fecgov / fecfile-web-api

Back-end API for FECfile application
Other

[High] Update `sqlparse` to 0.5.0 #935

Closed lbeaufort closed 2 months ago

lbeaufort commented 3 months ago

Business Reason

[High] Update sqlparse to 0.5.0

https://security.snyk.io/vuln/SNYK-PYTHON-SQLPARSE-6615674

As a [role], I will be able to [blank] so that I can [business reason]

Acceptance Criteria

If [precedent] When [action] Then [result]

QA Notes

null

DEV Notes

null

Design

null

FECFILE-1442

sasha-dresden commented 3 months ago

@lbeaufort Are we using sqlparse anywhere? The only reference I found to it in our repos was in an archived repo.

lbeaufort commented 3 months ago

@sasha-dresden I might need to add you to Snyk to see this: https://app.snyk.io/org/fecfile/project/e7c50dce-96a9-4313-818b-069a631aa5bc#issue-SNYK-PYTHON-SQLPARSE-6615674

Detailed paths and remediation
Introduced through: project@0.0.0 › django@3.2.25 › sqlparse@0.4.4
Fix: Pin sqlparse to version 0.5.0 
Introduced through: project@0.0.0 › dj-database-url@1.3.0 › django@3.2.25 › sqlparse@0.4.4
Fix: Pin sqlparse to version 0.5.0 
Introduced through: project@0.0.0 › django-cors-headers@3.13.0 › django@3.2.25 › sqlparse@0.4.4
Fix: Pin sqlparse to version 0.5.0 
Introduced through: project@0.0.0 › django-otp@1.1.4 › django@3.2.25 › sqlparse@0.4.4
Fix: Pin sqlparse to version 0.5.0 
Introduced through: project@0.0.0 › django-storages@1.13.1 › django@3.2.25 › sqlparse@0.4.4
Fix: Pin sqlparse to version 0.5.0 
Introduced through: project@0.0.0 › djangorestframework@3.14.0 › django@3.2.25 › sqlparse@0.4.4
Fix: Pin sqlparse to version 0.5.0 

You can see sqlparse being installed here: https://app.circleci.com/pipelines/github/fecgov/fecfile-web-api/3854/workflows/9c1e5c2e-0476-42bd-b665-9c96c482e3e5/jobs/11616
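The Snyk output above answers sasha-dresden's question: the project never imports `sqlparse` itself, but every path through `django@3.2.25` pulls in `sqlparse@0.4.4`, so a direct pin is the only way to force the fixed version without a Django upgrade. The script below is an added example, not code from the fecfile-web-api repository: it builds a dependency graph and a requirements file constructed from the paths listed in the comment, enumerates every root-to-target path (the same "Introduced through" view Snyk renders), and reports whether the pinned version is below the advisory's fixed version. The `version_key` helper only understands plain `X.Y.Z` releases; a real audit would use `packaging.version`.

```python
"""Audit a pinned dependency set for a vulnerable transitive package.

Added example, not code from the fecfile-web-api project. The dependency
graph and requirements text are constructed from the paths listed in the
issue; the fixed version is the one the advisory names (0.5.0).
"""
from typing import Dict, List, Tuple

# Constructed sample: direct pins as they might appear in requirements.txt.
SAMPLE_REQUIREMENTS = """\
django==3.2.25
dj-database-url==1.3.0
django-cors-headers==3.13.0
django-otp==1.1.4
django-storages==1.13.1
djangorestframework==3.14.0
sqlparse==0.4.4
"""

# Constructed sample: which package requires which (edges only; versions
# come from the pins above). Mirrors the six "Introduced through" paths.
SAMPLE_GRAPH: Dict[str, List[str]] = {
    "project": ["django", "dj-database-url", "django-cors-headers",
                "django-otp", "django-storages", "djangorestframework"],
    "dj-database-url": ["django"],
    "django-cors-headers": ["django"],
    "django-otp": ["django"],
    "django-storages": ["django"],
    "djangorestframework": ["django"],
    "django": ["sqlparse"],
    "sqlparse": [],
}


def parse_requirements(text: str) -> Dict[str, str]:
    """Parse 'name==version' lines; comments and blank lines are skipped."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            # An unpinned requirement would float to whatever pip resolves.
            raise ValueError(f"unpinned requirement: {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric release tuple; enough for plain X.Y.Z releases (assumption)."""
    return tuple(int(part) for part in version.split("."))


def find_paths(graph: Dict[str, List[str]], root: str, target: str) -> List[List[str]]:
    """Every acyclic path from root to target, in discovery order."""
    paths: List[List[str]] = []

    def walk(node: str, trail: List[str]) -> None:
        if node == target:
            paths.append(trail)
            return
        for dep in graph.get(node, []):
            if dep not in trail:  # guard against cycles
                walk(dep, trail + [dep])

    walk(root, [root])
    return paths


def audit(requirements_text: str, graph: Dict[str, List[str]],
          target: str, fixed_version: str):
    """Return (pinned_version, is_vulnerable, rendered_paths) for target."""
    pins = parse_requirements(requirements_text)
    installed = pins.get(target)
    if installed is None:
        raise KeyError(f"{target} is not pinned; add an explicit pin")
    vulnerable = version_key(installed) < version_key(fixed_version)
    paths = find_paths(graph, "project", target)
    rendered = [" › ".join(f"{n}@{pins.get(n, '0.0.0')}" for n in p) for p in paths]
    return installed, vulnerable, rendered


if __name__ == "__main__":
    pinned, vuln, paths = audit(SAMPLE_REQUIREMENTS, SAMPLE_GRAPH, "sqlparse", "0.5.0")
    print(f"sqlparse pinned at {pinned}; vulnerable: {vuln}")
    for p in paths:
        print("Introduced through:", p)
```

Running it against the constructed pins reports `sqlparse` at 0.4.4 as vulnerable along all six paths; changing the pin to `sqlparse==0.5.0` flips the result, which is exactly the check QA performed by eye on the configuration screenshot.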

exalate-issue-sync[bot] commented 2 months ago

Matt Travers commented: Passes CR. Sending to QA.

Screenshot of configuration file setting sqlparse package to version 0.5.0

[image: image-20240710-163508.png]

Passes unit tests:

https://app.circleci.com/pipelines/github/fecgov/fecfile-web-api/3909/workflows/688f274e-93cd-4346-8dda-df86848a26ba/jobs/11783

[image: image-20240710-164656.png]

exalate-issue-sync[bot] commented 2 months ago

Shelly Wise commented: QA review verified per visual inspection the screenshot of the configuration file setting sqlparse package to version 0.5.0 provided by DEV successfully passes for this ticket. (See screenshot below)

QA Review Completed. Moved to Stage Ready.

exalate-issue-sync[bot] commented 2 months ago

akhorsand commented: Accepted by Paul Clark at 7/30/24 sprint review.