From 83b22536780b9312d82bef27afd0b78e4599c072 Mon Sep 17 00:00:00 2001
From: Tessa Alexander
Date: Tue, 10 Sep 2024 11:01:46 +0100
Subject: [PATCH] TMMA-509: Improve security of Python packaging tool; Update Python packaging tool
---
 CHANGELOG | 3 +++
 deploy/Dockerfile | 8 ++++----
 deploy/fabfile.py | 4 ++--
 requirements/dev.txt | 12 ++++++------
 requirements/requirements.txt | 6 +++---
 requirements/test.txt | 6 +++---
 6 files changed, 21 insertions(+), 18 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 755d904..54e2693 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,6 @@
+9.8.1 TMMA-509: Improve security of Python packaging tool
+ Update Python packaging tool
+
 9.8.0 Updated Django to 4.2.16 and updated other libraries
 Removed old Bitbucket IPs
 Update deployments for RHEL8 and apachectl compatibility
diff --git a/deploy/Dockerfile b/deploy/Dockerfile
index 5553cc7..ebff3a1 100644
--- a/deploy/Dockerfile
+++ b/deploy/Dockerfile
@@ -1,12 +1,12 @@
-FROM python:3.8.19-slim
+FROM python:3.8.20-slim
 ENV PYTHONDONTWRITEBYTECODE=1
 ENV PYTHONUNBUFFERED=1
 ENV PIP_VERSION='24.2'
-ENV SETUPTOOLS_VERSION='72.2.0'
+ENV SETUPTOOLS_VERSION='74.1.2'
 ENV PIP_TOOLS_VERSION='7.4.1'
 # NB: Version 15.1.0 is installed on RHEL
-ENV VE_VERSION='20.26.3'
+ENV VE_VERSION='20.26.4'
 # Update system packages and install dependencies
 RUN apt update -y && \
@@ -49,6 +49,6 @@ VOLUME [ "/srv" ]
 ARG REQUIREMENTS_FILE='requirements.txt'
 COPY requirements/$REQUIREMENTS_FILE /srv
-RUN pip install --no-deps -r /srv/$REQUIREMENTS_FILE
+RUN pip install --no-deps --require-hashes -r /srv/$REQUIREMENTS_FILE
 CMD [ "pip", "check" ]
\ No newline at end of file
diff --git a/deploy/fabfile.py b/deploy/fabfile.py
index e2810c0..6005cbe 100644
--- a/deploy/fabfile.py
+++ b/deploy/fabfile.py
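Review bot: `--require-hashes` on the `RUN pip install` line verifies only the packages listed in `$REQUIREMENTS_FILE`; the pip, setuptools, pip-tools and virtualenv versions declared by the `ENV *_VERSION` lines in the first hunk are presumably installed by a `pip install name==version` step that sits outside both hunks, and a version pin alone does not verify the downloaded artifact. If that step exists, consider giving those tools `--hash` pins as well (for example via a small hash-pinned bootstrap requirements file), otherwise the packaging tools remain the one unverified link in the install chain; the same gap applies to the `setuptools==%s` and `pip-tools==%s` calls in the deploy/fabfile.py hunk. The new flag also deserves a why-comment above the RUN line, e.g. `# --require-hashes: abort unless every requirement is ==-pinned with a --hash and the downloaded archive matches it (pip would only enable this implicitly if some entry carried a hash)`. The file still ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while this line is being touched.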
@@ -19,7 +19,7 @@
 # Tools not handled by pip-tools and/or requirements installs using pip
 # Also update pip version in tests/build-test-env.sh and Dockerfile
 PIP_VERSION = '24.2'
-SETUPTOOLS_VERSION = '72.2.0'
+SETUPTOOLS_VERSION = '74.1.2'
 PIP_TOOLS_VERSION = '7.4.1'
@@ -112,7 +112,7 @@ def make_virtualenv(env="dev", configure_apache=False, clone_repo=False, branch=
 caller('./bin/pip3 install -U setuptools==%s' % SETUPTOOLS_VERSION)
 caller('./bin/pip3 install pip-tools==%s' % PIP_TOOLS_VERSION)
 # Fix TMMA-456 - Resolve issue on Debian systems where dependencies loosely pinned upstream but correctly pinned overall in our requirements file causes builds to fail
-caller('./bin/pip3 install --no-deps -r src/temmpo/requirements/%s.txt' % requirements)
+caller('./bin/pip3 install --no-deps --require-hashes -r src/temmpo/requirements/%s.txt' % requirements)
 caller('./bin/pip3 freeze')
 # # Regenerate all pyc files
diff --git a/requirements/dev.txt b/requirements/dev.txt
index ba97386..cf1adab 100644
--- a/requirements/dev.txt
+++ b/requirements/dev.txt
@@ -332,9 +332,9 @@ django-rq==2.10.2 \
 --hash=sha256:5fe340e071c141a23ea0859df73c48b0a3df33a851835b2a8f8c4fca7a8b1849 \
 --hash=sha256:d1690b6a409934a0ea23c208ccb00d69477899f8edc61106ce5395c19dcdfb1e
 # via -r requirements/test.txt
-django-upgrade==1.20.0 \
- --hash=sha256:47aa2133972b600a8d935bab8d58d69b2e426bfc985d4c4f4c2fefecd754dd88 \
- --hash=sha256:938afa1a531399a12904eb71ffacad0c997ddbe0c45ec38bc0883a1cdcfd99ef
+django-upgrade==1.21.0 \
+ --hash=sha256:a0a7b11d5108fb2d3038cea2382c1332c9be4ff5059a38357fbd28116ebf3803 \
+ --hash=sha256:e65021029e7d18b407bd128a8ccb31e5e06685068b37b6b1eaf2f77aa3d3df98
 # via -r requirements/dev.in
 easyprocess==1.1 \
 --hash=sha256:82eed523a0a5eb12a81fa4eacd9f342caeb3f900eb4b798740e6696ad07e63f9 \
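Review bot: The comment above the changed `caller(...)` line in the second hunk still explains only `--no-deps` (TMMA-456), so the newly added `--require-hashes` flag is undocumented at the place it matters; extend that comment, e.g. `# --require-hashes (TMMA-509): pip aborts unless every entry in the requirements file has a matching --hash, so a tampered or substituted archive fails the install instead of landing in the virtualenv`. Because the flag now applies to every value of `requirements`, each of the dev/test/requirements .txt files must keep a hash on every entry — the pip-compile output in this commit does, but a hand-edited entry without one will now stop make_virtualenv rather than merely warn, which is worth stating in the comment as well. make_virtualenv's body starts before and continues after this hunk.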
@@ -626,9 +626,9 @@ matplotlib-inline==0.1.7 \
 --hash=sha256:8423b23ec666be3d16e16b60bdd8ac4e86e840ebd1dd11a30b9f117f2fa0ab90 \
 --hash=sha256:df192d39a4ff8f21b1895d72e6a13f5fcc5099f00fa84384e0ea28c2cc0653ca
 # via ipython
-more-itertools==10.4.0 \
- --hash=sha256:0f7d9f83a0a8dcfa8a2694a770590d98a67ea943e3d9f5298309a484758c4e27 \
- --hash=sha256:fe0e63c4ab068eac62410ab05cccca2dc71ec44ba8ef29916a0090df061cf923
+more-itertools==10.5.0 \
+ --hash=sha256:037b0d3203ce90cca8ab1defbbdac29d5f993fc20131f3664dc8d6acfa872aef \
+ --hash=sha256:5482bfef7849c25dc3c6dd53a6173ae4795da2a41a80faea6700d9f5846c5da6
 # via -r requirements/test.txt
 mss==9.0.2 \
 --hash=sha256:685fa442cc96d8d88b4eb7aadbcccca7b858e789c9259b603e1ef0e435b60425 \
diff --git a/requirements/requirements.txt b/requirements/requirements.txt
index d2813b2..152b5a8 100644
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@@ -356,9 +356,9 @@ lxml==5.3.0 \
 --hash=sha256:f914c03e6a31deb632e2daa881fe198461f4d06e57ac3d0e05bbcab8eae01945 \
 --hash=sha256:fb66442c2546446944437df74379e9cf9e9db353e61301d1a0e26482f43f0dd8
 # via -r requirements/requirements.in
-more-itertools==10.4.0 \
- --hash=sha256:0f7d9f83a0a8dcfa8a2694a770590d98a67ea943e3d9f5298309a484758c4e27 \
- --hash=sha256:fe0e63c4ab068eac62410ab05cccca2dc71ec44ba8ef29916a0090df061cf923
+more-itertools==10.5.0 \
+ --hash=sha256:037b0d3203ce90cca8ab1defbbdac29d5f993fc20131f3664dc8d6acfa872aef \
+ --hash=sha256:5482bfef7849c25dc3c6dd53a6173ae4795da2a41a80faea6700d9f5846c5da6
 # via -r requirements/requirements.in
 mysql-connector-python==8.4.0 \
 --hash=sha256:085024bf12d15f9b428938fdbeb50bd9b15dda9c4d3a474e6df061cb08713e6a \
diff --git a/requirements/test.txt b/requirements/test.txt
index 5c8d1fc..44d6a24 100644
--- a/requirements/test.txt
+++ b/requirements/test.txt
@@ -575,9 +575,9 @@ lxml==5.3.0 \
 --hash=sha256:f914c03e6a31deb632e2daa881fe198461f4d06e57ac3d0e05bbcab8eae01945 \
 --hash=sha256:fb66442c2546446944437df74379e9cf9e9db353e61301d1a0e26482f43f0dd8
 # via -r requirements/requirements.txt
-more-itertools==10.4.0 \
- --hash=sha256:0f7d9f83a0a8dcfa8a2694a770590d98a67ea943e3d9f5298309a484758c4e27 \
- --hash=sha256:fe0e63c4ab068eac62410ab05cccca2dc71ec44ba8ef29916a0090df061cf923
+more-itertools==10.5.0 \
+ --hash=sha256:037b0d3203ce90cca8ab1defbbdac29d5f993fc20131f3664dc8d6acfa872aef \
+ --hash=sha256:5482bfef7849c25dc3c6dd53a6173ae4795da2a41a80faea6700d9f5846c5da6
 # via -r requirements/requirements.txt
 mss==9.0.2 \
 --hash=sha256:685fa442cc96d8d88b4eb7aadbcccca7b858e789c9259b603e1ef0e435b60425 \