Stop ignoring pip-audit vulnerability #213

Draft
wants to merge 3 commits into
base: develop

jsf9k
Member

@jsf9k jsf9k commented Dec 2, 2024

🗣 Description

This pull request makes the necessary changes so that we can stop ignoring a vulnerability in ansible-core identified by pip-audit:

Note

This pull request pulls in commit cisagov/skeleton-generic@2ea400c from cisagov/skeleton-generic#199.

💭 Motivation and context

Vulnerabilities should not be ignored if they need not be. Resolves #210.

🧪 Testing

All automated tests pass.

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All new and existing tests pass.

jsf9k added 3 commits December 2, 2024 17:31
Version 2.18.1 of ansible-core is required because the pip-audit
pre-commit hook identifies a vulnerability (GHSA-99w6-3xph-cx78) in
ansible-core<=2.18.1.  This necessitates an upgrade to at least
ansible 11.

The versions of pip packages in both locations must agree.

This is no longer necessary since we have upgraded to
ansible-core>=2.18.1.
jsf9k added the following labels on Dec 2, 2024:

  • improvement: This issue or pull request will add or improve functionality, maintainability, or ease of use
  • upstream update: This issue or pull request pulls in upstream updates
  • dependencies: Pull requests that update a dependency file
  • kraken 🐙: This pull request is ready to merge during the next Lineage Kraken release
  • security: This issue or pull request addresses a security issue

jsf9k added the blocked label (This issue or pull request is awaiting the outcome of another issue or pull request) and removed the kraken 🐙 label on Dec 4, 2024.
Projects
Status: In progress
Development

Successfully merging this pull request may close these issues.

Remove ignored vulnerability in pip-audit pre-commit hook
2 participants