pinned azure-cli-core has associated vulnerabilities
MallocArray opened this issue
SUMMARY
requirements-azure.txt has azure-cli-core==2.34.0, which was released February 2022 and requires older versions of paramiko that have vulnerabilities resolved in >=3.4.0
ISSUE TYPE
- Bug Report
COMPONENT NAME
azure-cli-core
ANSIBLE VERSION
ansible [core 2.16.4]
config file = /runner/ansible.cfg
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/lib/python3.11/site-packages/ansible
ansible collection location = /runner/collections
executable location = /usr/local/bin/ansible
python version = 3.11.7 (main, Jan 22 2024, 00:00:00) [GCC 11.4.1 20231218 (Red Hat 11.4.1-3)] (/usr/bin/python3.11)
jinja version = 3.1.3
libyaml = True
COLLECTION VERSION
Collection Version
------------------ -------
azure.azcollection 2.2.0
CONFIGURATION
COLLECTIONS_PATHS(/runner/ansible.cfg) = ['/runner/collections']
CONFIG_FILE() = /runner/ansible.cfg
DEFAULT_FILTER_PLUGIN_PATH(/runner/ansible.cfg) = ['/runner/custom_filters']
DEFAULT_ROLES_PATH(/runner/ansible.cfg) = ['/runner/roles']
DEFAULT_STRATEGY_PLUGIN_PATH(/runner/ansible.cfg) = ['/runner/custom_plugins/mitogen-0.3.4/ansible_mitogen/plugins/strategy']
DEFAULT_TIMEOUT(/runner/ansible.cfg) = 40
HOST_KEY_CHECKING(/runner/ansible.cfg) = False
PARAMIKO_LOOK_FOR_KEYS(/runner/ansible.cfg) = False
OS / ENVIRONMENT
STEPS TO REPRODUCE
Install python modules using requirements-azure.txt
Observe that paramiko 2.12.0 is installed
Attempt to force install a later version of paramiko and get an error
azure-cli-core 2.34.0 requires paramiko<3.0.0,>=2.0.8, but you have paramiko 3.4.0 which is incompatible.
https://avd.aquasec.com/nvd/2023/cve-2023-48795/
EXPECTED RESULTS
Current versions of paramiko and azure-cli are installed that have addressed open security vulnerabilities
ACTUAL RESULTS
`azure-cli-core 2.34.0 requires paramiko<3.0.0,>=2.0.8, but you have paramiko 3.4.0 which is incompatible.`
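The conflict above comes down to one question: can the specifier that azure-cli-core 2.34.0 declares for paramiko (`<3.0.0,>=2.0.8`) ever admit the release that carries the fix (`>=3.4.0`)? If not, no amount of forcing a newer paramiko helps and the only remedy is moving the azure-cli-core pin. The script below is an added example, not code from this issue or from azure.azcollection: it parses the pip error line quoted above (embedded here as a constructed string), evaluates the declared specifier, and reports whether the pin locks out the fix. Assumptions: only plain dotted numeric versions (X.Y.Z) are handled, and `3.4.0` is taken as the fixed version because the report says the vulnerabilities are resolved in >=3.4.0.

```python
"""Triage a pip 'requires ... but you have ...' conflict against a fixed version.

Added example; not the collection's code. Handles only plain numeric
versions (X.Y.Z) and the specifier operators ==, !=, <, <=, >, >=, ~=.
"""
import re
from typing import Dict, List, Tuple

# Constructed from the error text quoted in the issue (not captured from a live pip run).
PIP_ERROR = ("azure-cli-core 2.34.0 requires paramiko<3.0.0,>=2.0.8, "
             "but you have paramiko 3.4.0 which is incompatible.")
FIXED_PARAMIKO = "3.4.0"  # assumption: first release the report says resolves the CVE

_CONFLICT_RE = re.compile(
    r"^(?P<pkg>\S+) (?P<pkgver>\S+) requires (?P<dep>[A-Za-z0-9_.-]+)"
    r"(?P<spec>[^ ,]*(?:,[^ ,]+)*), but you have (?P=dep) (?P<have>\S+) "
    r"which is incompatible\.$"
)
_CLAUSE_RE = re.compile(r"^(~=|==|!=|<=|>=|<|>)\s*([0-9][0-9.]*)$")


def _vtuple(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.strip().split("."))


def _cmp(a: str, b: str) -> int:
    """Compare two dotted versions; shorter tuples are zero-padded (3.4 == 3.4.0)."""
    ta, tb = _vtuple(a), _vtuple(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def parse_spec(spec: str) -> List[Tuple[str, str]]:
    """Split 'a<3.0.0,>=2.0.8'-style text into (operator, bound) clauses."""
    clauses = []
    for raw in (c.strip() for c in spec.split(",")):
        if not raw:
            continue
        m = _CLAUSE_RE.match(raw)
        if not m:
            raise ValueError(f"unsupported specifier clause: {raw!r}")
        clauses.append((m.group(1), m.group(2)))
    return clauses


def _compat_upper(bound: str) -> str:
    """'~=X.Y.Z' means >=X.Y.Z and <X.(Y+1); return that exclusive upper bound."""
    parts = list(_vtuple(bound))
    if len(parts) < 2:
        raise ValueError("~= needs at least two release segments")
    parts = parts[:-1]
    parts[-1] += 1
    return ".".join(map(str, parts))


def satisfies(version: str, spec: str) -> bool:
    """True if `version` meets every clause of `spec`."""
    for op, bound in parse_spec(spec):
        c = _cmp(version, bound)
        if op == "==" and c != 0:
            return False
        if op == "!=" and c == 0:
            return False
        if op == "<" and c >= 0:
            return False
        if op == "<=" and c > 0:
            return False
        if op == ">" and c <= 0:
            return False
        if op == ">=" and c < 0:
            return False
        if op == "~=" and (c < 0 or _cmp(version, _compat_upper(bound)) >= 0):
            return False
    return True


def blocks_fix(spec: str, fixed: str) -> bool:
    """True if no version >= `fixed` can ever satisfy `spec` (the pin locks out the fix)."""
    for op, bound in parse_spec(spec):
        if op == "<" and _cmp(bound, fixed) <= 0:
            return True
        if op == "<=" and _cmp(bound, fixed) < 0:
            return True
        if op == "==" and _cmp(bound, fixed) < 0:
            return True
        if op == "~=" and _cmp(_compat_upper(bound), fixed) <= 0:
            return True
    return False


def triage(pip_error: str, fixed: str) -> Dict[str, object]:
    """Parse a pip conflict line and say whether the upstream pin must move."""
    m = _CONFLICT_RE.match(pip_error.strip())
    if not m:
        raise ValueError("not a pip 'requires ... but you have' conflict line")
    d: Dict[str, object] = m.groupdict()
    d["fix_satisfies_pin"] = satisfies(fixed, d["spec"])
    d["pin_blocks_fix"] = blocks_fix(d["spec"], fixed)
    d["remedy"] = (f"bump {d['pkg']} past {d['pkgver']}" if d["pin_blocks_fix"]
                   else f"install {d['dep']}>={fixed} within {d['spec']}")
    return d


if __name__ == "__main__":
    r = triage(PIP_ERROR, FIXED_PARAMIKO)
    print(f"{r['pkg']} {r['pkgver']} pins {r['dep']}{r['spec']}; "
          f"fix {FIXED_PARAMIKO} allowed: {r['fix_satisfies_pin']}; remedy: {r['remedy']}")
```

For the line quoted in this issue the script reports that `<3.0.0` sits below `3.4.0`, so the pin blocks the fix and the remedy is to move azure-cli-core, which matches the resolver's refusal above. The same check is useful on any scanner finding: feed it the pip conflict text and the scanner's "fixed in" version to tell a pin that merely needs a re-resolve from one that needs an upstream bump.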
@MallocArray Yes, now that the bug has been fixed, it should be used for future use as soon as possible. We will arrange to upgrade these related dependencies at the same time. Thank you!
#1163 mentions this same dependency and can be closed when the updated dependency is released
@Fred-sun
Any update on this? I'm still getting trivy notifications of vulnerabilities related to paramiko and black, both of which are running older versions because of pinned versions related to the 2022 release of azure-cli-core pinned in this collection.
@MallocArray Because many packages have interdependent relationships with each other, this is something we are preparing to upgrade. Thank you!