Update version and removed unused curations for security issues (#70)

* Update version and removed unused curations for security issues * Fix NOTICE_3rd... * Perform self review * Increased version of SDK to prepare release
eclipse-velocitas · Apr 6, 2023 · 73433fa · 73433fa
1 parent cd811be
commit 73433fa
Show file tree

Hide file tree

Showing 4 changed files with 103 additions and 119 deletions.
diff --git a/.ort.yml b/.ort.yml
@@ -54,37 +54,3 @@ curations:
     curations:
       comment: "Bosch maintained component"
       concluded_license: "Apache-2.0"
-
-
-resolutions:
-  vulnerabilities:
-  - id: "CVE-2022-42969"
-    reason: "INEFFECTIVE_VULNERABILITY"
-    comment: "Vulnerability only applicable for SVN projects. Requires a change to be made by a third party https://github.com/pytest-dev/py/issues/287"
-  - id: "CVE-2018-20225"
-    reason: "MITIGATED_VULNERABILITY"
-    comment: "Mitigating control: avoiding use of the --extra-index-url parameter for pip"
-  - id: "CVE-2019-20907"
-    reason: "INVALID_MATCH_VULNERABILITY"
-    comment: "Only applicable for python version <=3.8.3 or <3.9.0-b5 python 3.10 in use"
-  - id: "CVE-2019-20916"
-    reason: "INVALID_MATCH_VULNERABILITY"
-    comment: "pip < 19.2 is affected pip in use 22.3.1"
-  - id: "sonatype-2012-0071"
-    reason: "INVALID_MATCH_VULNERABILITY"
-    comment: "only relevan for python 2.7 python 3.10 in use"
-  - id: "sonatype-2022-6046"
-    reason: "INVALID_MATCH_VULNERABILITY"
-    comment: "affected wheel < 0.38.4 wheel = 0.38.4 in use"
-  - id: "	CVE-2022-33124"
-    reason: "CANT_FIX_VULNERABILITY"
-    comment: "aiohttp consider this vulnerability as false possitive. No prove that issue leads to DoS attack. Requires a change to be made by a third party"
-  - id: "CVE-2020-11023"
-    reason: "INEFFECTIVE_VULNERABILITY"
-    comment: "No evidences that pkg:pypi/deprecation@2.1.0 is affected. mainly jquery package is affected"
-  - id: "CVE-2022-24439"
-    reason: "INEFFECTIVE_VULNERABILITY"
-    comment: "bandit has dependency on gitpython but not using affected functinality. No usage of gitpython directly"
-  - id: "CVE-2022-23491"
-    reason:  "INVALID_MATCH_VULNERABILITY"
-    comment: "certifi is not used by our components directly or indirectly"
diff --git a/NOTICE-3RD-PARTY-CONTENT.md b/NOTICE-3RD-PARTY-CONTENT.md
@@ -5,39 +5,44 @@
 |:-----------|:-------:|--------:|
 |aiohttp|3.8.3|Apache 2.0|
 |aiosignal|1.3.1|Apache 2.0|
-|APScheduler|3.9.1.post1|MIT|
+|APScheduler|3.10.1|MIT|
 |async-timeout|4.0.2|Apache 2.0|
 |attrs|22.1.0|MIT|
-|bandit|1.7.4|Apache 2.0|
-|black|22.10.0|MIT|
-|build|0.9.0|MIT|
+|bandit|1.7.5|Apache 2.0|
+|black|23.3.0|MIT|
+|build|0.10.0|MIT|
+|cachetools|5.3.0|MIT|
 |cfgv|3.3.1|MIT|
+|chardet|5.1.0|LGPL|
 |charset-normalizer|2.1.1|MIT|
 |click|8.1.3|New BSD|
-|cloudevents|1.7.1|Apache 2.0|
-|coverage|6.5.0|Apache 2.0|
+|cloudevents|1.9.0|Apache 2.0|
+|colorama|0.4.6|BSD|
+|coverage|7.2.2|Apache 2.0|
 |dapr|1.8.3|Apache 2.0|
 |Deprecated|1.2.13|MIT|
 |deprecation|2.1.0|Apache 2.0|
 |distlib|0.3.6|Python Software Foundation License|
-|exceptiongroup|1.0.4|MIT|
-|filelock|3.8.2|The Unlicense (Unlicense)|
+|exceptiongroup|1.1.1|MIT|
+|filelock|3.10.7|The Unlicense (Unlicense)|
 |flake8|6.0.0|MIT|
-|flake8-bugbear|22.12.6|MIT|
+|flake8-bugbear|23.3.23|MIT|
 |frozenlist|1.3.3|Apache 2.0|
 |gitdb|4.0.10|BSD|
-|GitPython|3.1.29|BSD|
-|grpc-stubs|1.24.11|MIT|
+|GitPython|3.1.31|BSD|
+|grpc-stubs|1.24.12.1|MIT|
 |grpcio|1.48.2|Apache 2.0|
 |grpcio-tools|1.48.2|Apache 2.0|
-|identify|2.5.9|MIT|
+|identify|2.5.22|MIT|
 |idna|3.4|BSD|
-|iniconfig|1.1.1|MIT|
-|isort|5.10.1|MIT|
+|iniconfig|2.0.0|MIT|
+|isort|5.12.0|MIT|
+|markdown-it-py|2.2.0|MIT|
 |mccabe|0.7.0|MIT|
+|mdurl|0.1.2|MIT|
 |multidict|6.0.3|Apache 2.0|
-|mypy|0.991|MIT|
-|mypy-extensions|0.4.3|MIT|
+|mypy|1.1.1|MIT|
+|mypy-extensions|1.0.0|MIT|
 |mypy-protobuf|3.3.0|Apache 2.0|
 |nodeenv|1.7.0|BSD|
 |opentelemetry-api|1.14.0|Apache 2.0|
@@ -46,45 +51,45 @@
 |opentelemetry-instrumentation-logging|0.35b0|Apache 2.0|
 |opentelemetry-sdk|1.14.0|Apache 2.0|
 |opentelemetry-semantic-conventions|0.35b0|Apache 2.0|
-|packaging|21.3|Apache 2.0<br/>Simplified BSD|
+|packaging|23.0|Apache 2.0<br/>BSD|
 |paho-mqtt|1.6.1|OSI Approved|
-|pathspec|0.10.2|Mozilla Public License 2.0 (MPL 2.0)|
-|pbr|5.11.0|Apache 2.0|
-|pep517|0.13.0|MIT|
+|pathspec|0.11.1|Mozilla Public License 2.0 (MPL 2.0)|
+|pbr|5.11.1|Apache 2.0|
 |pip|23.0.1|MIT|
-|pip-tools|6.11.0|BSD|
-|platformdirs|2.6.0|MIT|
+|pip-tools|6.12.3|BSD|
+|platformdirs|3.2.0|MIT|
 |pluggy|1.0.0|MIT|
-|pre-commit|2.20.0|MIT|
+|pre-commit|3.2.2|MIT|
 |protobuf|3.20.3|Google License|
-|py|1.11.0|MIT|
 |pycodestyle|2.10.0|MIT|
-|pydocstyle|6.1.1|MIT|
+|pydocstyle|6.3.0|MIT|
 |pyflakes|3.0.1|MIT|
-|pyparsing|3.0.9|MIT|
-|pytest|7.2.0|MIT|
-|pytest-asyncio|0.20.2|Apache 2.0|
+|Pygments|2.14.0|Simplified BSD|
+|pyproject-api|1.5.1|MIT|
+|pyproject-hooks|1.0.0|MIT|
+|pytest|7.2.2|MIT|
+|pytest-asyncio|0.21.0|Apache 2.0|
 |pytest-cov|4.0.0|MIT|
 |python-dateutil|2.8.2|Apache 2.0<br/>BSD|
-|pytz|2022.6|MIT|
+|pytz|2023.3|MIT|
 |pytz-deprecation-shim|0.1.0.post0|Apache 2.0|
 |PyYAML|6.0|MIT|
+|rich|13.3.3|MIT|
 |setuptools|58.1.0|MIT|
 |six|1.16.0|MIT|
 |smmap|5.0.0|BSD|
 |snowballstemmer|2.2.0|New BSD|
-|stevedore|4.1.1|Apache 2.0|
-|toml|0.10.2|MIT|
+|stevedore|5.0.0|Apache 2.0|
 |tomli|2.0.1|MIT|
-|tox|3.27.1|MIT|
-|types-Deprecated|1.2.9|Apache 2.0|
-|types-mock|4.0.15.2|Apache 2.0|
-|types-protobuf|4.21.0.2|Apache 2.0|
+|tox|4.4.11|MIT|
+|types-Deprecated|1.2.9.2|Apache 2.0|
+|types-mock|5.0.0.6|Apache 2.0|
+|types-protobuf|4.22.0.2|Apache 2.0|
 |typing-extensions|4.4.0|Python Software Foundation License|
-|tzdata|2022.7|Apache 2.0|
-|tzlocal|4.2|MIT|
-|virtualenv|20.17.1|MIT|
-|wheel|0.38.4|MIT|
+|tzdata|2023.3|Apache 2.0|
+|tzlocal|4.3|MIT|
+|virtualenv|20.21.0|MIT|
+|wheel|0.40.0|MIT|
 |wrapt|1.14.1|BSD|
 |yarl|1.8.2|Apache 2.0|
 ## Workflows