Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Delete python-keyczar==0.716 #6078

Open
wants to merge 8 commits into
base: master
Choose a base branch
from
Open

Delete python-keyczar==0.716 #6078

wants to merge 8 commits into from

Conversation

philipphomberger
Copy link

Keyczar is deprecated.
See:
https://github.com/google/keyczar

Critical Vunability:
https://www.cve.org/CVERecord?id=CVE-2013-7459

I checkout the codebase and not find this libary is still in use.
In the requirements-pants.txt i find that information:

was in fixed-requirements.txt, but not in requirements-pants.txt

keyczar is used by a python2-only test.

#python-keyczar

So because Python 2 is not in use I think this can be remove.
Please let me know if I am wrong. I am happy to learn.

@pull-request-size pull-request-size bot added the size/XS PR that changes 0-9 lines. Quick fix/merge. label Dec 1, 2023
@philipphomberger philipphomberger marked this pull request as ready for review December 1, 2023 08:02
@pull-request-size pull-request-size bot added size/S PR that changes 10-29 lines. Very easy to review. and removed size/XS PR that changes 0-9 lines. Quick fix/merge. labels Dec 1, 2023
@pull-request-size pull-request-size bot added size/XS PR that changes 0-9 lines. Quick fix/merge. and removed size/S PR that changes 10-29 lines. Very easy to review. labels Dec 1, 2023
arm4b
arm4b reviewed Dec 1, 2023
View reviewed changes
CHANGELOG.rst
@@ -82,6 +82,9 @@ Changed
* Remove `distutils` dependencies across the project. #5992
Contributed by @AndroxxTraxxon

* Remove deprecated not use dependencie `python-keyczar`. #6078
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like there's a typo here

arm4b
arm4b reviewed Dec 1, 2023
View reviewed changes
Copy link
Member

@arm4b arm4b left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was indeed deprecated a while ago when we moved from keyczar to cryptography in 2018: #4165

Looks like there is a leftover in fixed-requirements.txt, which is not getting into requirements.txt and not being installed as part of stackstorm dependencies.

Still a good find and should be removed 👍

@arm4b arm4b added this to the 3.9.0 milestone Dec 1, 2023
snyk-bot and others added 2 commits December 8, 2023 16:10
@snyk-bot
fix: st2common/requirements.txt to reduce vulnerabilities
0c0bb01 
The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-5663682
- https://snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-5777683
- https://snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-5813745
- https://snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-5813746
- https://snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-5813750
- https://snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-5914629
- https://snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-6036192
- https://snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-6092044
- https://snyk.io/vuln/SNYK-PYTHON-REDIS-5291195
- https://snyk.io/vuln/SNYK-PYTHON-REQUESTS-5595532
- https://snyk.io/vuln/SNYK-PYTHON-SETUPTOOLS-3180412
Merge pull request #2 from philipphomberger/snyk-fix-f401534cad621dd6…
88394ac 
…8df105fca856a48d

[Snyk] Fix for 11 vulnerabilities
@pull-request-size pull-request-size bot added size/S PR that changes 10-29 lines. Very easy to review. and removed size/XS PR that changes 0-9 lines. Quick fix/merge. labels Dec 8, 2023
@CLAassistant
Copy link

CLAassistant commented Dec 8, 2023
edited
Loading

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
0 out of 2 committers have signed the CLA.

❌ Philipp Homberger
❌ snyk-bot

Philipp Homberger seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

@pull-request-size pull-request-size bot added size/L PR that changes 100-499 lines. Requires some effort to review. and removed size/S PR that changes 10-29 lines. Very easy to review. labels Feb 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cognifloyd cognifloyd cognifloyd left review comments

@arm4b arm4b arm4b left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
size/L PR that changes 100-499 lines. Requires some effort to review.
Projects
StackStorm v3.9.0
Status: Todo
Milestone
3.9.0
Development

Successfully merging this pull request may close these issues.
5 participants
@philipphomberger @CLAassistant @arm4b @cognifloyd @snyk-bot