As part of the CURA-8400 and CURA-8403 tickets, several dependencies needed to be updated in order to avoid the latest vulnerabilities that were found:
OpenSSL to v1.1.1l
pywin32 to version 301
networkx to version 2.6.2
urllib3 to 1.26.6
Furthermore, an integrity check on all the Python packages has been introduced. We now use the base_requirements.txt and requirements.txt files to install all of Cura's dependencies, where we also specify the accepted sha256 hashes for each dependency and sometimes even the platform it needs to be downloaded for.
This led to also adding the hashes for the dependencies of each of our required dependencies. For instance, when installing twisted, pip automatically downloads several dependencies such as constantly, hyperlink, etc., for which we also have to provide accepted hashes in the requirements file.
Finally, some extra platform-specific commands needed to be added for installing OpenSSL on Windows, as the Python build directory would by default download and install v1.1.1k.
This PR contributes to CURA-8400 and CURA-8403 and needs to be reviewed and checked together with https://github.com/Ultimaker/cura-build/pull/265