
Stop ignoring pip-audit vulnerability #410


Draft: wants to merge 3 commits into develop from improvement/stop-ignoring-pip-audit-vulnerability

Conversation

jsf9k (Member)

@jsf9k jsf9k commented Apr 7, 2025

🗣 Description

This pull request makes the necessary changes so that we can stop ignoring a vulnerability in ansible-core identified by pip-audit:

Note

This pull request pulls in commit cisagov/skeleton-generic@5f0190c from cisagov/skeleton-generic#199.

💭 Motivation and context

Vulnerabilities should not be ignored if they need not be. Resolves #380.

🧪 Testing

All automated tests pass.

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All new and existing tests pass.

@jsf9k added labels Apr 7, 2025: blocked (this issue or pull request is awaiting the outcome of another issue or pull request), improvement (will add or improve functionality, maintainability, or ease of use), upstream update (pulls in upstream updates), dependencies (updates a dependency file), security (addresses a security issue)
@jsf9k jsf9k self-assigned this Apr 7, 2025
@jsf9k force-pushed the improvement/stop-ignoring-pip-audit-vulnerability branch from 49daa27 to 8cc6fd3 on April 7, 2025 17:32
jsf9k added 3 commits April 7, 2025 13:33

  • The versions of pip packages in both locations must agree.
  • Version 2.18.1 of ansible-core is required because the pip-audit pre-commit hook identifies a vulnerability (GHSA-99w6-3xph-cx78) in ansible-core<=2.18.1. This necessitates an upgrade to at least ansible 11.
  • This is no longer necessary since we have upgraded to ansible-core>=2.18.1.
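The commits above describe two invariants a reviewer would want checked mechanically: the pip pins in requirements.txt and in the pre-commit config must agree, and a pip-audit `--ignore-vuln` entry must go away once the package floor reaches the version the ignore was covering for. The script below is an added example, not code from this PR or from cisagov; the two config files are constructed samples, the advisory ID and the 2.18.1 floor are taken from the commit messages, and the `ADVISORY_FLOOR` table, the function names, and the treatment of 2.18.1 as the fix boundary are this example's own assumptions. Version comparison is simplified to dotted integers (use `packaging.version` for real PEP 440 semantics).

```python
"""Added example: consistency check between requirements.txt pins and the pins
in .pre-commit-config.yaml, plus detection of stale pip-audit --ignore-vuln
entries. Not part of the cisagov PR; file contents are CONSTRUCTED samples."""
import re

# Constructed: requirements.txt after the bump described in the PR.
REQUIREMENTS_TXT = """\
ansible-core>=2.18.1
ansible>=11
"""

# Constructed: pre-commit config before the PR. The ansible-lint hook's
# additional_dependencies pin is assumed to be the "second location", and the
# pip-audit hook still carries the ignore. rev lines omitted for brevity.
PRE_COMMIT_BEFORE = """\
repos:
  - repo: https://github.com/ansible/ansible-lint
    hooks:
      - id: ansible-lint
        additional_dependencies:
          - ansible-core>=2.17.0
  - repo: https://github.com/pypa/pip-audit
    hooks:
      - id: pip-audit
        args:
          - --ignore-vuln
          - GHSA-99w6-3xph-cx78
"""

# Constructed: the same file after the PR: pin agrees, ignore removed.
PRE_COMMIT_AFTER = """\
repos:
  - repo: https://github.com/ansible/ansible-lint
    hooks:
      - id: ansible-lint
        additional_dependencies:
          - ansible-core>=2.18.1
  - repo: https://github.com/pypa/pip-audit
    hooks:
      - id: pip-audit
"""

# Advisory -> (package, first version at which the ignore may be dropped).
# Assumption of this example: the PR's 2.18.1 floor is the fix boundary.
ADVISORY_FLOOR = {"GHSA-99w6-3xph-cx78": ("ansible-core", "2.18.1")}

# One pip specifier with a single operator, optionally as a YAML list item.
SPEC_RE = re.compile(
    r"^\s*(?:-\s+)?([A-Za-z0-9][A-Za-z0-9._-]*)\s*"
    r"(==|>=|<=|~=|>|<)\s*([0-9][0-9A-Za-z.]*)\s*$"
)
LIST_ITEM_RE = re.compile(r"^\s*-\s+")


def parse_specs(text):
    """Map normalised package name -> (operator, version) for each pin line."""
    specs = {}
    for line in text.splitlines():
        m = SPEC_RE.match(line)
        if m:
            name, op, ver = m.groups()
            specs[name.lower().replace("_", "-")] = (op, ver)
    return specs


def version_key(ver):
    """Simplified comparable key: dotted integers only, not full PEP 440."""
    return tuple(int(p) for p in re.findall(r"\d+", ver))


def mismatched_pins(requirements, pre_commit):
    """Packages pinned in both files whose specifiers differ."""
    req, pre = parse_specs(requirements), parse_specs(pre_commit)
    return sorted(p for p in req.keys() & pre.keys() if req[p] != pre[p])


def ignored_vulns(pre_commit):
    """Advisory IDs handed to pip-audit via --ignore-vuln (both arg spellings)."""
    items = [LIST_ITEM_RE.sub("", line).strip().strip("'\"")
             for line in pre_commit.splitlines()]
    ids = []
    for i, item in enumerate(items):
        if item.startswith("--ignore-vuln="):
            ids.append(item.split("=", 1)[1])
        elif item == "--ignore-vuln" and i + 1 < len(items):
            ids.append(items[i + 1])
    return ids


def stale_ignores(requirements, pre_commit, floors=ADVISORY_FLOOR):
    """Ignored advisories whose package floor already meets the fix boundary:
    these ignores should be deleted, which is exactly what this PR does."""
    pins = parse_specs(requirements)
    stale = []
    for vuln in ignored_vulns(pre_commit):
        if vuln not in floors:
            continue
        pkg, fixed = floors[vuln]
        spec = pins.get(pkg)
        if (spec and spec[0] in (">=", "==", "~=")
                and version_key(spec[1]) >= version_key(fixed)):
            stale.append(vuln)
    return stale


def findings(requirements, pre_commit):
    """Problems found; an empty list means the two files are consistent."""
    out = [f"pin mismatch between requirements.txt and pre-commit config: {p}"
           for p in mismatched_pins(requirements, pre_commit)]
    out += [f"stale pip-audit ignore, package already at fixed version: {v}"
            for v in stale_ignores(requirements, pre_commit)]
    return out


if __name__ == "__main__":
    for label, cfg in (("before", PRE_COMMIT_BEFORE), ("after", PRE_COMMIT_AFTER)):
        print(label, findings(REQUIREMENTS_TXT, cfg) or ["ok"])
```

Run against the "before" sample it reports both a pin mismatch and a stale ignore; against the "after" sample it is clean. A real pre-commit config should be read with a YAML parser rather than line regexes; the line-based approach here is only so the example runs with the standard library alone.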
@jsf9k force-pushed the improvement/stop-ignoring-pip-audit-vulnerability branch from 8cc6fd3 to 602d2ff on April 7, 2025 17:34
Projects: In progress
Development

Successfully merging this pull request may close these issues.

Remove ignored vulnerability in pip-audit pre-commit hook
1 participant