From 5b44ced026da65714a4e2692b2e34f7a51b53454 Mon Sep 17 00:00:00 2001 From: "Mitch Harding (the weird one)" Date: Tue, 4 Jun 2024 14:34:43 -0400 Subject: [PATCH 1/3] CASMCMS-9019: Bump certifi version to resolve CVE --- CHANGELOG.md | 2 ++ constraints.txt.in | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ab6cffbe..2f3454d1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## [Unreleased] +### Dependencies +- Bumped `certifi` from 2022.12.7 to 2023.7.22 to resolve [SNYK-PYTHON-CERTIFI-5805047 CVE](https://security.snyk.io/vuln/SNYK-PYTHON-CERTIFI-5805047) ## [2.18.2] - 2024-05-31 ### Fixed diff --git a/constraints.txt.in b/constraints.txt.in index 1b2a58d2..dbd6a8e6 100644 --- a/constraints.txt.in +++ b/constraints.txt.in @@ -4,7 +4,7 @@ bos.server==0.0.1 boto3==1.26.165 botocore==1.29.165 cachetools==5.3.3 -certifi==2022.12.7 +certifi==2023.7.22 charset-normalizer==3.1.0 click==8.1.7 clickclick==20.10.2 From 5012b66385857e713a10127566f7f8bfe057cfd6 Mon Sep 17 00:00:00 2001 From: "Mitch Harding (the weird one)" Date: Tue, 4 Jun 2024 16:44:55 -0400 Subject: [PATCH 2/3] CASMCMS-9020: Bump Flask from 2.1.1 to 2.2.5 to resolve CVE --- CHANGELOG.md | 1 + Dockerfile | 6 ++++++ constraints.txt.in | 2 +- 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2f3454d1..8b16521c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] ### Dependencies - Bumped `certifi` from 2022.12.7 to 2023.7.22 to resolve [SNYK-PYTHON-CERTIFI-5805047 CVE](https://security.snyk.io/vuln/SNYK-PYTHON-CERTIFI-5805047) +- Bumped `Flask` from 2.1.1 to 2.2.5 to resolve [SNYK-PYTHON-FLASK-5490129 CVE](https://snyk.io/vuln/SNYK-PYTHON-FLASK-5490129) ## [2.18.2] - 2024-05-31 ### Fixed diff --git a/Dockerfile b/Dockerfile index 3c01c8fb..345689c8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -49,6 +49,12 @@ COPY --from=codegen /app/lib/ /app/lib # additional required libraries necessary for developer authored controller/database # code. RUN mv lib/requirements.txt lib/bos/server/requirements.txt +# The openapi-generator creates a requirements file that specifies exactly Flask==2.1.1 +# However, using Flask 2.2.5 is also compatible, and resolves a CVE. +# Accordingly, we relax their requirements file. +RUN cat lib/bos/server/requirements.txt && \ + sed -i 's/Flask == 2\(.*\)$/Flask >= 2\1\nFlask < 3/' lib/bos/server/requirements.txt && \ + cat lib/bos/server/requirements.txt # Then copy all src into the base image COPY src/bos/ /app/lib/bos/ COPY constraints.txt requirements.txt /app/ diff --git a/constraints.txt.in b/constraints.txt.in index dbd6a8e6..691bda26 100644 --- a/constraints.txt.in +++ b/constraints.txt.in @@ -10,7 +10,7 @@ click==8.1.7 clickclick==20.10.2 connexion==2.14.2 etcd3==0.12.0 -Flask==2.1.1 +Flask==2.2.5 google-auth==2.16.3 grpcio==1.51.3 idna==3.4 From f266c4cbc4c2f708398df1e3154cb3ae534fa451 Mon Sep 17 00:00:00 2001 From: Mitch Harding Date: Wed, 5 Jun 2024 13:42:04 -0400 Subject: [PATCH 3/3] Update CHANGELOG.md Release 2.19.0 for CSM 1.6 --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8b16521c..f11a7f94 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,6 +6,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## [Unreleased] + +## [2.19.0] - 2024-06-05 ### Dependencies - Bumped `certifi` from 2022.12.7 to 2023.7.22 to resolve [SNYK-PYTHON-CERTIFI-5805047 CVE](https://security.snyk.io/vuln/SNYK-PYTHON-CERTIFI-5805047) - Bumped `Flask` from 2.1.1 to 2.2.5 to resolve [SNYK-PYTHON-FLASK-5490129 CVE](https://snyk.io/vuln/SNYK-PYTHON-FLASK-5490129)
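Review bot: the CHANGELOG entry added in PATCH 1/3 labels a Snyk advisory ID as a CVE (`SNYK-PYTHON-CERTIFI-5805047 CVE`); a Snyk ID is not a CVE number, so either drop the word "CVE" or add the CVE identifier the advisory maps to, so anyone reconciling this bump against their own scanner output can match it. The Flask entry in PATCH 2/3 has the same wording, and the two links point at different hosts (`security.snyk.io` vs `snyk.io`); pick one. Since the file says it follows Keep a Changelog, note that "Security" is the category that spec defines for vulnerability fixes, whereas "Dependencies" is a project-local heading; either is workable, but be deliberate about which one this repo uses.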
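Review bot: the certifi pin in PATCH 1/3 is changed in `constraints.txt.in`, but the Dockerfile hunk in PATCH 2/3 shows the image consuming `constraints.txt` (`COPY constraints.txt requirements.txt /app/`); confirm the build regenerates `constraints.txt` from the `.in` file before that COPY, otherwise the image still ships certifi 2022.12.7 and the CHANGELOG claim is wrong. The same check applies to the Flask pin changed in PATCH 2/3.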
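Review bot: the `sed` in the Dockerfile hunk of PATCH 2/3 only matches `Flask == 2` with spaces around `==`; if the generator ever emits `Flask==2.1.1` the substitution silently does nothing, pip then sees `Flask==2.1.1` against the constraint `Flask==2.2.5`, and the install fails later with an unrelated-looking resolver conflict. The two `cat` calls print the file but do not verify anything; replace the trailing one with an assertion that the edit happened, e.g. `grep -q '^Flask >= 2' lib/bos/server/requirements.txt`, so the build fails at this step with a clear cause. Two smaller points: `\n` in a sed replacement is a GNU sed extension (BSD sed does not interpret it), worth a comment next to the command; and the comment above the RUN says 2.2.5 is compatible, but the relaxed range admits any `>= 2.1.1, < 3`, so it should say that the effective pin lives in `constraints.txt`.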
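Review bot: the `constraints.txt.in` hunk in PATCH 2/3 bumps only `Flask`; Flask minor releases raise the minimum versions of their own dependencies (Werkzeug in particular), and those pins are outside this hunk. Before merge, confirm the full constraints set still resolves, either by building the image or with a resolver dry run (`pip install --dry-run -r requirements.txt -c constraints.txt`), and check that `connexion==2.14.2` in the surrounding context accepts Flask 2.2.x, since connexion is what actually mounts the generated app.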
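Review bot: the release heading added in PATCH 3/3 turns two dependency bumps into a minor version bump (2.18.2 to 2.19.0); under the SemVer link at the top of the file a fix-only release would be 2.18.3, so if the minor bump is driven by the CSM 1.6 alignment named in the commit message rather than by a feature change, record that in the entry so the version jump is explainable from the CHANGELOG alone. Leaving `## [Unreleased]` as an empty section above the new heading is the expected Keep a Changelog shape and is fine.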