Increasing Lemur Dependency Versions to Address Vulnerabilities (#160)

TrevorCMorton · web-flow · commit 1277a89eda29 · 2024-01-19T14:13:23.000-05:00
* Increasing Lemur Dependency Versions to Address Vulnerabilities

* Reverting jinja2 and werkzeug due to incompatibility with old flask version
diff --git a/requirements-docs.in b/requirements-docs.in
@@ -11,7 +11,7 @@ celery[redis]
 certbot
 certsrv
 CloudFlare
-cryptography >= 41.0.4 # Required to avoid vulnerability in previous version (VULN-4474)
+cryptography >= 41.0.6 # Required to avoid vulnerability in previous version (VULN-5135)
 dnspython3
 dyn
 Flask <= 1.1.2 # similar to Flask-Migrate
@@ -33,8 +33,9 @@ logmatic-python
 marshmallow-sqlalchemy == 0.23.1 #related to the marshmallow issue (to avoid conflicts, as newer versions require marshmallow>=3.0.0)
 sqlalchemy < 1.4.0 # ImportError: cannot import name '_ColumnEntity' https://github.com/sqlalchemy/sqlalchemy/issues/6226
 marshmallow<2.21.1 #schema duplicate issues https://github.com/marshmallow-code/marshmallow-sqlalchemy/issues/121
-paramiko  # required for the SFTP destination plugin
+paramiko >= 3.4.0 # required for the SFTP destination plugin
 pem
+pycryptodomex >= 3.19.1 # Required to address vulnerability in older version (VULN-5325)
 pyjks >= 19 # pyjks < 19 depends on pycryptodome, which conflicts with dyn's usage of pycrypto
 pyjwt
 pyOpenSSL
diff --git a/requirements-docs.txt b/requirements-docs.txt
@@ -129,7 +129,7 @@ configobj==5.0.8
     #   certbot
 coverage==7.3.2
     # via -r requirements-tests.txt
-cryptography==41.0.4
+cryptography==41.0.7
     # via
     #   -r requirements-docs.in
     #   -r requirements-tests.txt
@@ -336,9 +336,7 @@ mdurl==0.1.2
     #   -r requirements-tests.txt
     #   markdown-it-py
 moto[all]==4.2.6
-    # via
-    #   -r requirements-tests.txt
-    #   moto
+    # via -r requirements-tests.txt
 mpmath==1.3.0
     # via
     #   -r requirements-tests.txt
@@ -373,7 +371,7 @@ packaging==23.2
     #   gunicorn
     #   pytest
     #   sphinx
-paramiko==3.3.1
+paramiko==3.4.0
     # via -r requirements-docs.in
 parsedatetime==2.6
     # via
@@ -418,8 +416,10 @@ pycparser==2.21
     # via
     #   -r requirements-tests.txt
     #   cffi
-pycryptodomex==3.19.0
-    # via pyjks
+pycryptodomex==3.20.0
+    # via
+    #   -r requirements-docs.in
+    #   pyjks
 pydantic==2.4.2
     # via
     #   -r requirements-tests.txt
@@ -481,7 +481,6 @@ python-jose[cryptography]==3.3.0
     # via
     #   -r requirements-tests.txt
     #   moto
-    #   python-jose
 python-json-logger==2.0.7
     # via logmatic-python
 pytz==2023.3.post1
diff --git a/requirements-tests.in b/requirements-tests.in
@@ -3,7 +3,7 @@ bandit
 black
 coverage
 certbot
-cryptography >= 41.0.4 # Required to avoid vulnerability in previous version (VULN-4474)
+cryptography >= 41.0.6 # Required to avoid vulnerability in previous version (VULN-5135)
 factory-boy
 Faker
 fakeredis
@@ -26,4 +26,4 @@ requests-mock
 sqlalchemy < 1.4.0 # ImportError: cannot import name '_ColumnEntity' https://github.com/sqlalchemy/sqlalchemy/issues/6226
 urllib3 == 1.26.18 # urllib3 is used by 'requests' package. Version restriction is required to avoid vulnerability in previous version (VULN-4806)
 pyyaml>=4.2b1
-werkzeug < 2.1.0 # requires a newer version of Flask
+werkzeug < 2.1.0 # requires a newer version of Flask
diff --git a/requirements-tests.txt b/requirements-tests.txt
@@ -55,7 +55,7 @@ configobj==5.0.8
     # via certbot
 coverage==7.3.2
     # via -r requirements-tests.in
-cryptography==41.0.4
+cryptography==41.0.7
     # via
     #   -r requirements-tests.in
     #   acme
@@ -161,9 +161,7 @@ marshmallow-sqlalchemy==0.23.1
 mdurl==0.1.2
     # via markdown-it-py
 moto[all]==4.2.6
-    # via
-    #   -r requirements-tests.in
-    #   moto
+    # via -r requirements-tests.in
 mpmath==1.3.0
     # via sympy
 multipart==0.2.4
@@ -240,9 +238,7 @@ python-dateutil==2.8.2
     #   freezegun
     #   moto
 python-jose[cryptography]==3.3.0
-    # via
-    #   moto
-    #   python-jose
+    # via moto
 pytz==2023.3.post1
     # via
     #   acme
diff --git a/requirements.in b/requirements.in
@@ -19,7 +19,7 @@ cert_manager
 certsrv
 https://binaries.ddbuild.io/dd-source/python/cert_orchestration_adapter-0.1.5-py3-none-any.whl
 CloudFlare
-cryptography >= 41.0.4 # Required to avoid vulnerability in previous version (VULN-4474)
+cryptography >= 41.0.6 # Required to avoid vulnerability in previous version (VULN-5135)
 deprecated
 dnspython3
 ddtrace == 0.53.0 # Required for cert orchestration adapter.
@@ -49,10 +49,11 @@ logmatic-python
 marshmallow-sqlalchemy == 0.23.1 #related to the marshmallow issue (to avoid conflicts)
 marshmallow<2.21.1 #schema duplicate issues https://github.com/marshmallow-code/marshmallow-sqlalchemy/issues/121
 ndg-httpsclient
-paramiko  # required for the SFTP destination plugin
+paramiko >= 3.4.0 # required for the SFTP destination plugin
 pem
 protobuf == 3.20.2 # Required for cert orchestration adapter.
 psycopg2
+pycryptodomex >= 3.19.1 # Required to address vulnerability in older version (VULN-5325)
 pyjks >= 19 # pyjks < 19 depends on pycryptodome, which conflicts with dyn's usage of pycrypto
 pyjwt
 pyOpenSSL
diff --git a/requirements.txt b/requirements.txt
@@ -130,7 +130,7 @@ configargparse==1.7
     # via certbot
 configobj==5.0.8
     # via certbot
-cryptography==41.0.4
+cryptography==41.0.7
     # via
     #   -r requirements.in
     #   acme
@@ -287,7 +287,7 @@ packaging==23.2
     # via
     #   ddtrace
     #   gunicorn
-paramiko==3.3.1
+paramiko==3.4.0
     # via -r requirements.in
 parsedatetime==2.6
     # via certbot
@@ -325,8 +325,10 @@ pyasn1-modules==0.3.0
     #   python-ldap
 pycparser==2.21
     # via cffi
-pycryptodomex==3.19.0
-    # via pyjks
+pycryptodomex==3.20.0
+    # via
+    #   -r requirements.in
+    #   pyjks
 pyjks==20.0.0
     # via -r requirements.in
 pyjwt[crypto]==2.8.0
