviewed changes

Comment thread .github/workflows/tests.yaml Fixed

Comment thread .github/workflows/tests.yaml Fixed

also pin pip and flake8

4fe5728

github-advanced-security AI found potential problems Nov 6, 2025

View reviewed changes

Comment thread .github/workflows/tests.yaml Fixed

Comment thread .github/workflows/tests.yaml Fixed

Comment thread .github/workflows/tests.yaml Fixed

another attempt at pinning pip installs with hashes

c097611

github-advanced-security AI found potential problems Nov 6, 2025

View reviewed changes

Comment thread .github/workflows/tests.yaml Fixed

truib added 8 commits November 6, 2025 17:52

fix syntax issue in requirements file

8c9b1cb

pin different versions for iniconfig

2dc2ded

pin versions for packaging and typing-extensions

a29e6d5

pin pluggy and use different version for iniconfig with Python 3.9

653bb27

pin pygments

820bcd9

pin tomli

b826165

pin coverage

e59ed2d

pin mccabe

9a5943b

truib added 4 commits November 6, 2025 18:17

pin pycodestyle

973fe41

pin pyflakes

f29bc3f

also install packages needed by code to be tested

918db56

try fixing requirements file pinning issue

e0753df

github-advanced-security AI found potential problems Nov 6, 2025

View reviewed changes

Comment thread .github/workflows/tests.yaml Fixed

rename requirements file for tests

65a341d

github-advanced-security AI found potential problems Nov 6, 2025

View reviewed changes

Comment thread .github/workflows/tests.yaml Fixed

truib added 3 commits November 6, 2025 19:14

rename requirements file for tests

449bc0c

move requirements file for tests to workflow directory

922b154

fix small typo

1fe8b71

trz42 marked this pull request as ready for review November 6, 2025 18:30

trz42 requested a review from ocaisa November 6, 2025 18:31

trz42 changed the title ~~fix security issues reported by scorecard~~ fix some security issues reported by scorecard Nov 6, 2025

ocaisa approved these changes Nov 6, 2025

View reviewed changes

ocaisa merged commit 030c450 into EESSI:develop Nov 6, 2025
9 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix some security issues reported by scorecard#349

fix some security issues reported by scorecard#349
ocaisa merged 29 commits into
EESSI:developfrom
trz42:fix_security_issues

trz42 commented Nov 6, 2025 •

edited

Loading

Uh oh!

ocaisa left a comment

Uh oh!

trz42 commented Nov 6, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

trz42 commented Nov 6, 2025

Uh oh!

ocaisa left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

trz42 commented Nov 6, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

ocaisa left a comment

Choose a reason for hiding this comment

Uh oh!

trz42 commented Nov 6, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

trz42 commented Nov 6, 2025

Uh oh!

ocaisa left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

trz42 commented Nov 6, 2025 •

edited

Loading