Security vulnerabilities in 18.1.0-rc2

[vogelsgesang]

An automated security scan of 18.1.0-rc2 complained about the following dependencies:

• llvm/utils/git/requirements.txt
  • gitpython==3.1.32 CVE-2023-40590 CVE-2023-41040 CVE-2024-22190
  • cryptography==41.0.3 CVE-2023-4807CVE-2023-49083 CVE-2023-50782
  • urllib3==1.26.12 CVE-2023-43804 CVE-2023-45803
  • requests==2.28.1 CVE-2023-32681
• third-party/benchmark/requirements.txt
  • numpy==1.19.4 CVE-2021-34141 CVE-2021-41495 CVE-2021-41496
  • pandas==1.1.5 CVE-2020-13091
  • scipy==1.5.4 CVE-2018-1999024
• mlir/utils/vscode/package-lock.json
  • semver:7.3.7 CVE-2022-25883
  • minimatch Sonatype CWE 1333
• llvm/docs/requirements.txt
  • sphinx-bootstrap-theme==0.8.1 CVE-2019-11358 CVE-2020-11023 CVE-2020-23064 CVE-2020-11022

This is the follow-up from #64417 for the 18.1.0 release

[vogelsgesang]

Tagging potential owners of the requirements files based previous discussions in #64417

@tru re llvm/utils/git/requirements.txt: Afaict, the change https://reviews.llvm.org/D157254 never actually landed. Can we land an updated version of this patch?

@mtrofin re third-party/benchmark/requirements.txt: An update to the latest upstream benchmark library should resolve the issues. There was previously https://reviews.llvm.org/D157101 but the discussion on the review died down.

[StephanTLavavej]

MSVC has similar automated security scanning, which inspects our LLVM submodules - it identified three of the dependencies mentioned above, two for reasons not mentioned above. I'll list them here in case it helps.

• https://github.com/llvm/llvm-project/blob/300425cea51ef566a4d38e57afd9a7ae8024a682/llvm/utils/git/requirements.txt#L17
  • CVE-2024-26130 fixed in version 42.0.4.
• https://github.com/llvm/llvm-project/blob/300425cea51ef566a4d38e57afd9a7ae8024a682/llvm/utils/git/requirements.txt#L23
  • CVE-2023-41040 already mentioned above; our scans say that this was fixed in version 3.1.37.
• https://github.com/llvm/llvm-project/blob/300425cea51ef566a4d38e57afd9a7ae8024a682/third-party/benchmark/requirements.txt#L2
  • CVE-2023-29824 fixed in version 1.8.0.
  • This says "NOTE: the vendor and discoverer indicate that this is not a security issue.", but our scans complain anyways.