From 9db0516b73a17879ffc71897ffd777de59b13974 Mon Sep 17 00:00:00 2001
From: Erik Jaegervall
Date: Wed, 20 Nov 2024 13:10:24 +0100
Subject: [PATCH] Fix aiohttp vulnerability
---
 .project-creation/.skeleton/requirements.in | 2 +-
 .project-creation/.skeleton/requirements.txt | 20 ++++---
 NOTICE-3RD-PARTY-CONTENT.md | 59 ++++++++++---------
 README.md | 59 +++++++++++++++++++
 examples/seat-adjuster/requirements.in | 2 +-
 examples/seat-adjuster/requirements.txt | 18 +++---
 requirements-links.txt | 1 -
 requirements.txt | 62 +++++++++++---------
 setup.py | 2 +-
 9 files changed, 148 insertions(+), 77 deletions(-)
diff --git a/.project-creation/.skeleton/requirements.in b/.project-creation/.skeleton/requirements.in
index 3fe25684..e6fedc25 100644
--- a/.project-creation/.skeleton/requirements.in
+++ b/.project-creation/.skeleton/requirements.in
@@ -15,4 +15,4 @@
 grpcio==1.64.1
 protobuf==5.27.2
 cloudevents==1.11.0
-aiohttp==3.10.5
+aiohttp==3.10.11
diff --git a/.project-creation/.skeleton/requirements.txt b/.project-creation/.skeleton/requirements.txt
index 1ac04dd8..3a564d8c 100644
--- a/.project-creation/.skeleton/requirements.txt
+++ b/.project-creation/.skeleton/requirements.txt
@@ -4,13 +4,13 @@ # # pip-compile # -aiohappyeyeballs==2.4.0 +aiohappyeyeballs==2.4.3 # via aiohttp -aiohttp==3.10.5 +aiohttp==3.10.11 # via -r requirements.in aiosignal==1.3.1 # via aiohttp -async-timeout==4.0.3 +async-timeout==5.0.1 # via aiohttp attrs==24.2.0 # via aiohttp
@@ -18,21 +18,25 @@ cloudevents==1.11.0 # via -r requirements.in deprecation==2.1.0 # via cloudevents -frozenlist==1.4.1 +frozenlist==1.5.0 # via # aiohttp # aiosignal grpcio==1.64.1 # via -r requirements.in -idna==3.8 +idna==3.10 # via yarl -multidict==6.0.5 +multidict==6.1.0 # via # aiohttp # yarl -packaging==24.1 +packaging==24.2 # via deprecation +propcache==0.2.0 # via yarl protobuf==5.27.2 # via -r requirements.in -yarl==1.9.7 +typing-extensions==4.12.2 # via multidict +yarl==1.17.2 # via aiohttp
diff --git a/NOTICE-3RD-PARTY-CONTENT.md b/NOTICE-3RD-PARTY-CONTENT.md index ae284afe..75745eb5 100644 --- a/NOTICE-3RD-PARTY-CONTENT.md +++ b/NOTICE-3RD-PARTY-CONTENT.md @@ -3,35 +3,35 @@ ## Python | Dependency | Version | License | |:-----------|:-------:|--------:| -|aiohappyeyeballs|2.4.0|Other/Proprietary License
Python Software Foundation License| -|aiohttp|3.10.5|Apache 2.0| +|aiohappyeyeballs|2.4.3|Python Software Foundation License| +|aiohttp|3.10.11|Apache 2.0| |aiosignal|1.3.1|Apache 2.0| |APScheduler|3.10.4|MIT| -|async-timeout|4.0.3|Apache 2.0| +|async-timeout|5.0.1|Apache 2.0| |attrs|24.2.0|MIT| -|build|1.2.1|MIT| +|build|1.2.2.post1|MIT| |cachetools|5.5.0|MIT| |cfgv|3.4.0|MIT| |chardet|5.2.0|LGPL| |click|8.1.7|New BSD| |cloudevents|1.11.0|Apache 2.0| |colorama|0.4.6|BSD| -|coverage|7.6.1|Apache 2.0| -|Deprecated|1.2.14|MIT| +|coverage|7.6.7|Apache 2.0| +|Deprecated|1.2.15|MIT| |deprecation|2.1.0|Apache 2.0| -|distlib|0.3.8|Python Software Foundation License| +|distlib|0.3.9|Python Software Foundation License| |exceptiongroup|1.2.2|MIT| -|filelock|3.15.4|The Unlicense (Unlicense)| -|frozenlist|1.4.1|Apache 2.0| +|filelock|3.16.1|The Unlicense (Unlicense)| +|frozenlist|1.5.0|Apache 2.0| |grpc-stubs|1.53.0.5|MIT| |grpcio|1.64.1|Apache 2.0| |grpcio-tools|1.64.1|Apache 2.0| -|identify|2.6.0|MIT| -|idna|3.8|BSD| +|identify|2.6.2|MIT| +|idna|3.10|BSD| |importlib-metadata|7.1.0|Apache 2.0| |iniconfig|2.0.0|MIT| -|multidict|6.0.5|Apache 2.0| -|mypy|1.11.2|MIT| +|multidict|6.1.0|Apache 2.0| +|mypy|1.13.0|MIT| |mypy-extensions|1.0.0|MIT| |mypy-protobuf|3.6.0|Apache 2.0| |nodeenv|1.9.1|BSD| @@ -41,35 +41,36 @@ |opentelemetry-instrumentation-logging|0.46b0|Apache 2.0| |opentelemetry-sdk|1.25.0|Apache 2.0| |opentelemetry-semantic-conventions|0.46b0|Apache 2.0| -|packaging|24.1|Apache 2.0
BSD| +|packaging|24.2|Apache 2.0
BSD| |paho-mqtt|2.1.0|OSI Approved| |pip|23.0.1|MIT| |pip-tools|7.4.1|BSD| -|platformdirs|4.2.2|MIT| +|platformdirs|4.3.6|MIT| |pluggy|1.5.0|MIT| -|pre-commit|3.8.0|MIT| +|pre-commit|4.0.1|MIT| +|propcache|0.2.0|Apache 2.0| |protobuf|5.27.2|Google License| -|pyproject-api|1.7.1|MIT| -|pyproject-hooks|1.1.0|MIT| -|pytest|8.3.2|MIT| +|pyproject-api|1.8.0|MIT| +|pyproject-hooks|1.2.0|MIT| +|pytest|8.3.3|MIT| |pytest-asyncio|0.24.0|Apache 2.0| -|pytest-cov|5.0.0|MIT| -|pytz|2024.1|MIT| +|pytest-cov|6.0.0|MIT| +|pytz|2024.2|MIT| |PyYAML|6.0.2|MIT| |setuptools|65.5.1|MIT| |six|1.16.0|MIT| -|tomli|2.0.1|MIT| -|tox|4.18.0|MIT| -|types-Deprecated|1.2.9.20240311|Apache 2.0| +|tomli|2.1.0|MIT| +|tox|4.23.2|MIT| +|types-Deprecated|1.2.15.20241117|Apache 2.0| |types-mock|5.1.0.20240425|Apache 2.0| -|types-protobuf|5.27.0.20240626|Apache 2.0| +|types-protobuf|5.28.3.20241030|Apache 2.0| |typing-extensions|4.12.2|Python Software Foundation License| |tzlocal|5.2|MIT| -|virtualenv|20.26.3|MIT| -|wheel|0.44.0|MIT| +|virtualenv|20.27.1|MIT| +|wheel|0.45.0|MIT| |wrapt|1.16.0|BSD| -|yarl|1.9.7|Apache 2.0| -|zipp|3.20.1|MIT| +|yarl|1.17.2|Apache 2.0| +|zipp|3.21.0|MIT| ## Workflows | Dependency | Version | License | |:-----------|:-------:|--------:| diff --git a/README.md b/README.md index c8926b80..f97d1c01 100644 --- a/README.md +++ b/README.md 
@@ -63,3 +63,62 @@ By default the examples are started using the native middleware. Dapr middleware
 - [GitHub Issues](https://github.com/eclipse-velocitas/vehicle-app-python-sdk/issues)
 - [Mailing List](https://accounts.eclipse.org/mailing-list/velocitas-dev)
 - [Contribution](./CONTRIBUTING.md/)
+
+### Creating a new release
+
+1. Tag the commit and upload to GitHub
+
+Create a tag of the form `vX.Y.X` and upload to the repository.
+That will trigger the [release](https://github.com/eclipse-velocitas/vehicle-app-python-sdk/actions/workflows/release.yaml) workflow.
+If the action is successfully executed a new [GitHub release](https://github.com/eclipse-velocitas/vehicle-app-python-sdk/releases) shall have been created as well as as
+a new version of `velocitas-lib` published in [PyPI](https://pypi.org/project/velocitas-sdk/).
+
+2. Update examples
+
+This repository contain some requirement files that reference itself.
+We cannot update the version numbers in those files until we have created a [PyPI](https://pypi.org/project/velocitas-sdk/) release, as Continuous Integration then will fail.
+But that also means that a released version like `1.2.3` will contain references to an older version.
+
+For now the best approach is to update them on `main` branch after we have created the release.
+Update `velocitas-sdk` version number in the following files
+
+* `.project-creation/.skeleton/requirements-velocitas.txt`
+* `examples/seat-adjuster/requirements-velocitas.txt`
+
+Use the version number used for the release.
+
+2. Create a Pull Request and merge the updated version numbers
+
+### Updating Dependencies
+
+This repository specify exact Python versions in `setup.py` and other files.
+If a version needs to be updated, for example if a vulnerability is detected, the following approach needs to be followed
+
+1. Update version in `setup.py` if needed
+2. Update generated requirement files.
+
+```bash
+pip-compile -U --extra=dev
+```
+
+3. 
Update version in `examples/seat-adjuster/requirements.in` if needed
+4. Update generated file for Seat Adjuster
+
+```bash
+cd examples/seat-adjuster
+pip-compile -U
+```
+
+5. Update version in `.project-creation/.skeleton/requirements.in` if needed
+6. Update generated file for Skeleton
+
+```bash
+cd .project-creation/.skeleton/
+pip-compile -U
+```
+
+7. Update `NOTICE-3RD-PARTY-CONTENT.md`
+
+The easiest way to do it is to create a Pull Request.
+Then the [check license workflow](https://github.com/eclipse-velocitas/vehicle-app-python-sdk/actions/workflows/check-licenses.yml) will fail as versions used no longer match versions stated in the file.
+Copy output from the workflow to the `NOTICE-3RD-PARTY-CONTENT.md` file and update the Pull Request.
diff --git a/examples/seat-adjuster/requirements.in b/examples/seat-adjuster/requirements.in
index 76c99468..0c76c698 100644
--- a/examples/seat-adjuster/requirements.in
+++ b/examples/seat-adjuster/requirements.in
@@ -15,5 +15,5 @@
 grpcio==1.64.1
 protobuf==5.27.2
 cloudevents==1.11.0
-aiohttp==3.10.5
+aiohttp==3.10.11
 packaging==24.1
diff --git a/examples/seat-adjuster/requirements.txt b/examples/seat-adjuster/requirements.txt
index 6f5422a4..922f0694 100644
--- a/examples/seat-adjuster/requirements.txt
+++ b/examples/seat-adjuster/requirements.txt
@@ -4,13 +4,13 @@ # # pip-compile # -aiohappyeyeballs==2.4.0 +aiohappyeyeballs==2.4.3 # via aiohttp -aiohttp==3.10.5 +aiohttp==3.10.11 # via -r requirements.in aiosignal==1.3.1 # via aiohttp -async-timeout==4.0.3 +async-timeout==5.0.1 # via aiohttp attrs==24.2.0 # via aiohttp
@@ -18,15 +18,15 @@ cloudevents==1.11.0 # via -r requirements.in deprecation==2.1.0 # via cloudevents -frozenlist==1.4.1 +frozenlist==1.5.0 # via # aiohttp # aiosignal grpcio==1.64.1 # via -r requirements.in -idna==3.8 +idna==3.10 # via yarl -multidict==6.0.5 +multidict==6.1.0 # via # aiohttp # yarl
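Review bot: The new "Updating Dependencies" steps prescribe `pip-compile -U`, which refreshes every transitive pin at once, so a commit meant to fix one aiohttp advisory also drags tox, pre-commit, mypy, pytest-cov and a dozen other unrelated upgrades into the same lockfile diffs and the security-relevant change cannot be reviewed in isolation. For a targeted fix the procedure should document `pip-compile --upgrade-package aiohttp --extra=dev` (and the same flag in the two example directories), keeping `-U` for deliberate full refreshes; adding `--generate-hashes` would also let `pip install --require-hashes` verify the downloaded artifacts rather than only the version strings. Since the section states that `setup.py` pins exact versions, it is worth a sentence noting that every downstream application must wait for an SDK release before it can pick up such a fix, which presumably argues for a compatible range in `install_requires` and exact pins only in the generated files. Text fixes in the same hunk: the tag form reads `vX.Y.X` (presumably `vX.Y.Z`), step `2.` appears twice under "Creating a new release", and the package is called `velocitas-lib` in one place while the PyPI link and later steps say `velocitas-sdk`.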
@@ -34,7 +34,11 @@ packaging==24.1 # via # -r requirements.in # deprecation +propcache==0.2.0 + # via yarl protobuf==5.27.2 # via -r requirements.in -yarl==1.9.7 +typing-extensions==4.12.2 + # via multidict +yarl==1.17.2 # via aiohttp diff --git a/requirements-links.txt b/requirements-links.txt index 3cc17303..e69de29b 100644 --- a/requirements-links.txt +++ b/requirements-links.txt @@ -1 +0,0 @@ -git+https://github.com/eclipse-velocitas/vehicle-model-python.git@v0.3.0 diff --git a/requirements.txt b/requirements.txt index 0a599439..2047047b 100755 --- a/requirements.txt +++ b/requirements.txt @@ -4,19 +4,19 @@ # # pip-compile --extra=dev # -aiohappyeyeballs==2.4.0 +aiohappyeyeballs==2.4.3 # via aiohttp -aiohttp==3.10.5 +aiohttp==3.10.11 # via velocitas_sdk (setup.py) aiosignal==1.3.1 # via aiohttp apscheduler==3.10.4 # via velocitas_sdk (setup.py) -async-timeout==4.0.3 +async-timeout==5.0.1 # via aiohttp attrs==24.2.0 # via aiohttp -build==1.2.1 +build==1.2.2.post1 # via pip-tools cachetools==5.5.0 # via tox @@ -30,23 +30,23 @@ cloudevents==1.11.0 # via velocitas_sdk (setup.py) colorama==0.4.6 # via tox -coverage[toml]==7.6.1 +coverage[toml]==7.6.7 # via pytest-cov -deprecated==1.2.14 +deprecated==1.2.15 # via # opentelemetry-api # velocitas_sdk (setup.py) deprecation==2.1.0 # via cloudevents -distlib==0.3.8 +distlib==0.3.9 # via virtualenv exceptiongroup==1.2.2 # via pytest -filelock==3.15.4 +filelock==3.16.1 # via # tox # virtualenv -frozenlist==1.4.1 +frozenlist==1.5.0 # via # aiohttp # aiosignal @@ -59,19 +59,19 @@ grpcio==1.64.1 # velocitas_sdk (setup.py) grpcio-tools==1.64.1 # via velocitas_sdk (setup.py) -identify==2.6.0 +identify==2.6.2 # via pre-commit -idna==3.8 +idna==3.10 # via yarl importlib-metadata==7.1.0 # via opentelemetry-api iniconfig==2.0.0 # via pytest -multidict==6.0.5 +multidict==6.1.0 # via # aiohttp # yarl -mypy==1.11.2 +mypy==1.13.0 # via velocitas_sdk (setup.py) mypy-extensions==1.0.0 # via mypy 
@@ -101,7 +101,7 @@ opentelemetry-sdk==1.25.0 # velocitas_sdk (setup.py) opentelemetry-semantic-conventions==0.46b0 # via opentelemetry-sdk -packaging==24.1 +packaging==24.2 # via # build # deprecation @@ -112,7 +112,7 @@ paho-mqtt==2.1.0 # via velocitas_sdk (setup.py) pip-tools==7.4.1 # via velocitas_sdk (setup.py) -platformdirs==4.2.2 +platformdirs==4.3.6 # via # tox # virtualenv @@ -120,35 +120,37 @@ pluggy==1.5.0 # via # pytest # tox -pre-commit==3.8.0 +pre-commit==4.0.1 # via velocitas_sdk (setup.py) +propcache==0.2.0 + # via yarl protobuf==5.27.2 # via # grpcio-tools # mypy-protobuf # velocitas_sdk (setup.py) -pyproject-api==1.7.1 +pyproject-api==1.8.0 # via tox -pyproject-hooks==1.1.0 +pyproject-hooks==1.2.0 # via # build # pip-tools -pytest==8.3.2 +pytest==8.3.3 # via # pytest-asyncio # pytest-cov # velocitas_sdk (setup.py) pytest-asyncio==0.24.0 # via velocitas_sdk (setup.py) -pytest-cov==5.0.0 +pytest-cov==6.0.0 # via velocitas_sdk (setup.py) -pytz==2024.1 +pytz==2024.2 # via apscheduler pyyaml==6.0.2 # via pre-commit six==1.16.0 # via apscheduler -tomli==2.0.1 +tomli==2.1.0 # via # build # coverage @@ -157,33 +159,35 @@ tomli==2.0.1 # pyproject-api # pytest # tox -tox==4.18.0 +tox==4.23.2 # via velocitas_sdk (setup.py) -types-deprecated==1.2.9.20240311 +types-deprecated==1.2.15.20241117 # via velocitas_sdk (setup.py) types-mock==5.1.0.20240425 # via velocitas_sdk (setup.py) -types-protobuf==5.27.0.20240626 +types-protobuf==5.28.3.20241030 # via mypy-protobuf typing-extensions==4.12.2 # via + # multidict # mypy # opentelemetry-sdk + # tox tzlocal==5.2 # via apscheduler -virtualenv==20.26.3 +virtualenv==20.27.1 # via # pre-commit # tox -wheel==0.44.0 +wheel==0.45.0 # via pip-tools wrapt==1.16.0 # via # deprecated # opentelemetry-instrumentation -yarl==1.9.7 +yarl==1.17.2 # via aiohttp -zipp==3.20.1 +zipp==3.21.0 # via importlib-metadata # The following packages are considered to be unsafe in a requirements file: 
diff --git a/setup.py b/setup.py
index 70afb78f..386757d9 100644
--- a/setup.py
+++ b/setup.py
@@ -18,7 +18,7 @@
 "grpcio==1.64.1",
 "protobuf==5.27.2",
 "cloudevents==1.11.0",
- "aiohttp==3.10.5",
+ "aiohttp==3.10.11",
 "paho-mqtt==2.1.0",
 "opentelemetry-distro==0.46b0",
 "opentelemetry-instrumentation-logging==0.46b0",