adding pinning to python/ansible dependencies that are used during te…

…sting, also adding an ignore to CVE-2019-8341(70612) in saftey scanning, since this is a transient dependency in the builder container

Signed-off-by: Adam D. Cornett <adc@redhat.com>

hack/generate/samples/ansible/memcached.go

@@ -73,12 +73,3 @@ func addingAnsibleTask(dir string, gvk schema.GroupVersionKind) {
 		"# TODO(user): Add fields here", "size: 1")
 	pkg.CheckError("updating sample CR", err)
 }
-
-// replaceKustomizeVersion will replace the kustomize version used in the
-// Makefile to the version specified
-func replaceKustomizeVersion(dir string, version string) {
-	err := kbutil.ReplaceInFile(filepath.Join(dir, "Makefile"),
-		"curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v5.1.1/kustomize_v5.1.1_$(OS)_$(ARCH).tar.gz | \\",
-		fmt.Sprintf("curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/%s/kustomize_%s_$(OS)_$(ARCH).tar.gz | \\", version, version))
-	pkg.CheckError(fmt.Sprintf("replacing kustomize version to %s", version), err)
-}

hack/tests/e2e-ansible-molecule.sh

@@ -30,9 +30,10 @@ pip3 install pyasn1==0.4.7 pyasn1-modules==0.2.6 idna==2.8 ipaddress==1.0.23
 pip3 install cryptography molecule==5.1.0
 pip3 install ansible-lint yamllint
 pip3 install docker kubernetes jmespath
+pip3 install requests==2.32.2
 ansible-galaxy collection install 'kubernetes.core:==2.4.0'
 ansible-galaxy collection install 'operator_sdk.util:==0.4.0'
-ansible-galaxy collection install 'community.docker:==3.4.0'
+ansible-galaxy collection install 'community.docker:==3.10.3'
 
 header_text "Copying molecule testdata scenarios"
 ROOTDIR="$(pwd)"

images/ansible-operator/Dockerfile

@@ -25,7 +25,12 @@ RUN set -e && yum clean all && rm -rf /var/cache/yum/* \
   && pip3 install --upgrade pip~=23.3.2 \
   && pip3 install pipenv==2023.11.15 \
   && pipenv install --deploy \
-  && pipenv check \
+  # NOTE: This ignored vulnerability (70612) was detected in jinja2, \
+  # but the vulnerability is disputed and may never be fixed. See: \
+  #  - https://github.com/advisories/GHSA-f6pv-j8mr-w6rr \
+  #  - https://github.com/dbt-labs/dbt-core/issues/10250 \
+  #  - https://data.safetycli.com/v/70612/97c/ \
+  && pipenv check --ignore 70612 \
   && yum remove -y gcc libffi-devel openssl-devel python39-devel \
   && yum clean all \
   && rm -rf /var/cache/yum

images/ansible-operator/pipfile.Dockerfile

@@ -21,7 +21,12 @@ RUN set -e && yum clean all && rm -rf /var/cache/yum/* \
   && pip3 install --upgrade pip~=23.3.2 \
   && pip3 install pipenv==2023.11.15 \
   && pipenv lock \
-  && pipenv check \
+  # NOTE: This ignored vulnerability (70612) was detected in jinja2, \
+  # but the vulnerability is disputed and may never be fixed. See: \
+  #  - https://github.com/advisories/GHSA-f6pv-j8mr-w6rr \
+  #  - https://github.com/dbt-labs/dbt-core/issues/10250 \
+  #  - https://data.safetycli.com/v/70612/97c/ \
+  && pipenv check --ignore 70612 \
   && yum remove -y gcc libffi-devel openssl-devel python39-devel \
   && yum clean all \
   && rm -rf /var/cache/yum

pkg/plugins/ansible/v1/scaffolds/internal/templates/requirements.go

@@ -42,5 +42,5 @@ collections:
   - name: cloud.common
     version: "2.1.1"
   - name: community.docker
-    version: "3.4.5"
+    version: "3.10.3"
 `

testdata/memcached-molecule-operator/requirements.yml

@@ -7,4 +7,4 @@ collections:
   - name: cloud.common
     version: "2.1.1"
   - name: community.docker
-    version: "3.4.5"
+    version: "3.10.3"