Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Update Azure identity services (1.1.1 -> 1.11.1) and pygments (2.15.0 -> 2.15.1) #19576

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

fix: Update Azure identity services (1.1.1 -> 1.11.1) and pygments (2.15.0 -> 2.15.1) #19576

wants to merge 2 commits into from

Conversation

harshitasao
Copy link
Contributor

Fixed the 2 vulnerabilities which are reported by the scorecard report.

  1. https://osv.dev/PYSEC-2023-117
  2. https://osv.dev/GHSA-m5vv-6r4h-3vj9

Part of #18921

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • The title of the PR conforms to the Toolchain Guide
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).
  • My new feature complies with the feature status guidelines.
  • I have added a brief description of why this PR is necessary and/or what this PR solves.
  • Optional. My organization is added to USERS.md.
  • Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

@harshitasao harshitasao requested review from a team as code owners August 17, 2024 14:55
@bunnyshell Bunnyshell
Copy link

bunnyshell bot commented Aug 17, 2024
edited
Loading

❗ Preview Environment deployment failed on Bunnyshell

See: Environment Details | Pipeline Logs

Available commands (reply to this comment):

  • 🚀 /bns:deploy to redeploy the environment
  • /bns:delete to remove the environment

@bunnyshell Bunnyshell
Copy link

bunnyshell bot commented Aug 17, 2024

✅ Preview Environment created on Bunnyshell but will not be auto-deployed

See: Environment Details

Available commands (reply to this comment):

  • 🚀 /bns:deploy to deploy the environment

@harshitasao harshitasao mentioned this pull request Aug 17, 2024
Open
3 tasks
@harshitasao harshitasao changed the title Fixed the vulnerabilities as shown in the scorecard report fix: Fixed the vulnerabilities as shown in the scorecard report Aug 17, 2024
todaywasawesome
todaywasawesome requested changes Aug 17, 2024
View reviewed changes
Copy link
Contributor

@todaywasawesome todaywasawesome left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like tests are failing on change. These are pretty big version changes. Is there a version change that's closer and closes cves?

@jannfis
Copy link
Member

jannfis commented Aug 17, 2024
edited
Loading

https://osv.dev/vulnerability/GHSA-m5vv-6r4h-3vj9 states that for the Go Azure SDK, the flaw was fixed in v1.6.0, while this PR pulls in 1.11 (which is probably the latest stable release).

However, I think it might be worthwhile to fix the compatibility issue.

EDIT: It seems the vulnerability is in the azidentity package, which is upgraded to 1.7 with this PR (and the fix is in 1.6).

@wanghong230
Copy link
Member

Better has an Azure environment to do a validation.

@harshitasao
fixed the vulnerabilities as shown in the scorecard report
03c8baf 
Signed-off-by: harshitasao <harshitasao@gmail.com>
@harshitasao
vulnerability fix
9f4b57a 
Signed-off-by: harshitasao <harshitasao@gmail.com>
@todaywasawesome todaywasawesome changed the title fix: Fixed the vulnerabilities as shown in the scorecard report fix: Update Azure identity services (1.1.1 -> 1.11.1) and pygments (2.15.0 -> 2.15.1) Sep 4, 2024
@todaywasawesome todaywasawesome mentioned this pull request Sep 4, 2024
Merged
14 tasks
@todaywasawesome
Copy link
Contributor

We got pyments done in #19784 - this azure change is significant though and needs real testing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@todaywasawesome todaywasawesome todaywasawesome requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@harshitasao @jannfis @wanghong230 @todaywasawesome