Older version of setup tool and setuptool dist-info getting flagged by S360 and other scans

[ronitshaw1993]

An older version of setup tools is installed in the latest release version of az cli == 2.45.0.

I have noticed that in dev the version is upgraded, but not sure when the release will happen.

### Our deployments are getting flagged. Let us know if there is a way around this before the next release as the setup tools inside the usr/lib/az is getting flagged, so installing an updated version overall is not helping.

[yonzhan]

@bebound for awareness

[jiasli]

Per my understanding, requirements.txt is only used azdev setup. @ronitshaw1993, are you using azdev setup in your pipelines?

[bebound]

We use default setuptools bundled with Python.
Workaround:
/opt/az/bin/python3 -m pip install -U setuptools

[ronitshaw1993]

@jiasli
This is how I'm installing az cli in my mariner python3.9 base image.

[ronitshaw1993]

@bebound I guess that needs to be updated.
As I'm not able to find the python bin specifically installed by az cli.

root [ / ]# find / -name python3.9
/usr/lib/python3.9
/usr/lib/az/lib/python3.9
/usr/bin/python3.9

This is the location /usr/lib/az/lib/python3.9 where S360 and other scans are flagging for vulnerability and an older version of setup tools exist.

Would be happy to go on a quick call as well.

[ronitshaw1993]

[bebound]

PYTHONPATH="/lib64/az/lib/python3.9/site-packages" python3.9 -m pip install -U setuptools

On Mariner, CLI uses the standard python3.9 with a special PYTHONPATH.

[ronitshaw1993]

PYTHONPATH="/lib64/az/lib/python3.9/site-packages" python3.9 -m pip install -U setuptools

On Mariner, CLI uses the standard python3.9 with a special PYTHONPATH.

Sure, thanks for the reply. This is helpful.

Any leads on when the next az cli release is planned for? With maybe the fix?

[bebound]

2.47 will be released on April 4.