[Python] - Fix for security vulnerability GHSA-r9hx-vwmv-q579 for set…
…uptools-65.5.0 lib on python using python image (#815) * [Python] - Fix for security vulnerability GHSA-r9hx-vwmv-q579 for setuptools-65.5.0 lib on python using python image * [Python] - Added one more test * [Python] - Fix for security vulnerability GHSA-r9hx-vwmv-q579 for setuptools-65.5.0 lib on python using python image * [Python] - Added one more test * Changes as suggested by comments * removed second line (L465) that removed a nonexistent directory * bump patch version & change code to pass failing tests
1 parent
6d6fb2b
commit 08fb370
Showing
5 changed files
with
208 additions
and
1 deletion.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,89 @@ | ||
#!/bin/bash | ||
set -e | ||
|
||
# Optional: Import test library | ||
source dev-container-features-test-lib | ||
|
||
FAILED=() | ||
|
||
echoStderr() | ||
{ | ||
echo "$@" 1>&2 | ||
} | ||
|
||
check-version-ge() { | ||
LABEL=$1 | ||
CURRENT_VERSION=$2 | ||
REQUIRED_VERSION=$3 | ||
shift | ||
echo -e "\n🧪 Testing $LABEL: '$CURRENT_VERSION' is >= '$REQUIRED_VERSION'" | ||
local GREATER_VERSION=$((echo ${CURRENT_VERSION}; echo ${REQUIRED_VERSION}) | sort -V | tail -1) | ||
if [ "${CURRENT_VERSION}" == "${GREATER_VERSION}" ]; then | ||
echo "✅ Passed!" | ||
return 0 | ||
else | ||
echoStderr "❌ $LABEL check failed." | ||
FAILED+=("$LABEL") | ||
return 1 | ||
fi | ||
} | ||
checkPythonPackageVersion() | ||
{ | ||
PACKAGE=$1 | ||
REQUIRED_VERSION=$2 | ||
current_version=$(python -c "import importlib.metadata; print(importlib.metadata.version('${PACKAGE}'))") | ||
check-version-ge "${PACKAGE}-requirement" "${current_version}" "${REQUIRED_VERSION}" | ||
} | ||
checkPythonPackageVersion "setuptools" "65.5.1" | ||
# Check that tools can execute - make sure something didn't get messed up in this scenario | ||
check "autopep8" autopep8 --version | ||
check "black" black --version | ||
check "yapf" yapf --version | ||
check "bandit" bandit --version | ||
check "flake8" flake8 --version | ||
check "mypy" mypy --version | ||
check "pycodestyle" pycodestyle --version | ||
check "pydocstyle" pydocstyle --version | ||
check "pylint" pylint --version | ||
check "pytest" pytest --version | ||
check "setuptools" pip list | grep setuptools | ||
# Check paths in settings | ||
check "which autopep8" bash -c "which autopep8 | grep /usr/local/py-utils/bin/autopep8" | ||
check "which black" bash -c "which black | grep /usr/local/py-utils/bin/black" | ||
check "which yapf" bash -c "which yapf | grep /usr/local/py-utils/bin/yapf" | ||
check "which bandit" bash -c "which bandit | grep /usr/local/py-utils/bin/bandit" | ||
check "which flake8" bash -c "which flake8 | grep /usr/local/py-utils/bin/flake8" | ||
check "which mypy" bash -c "which mypy | grep /usr/local/py-utils/bin/mypy" | ||
check "which pycodestyle" bash -c "which pycodestyle | grep /usr/local/py-utils/bin/pycodestyle" | ||
check "which pydocstyle" bash -c "which pydocstyle | grep /usr/local/py-utils/bin/pydocstyle" | ||
check "which pylint" bash -c "which pylint | grep /usr/local/py-utils/bin/pylint" | ||
check "which pytest" bash -c "which pytest | grep /usr/local/py-utils/bin/pytest" | ||
checkVulnerableDir() | ||
{ | ||
DIRECTORY=$1 | ||
VERSION=$2 | ||
if [[ -d $DIRECTORY ]] ; then | ||
echoStderr "❌ check for vulnerable setuptools version failed for python ${VERSION}." | ||
return 1 | ||
else | ||
echo "✅ Passed! Either the container does not have vulnerable version or vulnerable version specific directory got removed." | ||
return 0 | ||
fi | ||
} | ||
bash -c "echo -e -n '\n'"; | ||
bash -c "echo -e 'Files/Folders related to setuptools :-'"; | ||
bash -c "find / -name \"*setuptools*\";" | ||
# only for 3.10 | ||
checkVulnerableDir "/usr/local/py-utils/shared/lib/python3.10/site-packages/setuptools-65.5.0.dist-info" "3.10" | ||
# Report result | ||
reportResults |
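Review bot: The `checkVulnerableDir` call near the end only proves that the exact `setuptools-65.5.0.dist-info` directory is gone, so any other pre-65.5.1 release (or a later reinstall of a vulnerable version) in the python3.10 py-utils shared site-packages still passes, and the `checkPythonPackageVersion "setuptools" "65.5.1"` check above it queries whichever `python` is first on PATH, which is presumably not the interpreter behind `/usr/local/py-utils/shared` that the fix targets — confirm. A sturdier test globs every `setuptools-*.dist-info` in that site-packages directory and runs each version through the existing `check-version-ge` against `65.5.1`, as sketched below (note that both this and the existing checks `return 1` at top level under `set -e`, so a failure exits before `reportResults` prints the summary). Separately, `check "setuptools" pip list | grep setuptools` pipes the output of `check` itself rather than testing `pip list | grep`, so it can never fail; it should read `check "setuptools" bash -c "pip list | grep setuptools"` like the `which` lines. The whole-filesystem `find / -name "*setuptools*"` also exits non-zero on any permission-denied error, which under `set -e` aborts the script before the actual vulnerability check runs; scope it to `/usr/local/py-utils` or append `2>/dev/null || true`.
```shell
# … unchanged: tool, path and find diagnostics …
# Fail on ANY setuptools below 65.5.1 in the py-utils shared venv, not only 65.5.0
for dist_info in /usr/local/py-utils/shared/lib/python3.10/site-packages/setuptools-*.dist-info; do
  [[ -e "${dist_info}" ]] || continue   # unmatched glob: nothing installed there
  installed="${dist_info##*/setuptools-}"
  installed="${installed%.dist-info}"
  check-version-ge "py-utils setuptools ${installed}" "${installed}" "65.5.1"
done
# … unchanged: reportResults …
```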
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,90 @@ | ||
#!/bin/bash | ||
|
||
set -e | ||
|
||
# Optional: Import test library | ||
source dev-container-features-test-lib | ||
|
||
FAILED=() | ||
|
||
echoStderr() | ||
{ | ||
echo "$@" 1>&2 | ||
} | ||
|
||
check-version-ge() { | ||
LABEL=$1 | ||
CURRENT_VERSION=$2 | ||
REQUIRED_VERSION=$3 | ||
shift | ||
echo -e "\n🧪 Testing $LABEL: '$CURRENT_VERSION' is >= '$REQUIRED_VERSION'" | ||
local GREATER_VERSION=$((echo ${CURRENT_VERSION}; echo ${REQUIRED_VERSION}) | sort -V | tail -1) | ||
if [ "${CURRENT_VERSION}" == "${GREATER_VERSION}" ]; then | ||
echo "✅ Passed!" | ||
return 0 | ||
else | ||
echoStderr "❌ $LABEL check failed." | ||
FAILED+=("$LABEL") | ||
return 1 | ||
fi | ||
} | ||
checkPythonPackageVersion() | ||
{ | ||
PACKAGE=$1 | ||
REQUIRED_VERSION=$2 | ||
current_version=$(python -c "import importlib.metadata; print(importlib.metadata.version('${PACKAGE}'))") | ||
check-version-ge "${PACKAGE}-requirement" "${current_version}" "${REQUIRED_VERSION}" | ||
} | ||
checkPythonPackageVersion "setuptools" "65.5.1" | ||
# Check that tools can execute - make sure something didn't get messed up in this scenario | ||
check "autopep8" autopep8 --version | ||
check "black" black --version | ||
check "yapf" yapf --version | ||
check "bandit" bandit --version | ||
check "flake8" flake8 --version | ||
check "mypy" mypy --version | ||
check "pycodestyle" pycodestyle --version | ||
check "pydocstyle" pydocstyle --version | ||
check "pylint" pylint --version | ||
check "pytest" pytest --version | ||
check "setuptools" pip list | grep setuptools | ||
# Check paths in settings | ||
check "which autopep8" bash -c "which autopep8 | grep /usr/local/py-utils/bin/autopep8" | ||
check "which black" bash -c "which black | grep /usr/local/py-utils/bin/black" | ||
check "which yapf" bash -c "which yapf | grep /usr/local/py-utils/bin/yapf" | ||
check "which bandit" bash -c "which bandit | grep /usr/local/py-utils/bin/bandit" | ||
check "which flake8" bash -c "which flake8 | grep /usr/local/py-utils/bin/flake8" | ||
check "which mypy" bash -c "which mypy | grep /usr/local/py-utils/bin/mypy" | ||
check "which pycodestyle" bash -c "which pycodestyle | grep /usr/local/py-utils/bin/pycodestyle" | ||
check "which pydocstyle" bash -c "which pydocstyle | grep /usr/local/py-utils/bin/pydocstyle" | ||
check "which pylint" bash -c "which pylint | grep /usr/local/py-utils/bin/pylint" | ||
check "which pytest" bash -c "which pytest | grep /usr/local/py-utils/bin/pytest" | ||
checkVulnerableDir() | ||
{ | ||
DIRECTORY=$1 | ||
VERSION=$2 | ||
if [[ -d $DIRECTORY ]] ; then | ||
echoStderr "❌ check for vulnerable setuptools version failed for python ${VERSION}." | ||
return 1 | ||
else | ||
echo "✅ Passed! Either the container does not have vulnerable version or vulnerable version specific directory got removed." | ||
return 0 | ||
fi | ||
} | ||
bash -c "echo -e -n '\n'"; | ||
bash -c "echo -e 'Files/Folders related to setuptools :-'"; | ||
bash -c "find / -name \"*setuptools*\";" | ||
# only for 3.11 | ||
checkVulnerableDir "/usr/local/py-utils/shared/lib/python3.11/site-packages/setuptools-65.5.0.dist-info" "3.11" | ||
# Report result | ||
reportResults |
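Review bot: The final `checkVulnerableDir` treats the absence of one directory, `setuptools-65.5.0.dist-info`, as proof that the python3.11 py-utils shared venv is patched, which misses every other release below 65.5.1 and says nothing about what replaced it, while the earlier `checkPythonPackageVersion "setuptools" "65.5.1"` asks whichever `python` is on PATH — presumably not the `/usr/local/py-utils/shared` interpreter, so it may pass against an unrelated copy; worth confirming. Replace the hardcoded directory probe with a glob over `setuptools-*.dist-info` in that site-packages and feed each version to the existing `check-version-ge` (sketch below). Also, `check-version-ge` and `checkVulnerableDir` both `return 1` at top level under `set -e`, so the first failure exits the script before `reportResults` runs and the `FAILED` array is never printed, and the `shift` inside `check-version-ge` is a leftover with no effect. Finally, `check "setuptools" pip list | grep setuptools` pipes `check`'s own output through grep instead of testing the pipeline, so it cannot fail; make it `check "setuptools" bash -c "pip list | grep setuptools"`.
```shell
# … unchanged: tool, path and find diagnostics …
# Fail on ANY setuptools below 65.5.1 in the py-utils shared venv, not only 65.5.0
for dist_info in /usr/local/py-utils/shared/lib/python3.11/site-packages/setuptools-*.dist-info; do
  [[ -e "${dist_info}" ]] || continue   # unmatched glob: nothing installed there
  installed="${dist_info##*/setuptools-}"
  installed="${installed%.dist-info}"
  check-version-ge "py-utils setuptools ${installed}" "${installed}" "65.5.1"
done
# … unchanged: reportResults …
```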