ansible-collections / azure

Development area for Azure Collections

Home Page: https://galaxy.ansible.com/azure/azcollection


pinned azure-cli-core has associated vulnerabilities

MallocArray opened this issue · comments

SUMMARY

requirements-azure.txt has azure-cli-core==2.34.0, which was released February 2022 and requires older versions of paramiko that have vulnerabilities resolved in >=3.4.0

ISSUE TYPE
  • Bug Report
COMPONENT NAME

azure-cli-core

ANSIBLE VERSION
ansible [core 2.16.4]
  config file = /runner/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.11/site-packages/ansible
  ansible collection location = /runner/collections
  executable location = /usr/local/bin/ansible
  python version = 3.11.7 (main, Jan 22 2024, 00:00:00) [GCC 11.4.1 20231218 (Red Hat 11.4.1-3)] (/usr/bin/python3.11)
  jinja version = 3.1.3
  libyaml = True
COLLECTION VERSION
Collection         Version
------------------ -------
azure.azcollection 2.2.0  
CONFIGURATION
COLLECTIONS_PATHS(/runner/ansible.cfg) = ['/runner/collections']
CONFIG_FILE() = /runner/ansible.cfg
DEFAULT_FILTER_PLUGIN_PATH(/runner/ansible.cfg) = ['/runner/custom_filters']
DEFAULT_ROLES_PATH(/runner/ansible.cfg) = ['/runner/roles']
DEFAULT_STRATEGY_PLUGIN_PATH(/runner/ansible.cfg) = ['/runner/custom_plugins/mitogen-0.3.4/ansible_mitogen/plugins/strategy']
DEFAULT_TIMEOUT(/runner/ansible.cfg) = 40
HOST_KEY_CHECKING(/runner/ansible.cfg) = False
PARAMIKO_LOOK_FOR_KEYS(/runner/ansible.cfg) = False
OS / ENVIRONMENT
STEPS TO REPRODUCE

Install python modules using requirements-azure.txt
Observe that paramiko 2.12.0 is installed
Attempt to force install a later version of paramiko and get an error
azure-cli-core 2.34.0 requires paramiko<3.0.0,>=2.0.8, but you have paramiko 3.4.0 which is incompatible.

https://avd.aquasec.com/nvd/2023/cve-2023-48795/

EXPECTED RESULTS

Current versions of paramiko and azure-cli are installed that have addressed open security vulnerabilities

ACTUAL RESULTS
`azure-cli-core 2.34.0 requires paramiko<3.0.0,>=2.0.8, but you have paramiko 3.4.0 which is incompatible.`
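As an added example (not code from the issue or from the azure.azcollection project), the following Python script reproduces the mechanism behind the reported conflict without calling pip: it parses pinned requirement lines, applies the dependency range the pip error above attributes to azure-cli-core 2.34.0 (paramiko<3.0.0,>=2.0.8), and reports every exact pin whose transitive range excludes the minimum fixed version named in the report (paramiko >=3.4.0 for CVE-2023-48795). The requirement lines, the dependency table and the fixed-version table are constructed inline from values quoted in this issue; the function and variable names are the example's own.

```python
"""Check whether exact pins in a requirements file block a fixed dependency version.

Added example, not part of the azure.azcollection project. The dependency range
and the fixed version below are taken from the text of this issue; the
requirement lines are constructed inline.
"""
import operator
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]
Spec = Tuple[str, Version]          # e.g. ("<", (3, 0, 0))

_NAME_RE = re.compile(r"\s*([A-Za-z0-9_.\-]+)\s*(.*)")
_SPEC_RE = re.compile(r"(==|!=|<=|>=|<|>)\s*([0-9][0-9.]*)")
_OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
        "<=": operator.le, ">": operator.gt, ">=": operator.ge}


def parse_version(text: str) -> Version:
    """'2.34.0' -> (2, 34, 0). Plain dotted numbers only, which covers these pins."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_requirement(line: str) -> Optional[Tuple[str, List[Spec]]]:
    """Parse one requirements.txt line; comment and blank lines yield None."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    match = _NAME_RE.match(body)
    name = match.group(1).lower()
    specs = [(op, parse_version(ver)) for op, ver in _SPEC_RE.findall(match.group(2))]
    return name, specs


def _pad(a: Version, b: Version) -> Tuple[Version, Version]:
    """Right-pad with zeros so (3,) and (3, 0, 0) compare as equal."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def satisfies(version: Version, specs: List[Spec]) -> bool:
    """True if version lies inside every clause, e.g. paramiko<3.0.0,>=2.0.8."""
    for op, bound in specs:
        left, right = _pad(version, bound)
        if not _OPS[op](left, right):
            return False
    return True


def blocked_fixes(requirements, declared_deps, fixed_versions):
    """For each '==' pin, report transitive ranges that exclude a fixed version.

    declared_deps maps (package, pinned_version) -> [(dependency, specs), ...]
    fixed_versions maps dependency -> first version carrying the fix.
    Returns (package, pinned_version, dependency, fixed_version) tuples.
    """
    findings = []
    for line in requirements:
        parsed = parse_requirement(line)
        if parsed is None:
            continue
        name, specs = parsed
        pins = [ver for op, ver in specs if op == "=="]
        if not pins:
            continue                      # only exact pins freeze a transitive range
        for dep_name, dep_specs in declared_deps.get((name, pins[0]), []):
            fixed = fixed_versions.get(dep_name)
            if fixed is not None and not satisfies(fixed, dep_specs):
                findings.append((name, pins[0], dep_name, fixed))
    return findings


# Constructed sample input built from the values quoted in this issue.
REQUIREMENTS = [
    "# constructed excerpt in the shape of requirements-azure.txt",
    "azure-cli-core==2.34.0",
]
# Range pip reported for azure-cli-core 2.34.0: paramiko<3.0.0,>=2.0.8
DECLARED_DEPS = {
    ("azure-cli-core", (2, 34, 0)): [
        ("paramiko", [("<", (3, 0, 0)), (">=", (2, 0, 8))]),
    ],
}
# The report states the paramiko vulnerabilities are resolved in >=3.4.0
FIXED_VERSIONS = {"paramiko": (3, 4, 0)}


def fmt(version: Version) -> str:
    return ".".join(str(part) for part in version)


if __name__ == "__main__":
    for pkg, pin, dep, fixed in blocked_fixes(REQUIREMENTS, DECLARED_DEPS, FIXED_VERSIONS):
        print(f"{pkg}=={fmt(pin)} constrains {dep} so that the fixed release "
              f"{dep} {fmt(fixed)} cannot be installed")
```

The check deliberately looks only at `==` pins: a range such as `azure-cli-core>=2.34.0` leaves the resolver free to pick a newer release whose own paramiko range may already admit 3.4.0, so it is not reported. In a CI job the `DECLARED_DEPS` table would be filled from the installed package metadata rather than typed in by hand.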

@MallocArray Yes, now that the bug has been fixed, it should be used for future use as soon as possible. We will arrange to upgrade these related dependencies at the same time. Thank you!

#1163 mentions this same dependency and can be closed when the updated dependency is released

@Fred-sun
Any update on this? I'm still getting trivy notifications of vulnerabilities related to paramiko and black, both of which are running older versions because of pinned versions related to the 2022 release of azure-cli-core pinned in this collection.

@MallocArray Because many packages have interdependent relationships with each other, this is something we are preparing to upgrade. Thank you!