search

aws-powertools / powertools-lambda-python

A developer toolkit to implement Serverless best practices and increase developer velocity.
https://docs.powertools.aws.dev/lambda/python/latest/
MIT No Attribution
2.91k stars 401 forks source link

Maintenance: pyproject.toml and poetry.lock dependency versions appear at odds #5437

Closed availity-droo closed 1 month ago

availity-droo commented 1 month ago

Why is this needed?

In the process of developing and deploying a solution utilizing aws-lambda-powertools, we discovered our SCA scanner was noticing pydantic CVE-2024-3772 due to version 2.0.3 being installed when using conda. I noticed the poetry.lock file references 2.9.1 of pydantic, however, and was curious if that discrepancy was intentional.

I am aware the vulnerable method validate_email is not being called from the CVE, but it is always nicer to have a clean vulnerability scan and avoid creating waivers/mitigations for findings.

Which area does this relate to?

Other

Solution

Update the pyproject.toml dependency list to reflect those currently locked via poetry.

Acknowledgment

boring-cyborg[bot] commented 1 month ago

Thanks for opening your first issue here! We'll come back to you as soon as we can. In the meantime, check out the #python channel on our Powertools for AWS Lambda Discord: Invite link

leandrodamascena commented 1 month ago

Hi @availity-droo! Thanks for opening this issue! I need a bit more information about the reported problem. I know Pydantic had some CVEs in v2, not just the one you mentioned, but others, but we're not pinning the version 2.0.3. The version specification for pydantic is "^2.0.3" and uses the caret (^) operator, which means "compatible with version 2.0.3 and any later minor or patch versions, but not major versions".

Also, checking the poetry instalation, everything looks ok.

➜  aws-lambda-powertools-v3 git:(develop) ✗ poetry lock --check
poetry lock --check is deprecated, use `poetry check --lock` instead.
poetry.lock is consistent with pyproject.toml.
➜  aws-lambda-powertools-v3 git:(develop) ✗ 
➜  aws-lambda-powertools-v3 git:(develop) ✗ poetry show --all | grep pydantic
pydantic                                    2.9.1          
pydantic-core                               2.23.3         
➜  aws-lambda-powertools-v3 git:(develop) ✗

We also have some security checks and we don't have alert in any of them.

Maybe it's because your SCA scanner is looking for this line as 2.0.3 and not allowing 2.0.3+? Or maybe an issue related to how conda doesn't install all dependencies?

Please let me know your thoughts.

sthulb commented 1 month ago

Hi @availity-droo, can you tell us which tools you're using for scanning? I'd like to replicate your environment so I can reproduce.

Thanks!

leandrodamascena commented 1 month ago

Hi @availity-droo I think it makes sense to bump the Pydantic version in project.toml to at least 2.4.0 and prevent customers from installing any version with CVE. I mean, we don't install versions with CVE because when someone uses our layers or install aws-lambda-powertools[all/tracer] we install the latest Pydantic version, but that doesn't prevent someone from installing a version with CVE and SAST tools complaining. I'm changing the version to 2.4.0 minimum.

github-actions[bot] commented 1 month ago

⚠️COMMENT VISIBILITY WARNING⚠️

This issue is now closed. Please be mindful that future comments are hard for our team to see.

If you need more assistance, please either tag a team member or open a new issue that references this one.

If you wish to keep having a conversation with other community members under this issue feel free to do so.

github-actions[bot] commented 2 weeks ago

This is now released under 3.3.0 version!