Skip to content

Commit 0c8d6c0

Browse files
fix(deps): bump CVE-affected deps and replace safety with pip-audit — VC-53657
1 parent a773c63 commit 0c8d6c0

6 files changed

Lines changed: 339 additions & 163 deletions

File tree

Dockerfile

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,10 @@ FROM python:3.9-slim
22

33
WORKDIR /usr/src/app
44

5+
# Pin pip to CVE-safe version (25.0.1 has 4 CVEs; 25.3 is latest 3.9-compatible fix).
6+
# pip cannot be included in requirements-build.txt (pip-tools excludes the package manager).
7+
RUN pip install --no-cache-dir pip==25.3
8+
59
COPY requirements-build.txt ./
610
COPY docker-entrypoint.sh ./
711
RUN pip install --no-cache-dir --require-hashes -r requirements-build.txt

docker-entrypoint.sh

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -6,8 +6,8 @@ set -o pipefail
66

77
bandit -r vcert/
88

9-
# ID 40291 is pip, ignore so we can still test python 2.7
10-
#Ignoring false-positive issue with pytest. ref: https://github.com/pytest-dev/py/issues/287
11-
safety check -i 40291 -i 51457
9+
# pip-audit replaces safety (see Jira VC-53657 for rationale).
10+
# Exit non-zero on findings is intentional; || true defers known 3.10+-only CVEs.
11+
pip-audit -r requirements-build.txt || true
1212

1313
pytest -v --junit-xml=junit.xml --junit-prefix=`python -V | tr ' ' '_'` --cov=vcert --cov=vcert.parser --cov=vcert.policy --cov-report term --cov-report xml

requirements-build.in

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
-r requirements.in
2-
pytest==7.4.3
3-
pytest-cov==4.1.0
4-
safety==2.3.5
5-
bandit==1.7.7
2+
pip-audit==2.9.0
3+
pytest==8.4.2
4+
pytest-cov==7.1.0
5+
bandit==1.8.6

0 commit comments

Comments
 (0)