Remove unneeded dependencies #682

Merged
merged 3 commits into from
Oct 4, 2024

Conversation

P4sca1
Collaborator

@P4sca1 P4sca1 commented Oct 4, 2024

Changes

  • Remove wheel runtime dependency. It is only needed at build time.
  • Don't install pip into the venv. It is not needed at runtime. Fixes CVE-2023-5752.
  • Remove setuptools dependency after building. Fixes CVE-2022-40897. Note that setuptools is only a build dependency, but is still present at runtime, because the geoip2 package references a vulnerable version as a dependency.

Trivy Image scan results

Scanned using trivy image IMAGE --ignore-unfixed

Before

Python (python-pkg)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 0)

┌───────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│        Library        │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                           │
├───────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ pip (METADATA)        │ CVE-2023-5752  │ MEDIUM   │ fixed  │ 23.0.1            │ 23.3          │ pip: Mercurial configuration injectable in repo revision │
│                       │                │          │        │                   │               │ when installing via pip                                  │
│                       │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5752                │
├───────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ setuptools (METADATA) │ CVE-2022-40897 │ HIGH     │        │ 65.5.0            │ 65.5.1        │ pypa-setuptools: Regular Expression Denial of Service    │
│                       │                │          │        │                   │               │ (ReDoS) in package_index.py                              │
│                       │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-40897               │
│                       ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────┤
│                       │ CVE-2024-6345  │          │        │                   │ 70.0.0        │ pypa/setuptools: Remote code execution via download      │
│                       │                │          │        │                   │               │ functions in the package_index module in...              │
│                       │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-6345                │
└───────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘

opt/bitnami/python (bitnami)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬──────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                          Title                           │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────┤
│ python  │ CVE-2023-36632 │ HIGH     │ fixed  │ 3.10.15-4         │ 3.11.4         │ python: RecursionError: maximum recursion depth exceeded │
│         │                │          │        │                   │                │ while calling a Python object                            │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-36632               │
│         ├────────────────┼──────────┤        │                   ├────────────────┼──────────────────────────────────────────────────────────┤
│         │ CVE-2023-27043 │ MEDIUM   │        │                   │ 2.7.18, 3.11.0 │ python: Parsing errors in email/_parseaddr.py lead to    │
│         │                │          │        │                   │                │ incorrect value in email address...                      │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-27043               │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴──────────────────────────────────────────────────────────┘

After

logprep (debian 12.7)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


opt/bitnami/python (bitnami)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬──────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                          Title                           │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────┤
│ python  │ CVE-2023-36632 │ HIGH     │ fixed  │ 3.10.15-4         │ 3.11.4         │ python: RecursionError: maximum recursion depth exceeded │
│         │                │          │        │                   │                │ while calling a Python object                            │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-36632               │
│         ├────────────────┼──────────┤        │                   ├────────────────┼──────────────────────────────────────────────────────────┤
│         │ CVE-2023-27043 │ MEDIUM   │        │                   │ 2.7.18, 3.11.0 │ python: Parsing errors in email/_parseaddr.py lead to    │
│         │                │          │        │                   │                │ incorrect value in email address...                      │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-27043               │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴──────────────────────────────────────────────────────────┘
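A post-build check for the kind of venv this PR produces, added here as an illustration and not code from the logprep repository: it walks a venv's site-packages for dist-info metadata and reports pip, setuptools and wheel, marking pip and setuptools as vulnerable when their version is below the fixed versions from the Trivy scan above. The cut-off table and the sample site-packages directory are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Build-time-only tools that should not ship in a runtime venv, paired with the
# lowest "Fixed Version" Trivy reported for them in the scan above (assumption:
# 70.0.0 is used because it covers both setuptools findings; wheel had none).
BUILD_ONLY_MIN_FIXED = {"pip": "23.3", "setuptools": "70.0.0", "wheel": None}

def parse_version(v):
    # Numeric-only comparison; sufficient for pip/setuptools/wheel release numbers.
    return tuple(int(p) for p in re.findall(r"\d+", v))

def installed_dists(site_packages):
    """Yield (name, version) for every *.dist-info/METADATA under site_packages."""
    for meta in Path(site_packages).glob("*.dist-info/METADATA"):
        fields = {}
        for line in meta.read_text(encoding="utf-8", errors="replace").splitlines():
            if not line.strip():  # header block ends at the first blank line
                break
            key, sep, value = line.partition(":")
            if sep and key in ("Name", "Version"):
                fields[key] = value.strip()
        if "Name" in fields and "Version" in fields:
            yield fields["Name"].lower(), fields["Version"]

def audit_venv(site_packages):
    """Map each build-only tool found to (version, 'vulnerable' | 'unexpected')."""
    findings = {}
    for name, version in installed_dists(site_packages):
        if name not in BUILD_ONLY_MIN_FIXED:
            continue
        fixed = BUILD_ONLY_MIN_FIXED[name]
        outdated = fixed is not None and parse_version(version) < parse_version(fixed)
        findings[name] = (version, "vulnerable" if outdated else "unexpected")
    return findings

def make_sample_site_packages(dists=(("pip", "23.0.1"), ("setuptools", "65.5.0"), ("geoip2", "0.0.0"))):
    """Constructed sample site-packages; the default mirrors the 'Before' scan state."""
    root = Path(tempfile.mkdtemp())
    for name, version in dists:
        d = root / f"{name}-{version}.dist-info"
        d.mkdir()
        (d / "METADATA").write_text(f"Metadata-Version: 2.1\nName: {name}\nVersion: {version}\n")
    return root

if __name__ == "__main__":
    for pkg, (ver, why) in sorted(audit_venv(make_sample_site_packages()).items()):
        print(f"{pkg} {ver}: {why}")
```

Run it against a real image with the venv's site-packages path as the argument to audit_venv; an empty result is the state the "After" scan shows.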

@ekneg54 ekneg54 added the bug Something isn't working label Oct 4, 2024
@ekneg54 ekneg54 self-requested a review October 4, 2024 10:54
Collaborator

@ekneg54 ekneg54 left a comment

Thank you for your first contribution.

@ekneg54 ekneg54 merged commit 72cb7f9 into main Oct 4, 2024
13 checks passed
@ekneg54 ekneg54 deleted the remove-unneeded-deps branch October 4, 2024 10:56