Compliance updates (Jan 2024) (#408)
* Bump Java versions for OWASP compliance notices

* Bump web API versions for compliance

* Bump Python dependencies to address compliance issues

* Try to prevent Python safety check detecting an old version of PIP

* False positive for the Azure CLI (not a Java library)

* Security exclusion for SSH protocol error (currently no fix available, issue raised with Apache SSHD)

* Fix for removal of experimental API in gRPC minor version update

* Fix for removal of experimental API in gRPC minor version update

* Fix for change in module structure of Google API common protos

* Go back to v4.1 for license-checker - the latest version uses a recent glob which pulls in non-standard licenses (we will need to vet those licenses, since glob is used by many things)

* Get info on pip version during compliance build

* Get info on pip version during compliance build

* Try changing the pip upgrade step

* Ignore vulnerabilities in an older version of pip (it is not shipped with the runtime package)

* Use safety ID instead of CVE for safety ignore flag
Martin Traverse authored Jan 14, 2024
1 parent 2a4e897 commit ff14343
Showing 12 changed files with 146 additions and 113 deletions.
8 changes: 6 additions & 2 deletions .github/workflows/compliance.yml
@@ -100,12 +100,16 @@ jobs:
pip install -r requirements.txt
pip install -r requirements_plugins.txt
# CVE-2023-5752 (safety id: 62044) is a vulnerability in pip itself, fixed in the most recent version (23.3)
# Although pip is updated, safety check detects the old version (perhaps because pip is part of the base package)
# Anyway pip is not a dependency of the tracdap-runtime package, clients will get pip from their Python install
# Once the base Python used in CI bumps up to include a later pip, the --ignore flag can be removed
- name: Safety check
run: |
mkdir -p build/compliance/python-runtime-safety
cd tracdap-runtime/python
safety check --output text > ../../build/compliance/python-runtime-safety/python-runtime-safety-report.txt
safety check --output json > ../../build/compliance/python-runtime-safety/python-runtime-safety-report.json
safety check --ignore 62044 --output text > ../../build/compliance/python-runtime-safety/python-runtime-safety-report.txt
safety check --ignore 62044 --output json > ../../build/compliance/python-runtime-safety/python-runtime-safety-report.json
- name: License check
run: |
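Review bot: the `--ignore 62044` suppression has no mechanism that forces its removal: the comment says it can go once the CI base Python ships pip 23.3 or later, but nothing in this step fails when that happens, so the flag will silently outlive its justification. Record the evidence next to the reports (e.g. `pip --version > ../../build/compliance/python-runtime-safety/pip-version.txt` before the two `safety check` calls) and consider a small check that fails when the installed pip is already 23.3 or newer, so the suppression gets cleaned up. The two `safety check` invocations also scan the same environment twice only to produce two output formats; harmless, but if findings are ever gated on, the JSON report is the one to keep.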
4 changes: 2 additions & 2 deletions dev/codegen/protoc-ctrl.py
@@ -21,7 +21,7 @@
import tempfile

import protoc
import google.api # noqa
import google.api.http_pb2 as gapi_http_module


SCRIPT_NAME = pathlib.Path(__file__).stem
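Review bot: missing documentation: the switch from `import google.api  # noqa` to `import google.api.http_pb2 as gapi_http_module` is explained only in the commit message ("Fix for change in module structure of Google API common protos"); add a one-line comment here saying why a `_pb2` module rather than the package is used to locate the protos, otherwise the next reader will "simplify" it back. Dropping `# noqa` is correct now that the alias is actually used.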
@@ -85,7 +85,7 @@ def __enter__(self):
_copytree(protoc_inc_src, protoc_inc_dst)

# Google API protos for annotating web services
gapi_src = pathlib.Path(google.api.__file__).parent
gapi_src = pathlib.Path(gapi_http_module.__file__).parent
gapi_dst = pathlib.Path(self.temp_dir_name).joinpath("google/api")

_log.info(f"Copying {gapi_src} -> {gapi_dst}")
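Review bot: logic: `gapi_src` is now the directory that contains `http_pb2.py`, and that whole directory is copied into `google/api` of the temp dir without checking that the `.proto` sources are actually present there; if only compiled `_pb2` modules are found, the copy succeeds and the failure surfaces later as a confusing protoc import error. Verify before copying, e.g. `if not gapi_src.joinpath("http.proto").exists(): raise FileNotFoundError(f"Google API protos not found in {gapi_src}")`.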
17 changes: 17 additions & 0 deletions dev/compliance/owasp-false-positives.xml
@@ -167,6 +167,13 @@
<vulnerabilityName>CVE-2023-36415</vulnerabilityName>
</suppress>

<!-- This one is a vulnerability in the Azure CLI using REST commands -->
<!-- It should not apply to Java libraries at all -->
<suppress>
<packageUrl regex="true">^pkg:maven/com\.azure/azure\-.*@.*$</packageUrl>
<cve>CVE-2023-36052</cve>
</suppress>


<!-- ================== -->
<!-- Special exceptions -->
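Review bot: the new suppression is scoped by regex to every `com.azure/azure-*` artifact at every version (`@.*$`), which is acceptable for a CVE the comment says belongs to a different product (the Azure CLI), but the justification should be verifiable: add a link to the advisory that scopes CVE-2023-36052 to the CLI so the next auditor does not have to re-derive it. Minor: there is a doubled blank line between the new `</suppress>` and the "Special exceptions" banner.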
@@ -246,4 +253,14 @@
<vulnerabilityName>CVE-2023-4586</vulnerabilityName>
</suppress>

<!-- This is a vulnerability that has been discovered in the SSH protocol and affects many SSH implementations -->
<!-- It only applies when certain extensions are enabled, for TRAC this applies to the execution node config -->
<!-- Currently there is no fix available, I have raised a ticket with Apache SSHD -->
<!-- https://github.com/apache/mina-sshd/issues/453 -->

<suppress>
<packageUrl regex="true">^pkg:maven/org\.apache\.sshd/sshd\-.*@.*$</packageUrl>
<cve>CVE-2023-48795</cve>
</suppress>

</suppressions>
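Review bot: logic: unlike the false positives above, this entry suppresses a real vulnerability that the comment says is reachable through the execution node config, so an open-ended suppression is risky; put an `until="YYYY-MM-DD"` attribute on the `<suppress>` element so dependency-check re-raises the finding on a date tied to revisiting the upstream issue, and document in the comment which SSHD extensions or settings make the code path reachable and whether they are disabled in the shipped configuration in the meantime. The regex `^pkg:maven/org\.apache\.sshd/sshd\-.*@.*$` matches every future sshd version as well, so without an expiry nothing prompts removal once the fix lands.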
2 changes: 1 addition & 1 deletion dev/requirements.txt
@@ -3,7 +3,7 @@
# Protoc is required for the codegen scripts which work off the API proto files
protobuf ~= 4.23.0
protoc-wheel-0 >= 21, < 22
googleapis-common-protos >= 1.56, < 2.0
googleapis-common-protos >= 1.62, < 2.0

# Doc generation
sphinx ~= 7.2.0
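Review bot: missing documentation: the lower bound for `googleapis-common-protos` jumps from 1.56 to 1.62 with no comment, while the neighbouring entries explain their purpose; note that `dev/codegen/protoc-ctrl.py` depends on the 1.62 module layout so nobody relaxes the bound later. `protobuf ~= 4.23.0` stays pinned; confirm that the 1.62 release accepts that protobuf range, since nothing in this diff shows it either way.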
6 changes: 3 additions & 3 deletions gradle/versions.gradle
@@ -28,7 +28,7 @@ ext {
netty_version = '4.1.100.Final'
guava_version = '32.1.3-jre'
proto_version = '3.23.2'
grpc_version = '1.59.0'
grpc_version = '1.61.0'
gapi_version = '2.20.0'

// Data technologies
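Review bot: the gRPC bump from 1.59.0 to 1.61.0 is paired, per the commit message, with a fix for a removed experimental API, but `proto_version = '3.23.2'` and `gapi_version = '2.20.0'` are left as they are; add a comment stating which gRPC experimental API was replaced so the next bump does not repeat the investigation, and confirm that the protobuf-java version gRPC 1.61.0 was built against is compatible with the pinned 3.23.2.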
@@ -68,13 +68,13 @@ ext {

aws_sdk_version = '2.21.11'
gcp_sdk_version = '26.26.0'
azure_sdk_version = '1.2.18'
azure_sdk_version = '1.2.19'

// AWS SDK uses Reactive Streams
// Only the latest version has a good license (MIT-0, prior versions were Creative Commons)
reactive_streams_version = '1.0.4'

apache_sshd_version = "2.10.0"
apache_sshd_version = "2.11.0"


// Test dependencies
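Review bot: style: `apache_sshd_version = "2.11.0"` uses double quotes while every other entry in this block uses single quotes; keep it consistent. More substantively, the 2.11.0 bump does not close CVE-2023-48795 (the commit message and the suppression file both say no fix is available yet), so leave a comment here pointing at the suppression entry and the upstream issue so the next SSHD bump is made with that in mind.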