Skip to content

fix(deps): bump CVE-affected deps [VC-53657, VC-53626] #204

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ndevarapalli-panw wants to merge 3 commits into
base: master
Choose a base branch
from
Open

fix(deps): bump CVE-affected deps [VC-53657, VC-53626] #204

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
0c8d6c0
fix(deps): bump CVE-affected deps and replace safety with pip-audit —…
ndevarapalli-panw Jun 23, 2026
6aa6cda
fix(deps): address code review findings — VC-53657
ndevarapalli-panw Jun 23, 2026
21ba194
fix(deps): convert setup.py install_requires to range constraints — V…
ndevarapalli-panw Jun 24, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,10 @@ FROM python:3.9-slim

WORKDIR /usr/src/app

RUN echo "pip==25.3 --hash=sha256:9655943313a94722b7774661c21049070f6bbb0a1516bf02f7c8d5d9201514cd" \
> /tmp/pip-pin.txt && pip install --no-cache-dir --require-hashes -r /tmp/pip-pin.txt

COPY requirements-build.txt ./
COPY docker-entrypoint.sh ./

@rvelaVenafi rvelaVenafi Jun 24, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how is docker-entrypoint.sh being rung in line 13 if its not being copied to the docker coantainer?

@ndevarapalli-panw ndevarapalli-panw Jun 24, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is being copied, COPY . . on line 11 copies the entire repo root into /usr/src/app, which includes docker-entrypoint.sh. The explicit COPY docker-entrypoint.sh ./ that was in the original Dockerfile was removed because it was a redundant layer COPY . . already covers it.

requirements-build.txt is still copied separately and early (line 8) for Docker layer caching so that the pip install step only re-runs when the lockfile changes, not on every source code change.

RUN pip install --no-cache-dir --require-hashes -r requirements-build.txt

COPY . .
Expand Down
4 changes: 1 addition & 3 deletions docker-entrypoint.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,6 @@ set -o pipefail

bandit -r vcert/

# ID 40291 is pip, ignore so we can still test python 2.7

@rvelaVenafi rvelaVenafi Jun 24, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My take here is that you guys are no longer supporting python 2?

@ndevarapalli-panw ndevarapalli-panw Jun 24, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes

#Ignoring false-positive issue with pytest. ref: https://github.com/pytest-dev/py/issues/287
safety check -i 40291 -i 51457
pip-audit -r requirements-build.txt

pytest -v --junit-xml=junit.xml --junit-prefix=`python -V | tr ' ' '_'` --cov=vcert --cov=vcert.parser --cov=vcert.policy --cov-report term --cov-report xml
8 changes: 4 additions & 4 deletions requirements-build.in
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
-r requirements.in
pytest==7.4.3
pytest-cov==4.1.0
safety==2.3.5
bandit==1.7.7
pip-audit==2.9.0
pytest==8.4.2
pytest-cov==7.1.0
bandit==1.8.6
329 changes: 235 additions & 94 deletions requirements-build.txt
View file
Open in desktop

Large diffs are not rendered by default.

8 changes: 4 additions & 4 deletions requirements.in
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
requests==2.32.4
python-dateutil==2.8.2
cryptography==45.0.7
python-dateutil==2.9.0.post0
cryptography==48.0.1
six==1.17.0
ruamel.yaml==0.18.13
pynacl==1.5.0
ruamel.yaml==0.18.17
pynacl==1.6.2
147 changes: 89 additions & 58 deletions requirements.txt
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

5 changes: 3 additions & 2 deletions setup.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,8 +14,9 @@
version='0.19.0',
url="https://github.com/Venafi/vcert-python",
packages=['vcert', 'vcert.parser', 'vcert.policy'],
install_requires=['requests==2.32.4', 'python-dateutil==2.8.2', 'six==1.17.0',
'cryptography==45.0.7', 'ruamel.yaml==0.18.13', 'pynacl==1.5.0'],
install_requires=['requests>=2.32.4', 'python-dateutil>=2.9.0.post0', 'six>=1.17.0',
'cryptography>=48.0.1,<50', 'ruamel.yaml>=0.18.17,<0.19', 'pynacl>=1.6.2'],
python_requires='>=3.9.2,<4',
description='Python client library for CyberArk Certificate Manager, Self-Hosted and CyberArk Certificate Manager, SaaS.',
long_description=long_description,
long_description_content_type="text/markdown",
Expand Down
2 changes: 1 addition & 1 deletion vcert/pem.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -110,7 +110,7 @@ def as_pkcs12(self, passphrase=None):
p_key = serialization.load_pem_private_key(data=self.key.encode(), password=b_pass,
backend=default_backend())
except Exception as e:
get_logger().error(msg=f"Error parsing Private Key: {e.message}")
get_logger().error(msg=f"Error parsing Private Key: {str(e)}")
return

name = random_word(10).encode()
Expand Down
Loading