ignore Safety 76752 in setuptools #7539
Conversation
There was a problem hiding this comment.
Thanks. Note that you'll also need to suppress it in https://github.com/freedomofpress/fpf-misc-resources/blob/main/projectfiles/securedrop.json (yes, it's bad that it's duplicated :/)
There was a problem hiding this comment.
That's right: make safety here is used in our CI using the public Safety database, which hasn't picked up this alert yet; https://github.com/freedomofpress/fpf-misc-resources/blob/main/projectfiles/securedrop.json is used in the daily authenticated Safety alerting, which has.
Setuptools has been bumped to the fixed version [1], but that was not possible on Ubuntu Focal due to setuptools 78.1.1 requiring Python >=3.9 and Ubuntu Focal only providing Python 3.8. In fact ealier versions of setuptools required this newer Python version but only this release justified bumping it. Therefore, test-requirements.txt was split [2] into Ubuntu Focal and Noble and the setuptools dependency will have to be kept back on the former. This is minor given that this is a build-time dependency only and there is an ongoing migration of instances to Ubunut Noble. The end conclusion is that this vulnerability will be silenced for the entire repository, since it has already been patched where it could be. [1]: #7506 [2]: #7506 (comment)
|
This was a bit of a footgun. I'm guessing this would be fixed with freedomofpress/securedrop-tooling#14. |
|
@cfm I think you need to dismiss the requested changes for this to be merged. |
|
As of this morning this is still not suppressed. Could it be that there is some propagation delay or would it be expected for the impact to be immediate and thus a need to investigate what is in fact the correct place to update these? |
Status
Ready for review
Description of Changes
Suppresses vulnerability warning.
Setuptools has been bumped to the fixed version 1, but that was not possible on Ubuntu Focal due to setuptools 78.1.1 requiring Python >=3.9 and Ubuntu Focal only providing Python 3.8. In fact ealier versions of setuptools required this newer Python version but only this release justified bumping it.
Therefore, test-requirements.txt was split 2 into Ubuntu Focal and Noble and the setuptools dependency will have to be kept back on the former. This is minor given that this is a build-time dependency only and there is an ongoing migration of instances to Ubunut Noble.
The end conclusion is that this vulnerability will be silenced for the entire repository, since it has already been patched where it could be.