Closed linglp closed 2 months ago
@linglp This seems to have failed
@tschaffter I looked at the security issues raised by trivy, and here's a summary of how I plan to address them:
python-cryptography: this has to be addressed by turning the pyopenssl package optional in schematic (see PR here: https://github.com/Sage-Bionetworks/schematic/pull/1413), because cryptography is a dependency of pyopenssl. This means that we could update cryptography and pyopenssl after another release of schematic.
flask: updating flask to a later version requires updating connexion. The latest version of connexion is 3.0.6 but the current version that we are using is 2.14.1. I tried updating connexion to the latest but got an error message:
Thus, connexion (>=3.0.6,<4.0.0) requires MarkupSafe (>=2.1.1).
And because schematicpy (24.2.1) depends on MarkupSafe (2.1.0), connexion (>=3.0.6,<4.0.0) is incompatible with schematicpy (24.2.1).
So, because schematic-api depends on both schematicpy (24.2.1) and connexion (^3.0.6), version solving failed.
I then double checked schematicpy version 24.2.1 and found out that in the lock file, MarkupSafe version is indeed 2.1.0. But the current schematic in develop branch is already using MarkupSafe 2.1.5. This means that we could update connexion and flask after another release of schematic
updating werkzeug: this is a package related to flask. I think after updating flask to a newer version, this error should go away.
Note: How about making MarkupSafe optional?
I did a `poetry show markupsafe` in the schematic repo, and I could see:
required by
And nbconvert is required by jupyter-server, which means that to turn it optional, we have to turn jupyter-server optional. That's possible, but should be its own PR and ticket.
Problem
Related to https://sagebionetworks.jira.com/browse/FDS-1942 Got an error message when trying to build docker image:
and also:
The cause is that our project is using Python version 3.10.13 but 3.10.14 is required.
The docker file that we are using starts with `FROM tiangolo/uwsgi-nginx-flask:python3.10`. When I looked into the base image of that docker file, I saw `FROM tiangolo/uwsgi-nginx:python3.10`. And in this docker file, I saw `FROM python:3.10-bullseye`. I then checked the docker file related to `python:3.10-bullseye` here and saw that it sets `ENV PYTHON_VERSION 3.10.14`. I also checked the commit history of the `python:3.10-bullseye` docker file and found that two weeks ago, they updated the image to use Python 3.10.14 instead of Python 3.10.13. (See commit here)

Temporary solution
Updated our project to use python 3.10.14
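The breakage above comes from a Python patch version inherited through a chain of `FROM` lines that nobody in the project pinned. The script below (an added example, not part of this PR or the schematic code base) walks a base-image chain to find the effective `ENV PYTHON_VERSION` and checks it against the project's `python` constraint; the Dockerfile contents are constructed approximations of the three images named in the description, not the real files.

```python
"""Check that the Python baked into a Docker base-image chain satisfies
a Poetry-style `python` constraint, so a silent upstream bump is caught."""
import re

# Constructed stand-ins for the three Dockerfiles in the chain (abbreviated, not the real files).
DOCKERFILES = {
    "tiangolo/uwsgi-nginx-flask:python3.10": "FROM tiangolo/uwsgi-nginx:python3.10\nCOPY ./app /app\n",
    "tiangolo/uwsgi-nginx:python3.10": "FROM python:3.10-bullseye\nRUN apt-get update\n",
    "python:3.10-bullseye": "FROM buildpack-deps:bullseye\nENV PYTHON_VERSION 3.10.14\n",
}

def resolve_python_version(image, dockerfiles, max_depth=10):
    """Follow FROM lines until an ENV PYTHON_VERSION is found; None if the chain ends first."""
    for _ in range(max_depth):
        text = dockerfiles.get(image)
        if text is None:
            return None
        env = re.search(r"^ENV\s+PYTHON_VERSION[ =](\S+)", text, re.M)
        if env:
            return env.group(1)
        parent = re.search(r"^FROM\s+(\S+)", text, re.M)
        if not parent:
            return None
        image = parent.group(1)
    return None

def _tuple(version):
    return tuple(int(part) for part in version.split("."))

def satisfies(version, constraint):
    """Exact pins ('3.10.13'), caret ranges ('^3.10.13': same major, >= base) and
    comma-separated >=, <=, ==, >, < specs. Caret here assumes a non-zero major."""
    v = _tuple(version)
    c = constraint.strip()
    if c.startswith("^"):
        base = _tuple(c[1:])
        return v >= base and v[0] == base[0]
    for spec in c.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|>|<)?\s*([\d.]+)\s*", spec)
        if not m:
            raise ValueError(f"unsupported spec: {spec!r}")
        op, bound = m.group(1) or "==", _tuple(m.group(2))
        if not {"==": v == bound, ">=": v >= bound, "<=": v <= bound, ">": v > bound, "<": v < bound}[op]:
            return False
    return True

def check_image(image, constraint, dockerfiles=DOCKERFILES):
    """Return (effective_python_version, ok). ok is False when unresolved or out of range."""
    version = resolve_python_version(image, dockerfiles)
    return version, bool(version) and satisfies(version, constraint)

if __name__ == "__main__":
    print(check_image("tiangolo/uwsgi-nginx-flask:python3.10", "3.10.13"))
```

Run this in CI against the project's pinned base image and constraint: the exact pin `3.10.13` fails once the base image moves to 3.10.14, while a range such as `>=3.10,<3.11` keeps passing.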