fugue / credstash

A little utility for managing credentials in the cloud
Apache License 2.0

Project dependencies have API risk issues #308

Open PyDeps opened 2 years ago

PyDeps commented 2 years ago

Hi, in credstash, inappropriate dependency versioning constraints can cause risks.

Below are the dependencies and version constraints that the project is using:

```
cryptography>=2.1
boto3>=1.1.1
```

The version constraint `==` will introduce the risk of dependency conflicts because the scope of dependencies is too strict. The version constraints "No Upper Bound" and `*` will introduce the risk of a missing-API error, because the latest version of a dependency may remove some APIs.

After further analysis, in this project, the version constraint of dependency cryptography can be changed to `>=0.1,<=0.4`. The version constraint of dependency cryptography can be changed to `>=3.0,<=37.0.2`.

The above modification suggestions can reduce dependency conflicts as much as possible, and introduce the latest versions as much as possible without causing errors in the project.

The invocation of the current project includes all of the following methods.

The calling methods from cryptography:

```
constant_time.bytes_eq
```

@nelhage Could you please help me check this issue? May I open a pull request to fix it? Thank you very much.