Comments (7)
lvaylet
commented on June 2, 2024
1
Thanks @mrtergl for investigating. I will dedicate some time to this issue and your PR tomorrow afternoon.
from slo-generator.
lvaylet
commented on June 2, 2024
This only happens for Python 3.11. Other versions install pip v23.3, as requested by setup.cfg.
dev =
pip >=23.3 # avoid known vulnerabilities in pip <23.3 (reported by `safety check`)
Not sure why Python 3.11 is ignoring these requirements.
from slo-generator.
mrtergl
commented on June 2, 2024
Actually, python tries to get 23.3 or above while installing dependencies in Python 3.11 but it says Requirement already satisfied in that path:
Requirement already satisfied: pip>=23.3 in /opt/hostedtoolcache/Python/3.11.7/x64/lib/python3.11/site-packages (from slo-generator==2.5.2) (23.3.2)
Then safety check command runs:
Safety v2.3.4 is scanning for Vulnerabilities...
Scanning dependencies in your environment:-> /opt/hostedtoolcache/Python/3.11.7/x64/lib/python3.11/site-packages
it is scanning exactly the same path v23.3 supposed to be but however it scans v23.2.1 and vuln come up.
Vulnerability found in pip version 23.2.1
Vulnerability ID: 62044
Affected spec: <23.3
ADVISORY: Pip 23.3 includes a fix for CVE-2023-5752: When installing
Note: I've tried with v2.3.5 for safety as well (in a point while installing dependencies, it downgrades safety) but no change occurred.
I've tried to pass lint test for Python 3.11 in related PR : #413
@lvaylet
from slo-generator.
lvaylet
commented on June 2, 2024
safety completes successfully within make docker_test when the base image is set to Python 3.11 instead of 3.9 currently (with FROM python:3.11-slim, resulting in Python 3.11.7 being installed, same version as in the CI pipeline). So Python 3.11 might not be the issue here.
from slo-generator.
lvaylet
commented on June 2, 2024
The Dockerfile runs pip install -U setuptools before installing the remaining packages:
FROM python:3.11-slim
[...]
RUN pip install -U setuptools
RUN pip install ."[api, datadog, dynatrace, prometheus, elasticsearch, opensearch, splunk, pubsub, cloud_monitoring, cloud_service_monitoring, cloud_storage, bigquery, cloudevent, dev]"Would it make sense to include pip install -U setuptools at the beginning of make install too?
from slo-generator.
lvaylet
commented on June 2, 2024
I tried forcing an update of setuptools and pip in #424 before installing the other packages but safety still reports a CVE with pip 23.2.1 while 23.3.2 is actually installed (as confirmed by running pip --version just before safety check).
More details: https://github.com/google/slo-generator/actions/runs/7640294745/job/20815118754#step:5:92
from slo-generator.
lvaylet
commented on June 2, 2024
The issue disappeared on the latest PRs. For example, every check in #422 completes just fine.
from slo-generator.
Related Issues (20)
- 🐛 [BUG] - SLO Generator Cloud Run service in test project crashes continuously
- 💡 [REQUEST] - Document everything going on in GCP project `slo-generator-ci-a2b4`
- 💡 [REQUEST] - Automate dependency updates with `renovate-bot` HOT 1
- 💡 [REQUEST] - Investigate the results of the Scorecards GitHub Action
- 💡 [REQUEST] - Add a "Why?" section to `README.md` HOT 1
- 💡 [REQUEST] - Multiwindow, multi-burn-rate alerts HOT 2
- 🐛 [BUG] - CI is unable to deploy new images to Cloud Run
- 🐛 [BUG] - Warnings in GitHub Actions workflows
- 🐛 [BUG] - Similar GitHub Actions workflows have different triggers
- 💡 [REQUEST] - Make the Docker image smaller HOT 4
- 💡 [REQUEST] - Prometheus SLO Recording Rule examples HOT 1
- 🐛 [BUG] - `safety check` fails during CI HOT 2
- 🐛 [BUG] - latest releases aren't pushed into the GCR HOT 10
- 🐛 [BUG] - `safety` reports CVE in `pip <23.3` HOT 1
- 🐛 [BUG] - Unit tests are failing with all versions of Python HOT 2
- 🐛 [BUG] - Image not available from gcr HOT 3
- 🐛 [BUG] - Failed to release `v2.6.0` HOT 13
- 🐛 [BUG] - Synthetic Probes show a high number a 504 errors HOT 7
- 💡 [REQUEST] - Collect Cloud Trace data to troubleshoot latency issues and timeouts HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from slo-generator.