scalyr / scalyr-agent-2

The source code for Scalyr Agent 2, the daemon process Scalyr customers run on their servers to collect metrics and logs.
Apache License 2.0
70 stars, 60 forks

Packages updated to fix vulnerabilities. #1173

Closed. alesnovak-s1 closed this 1 year ago

alesnovak-s1 commented 1 year ago

https://sentinelone.atlassian.net/browse/DTIN-2974

- requests==2.31.0 - in order to get certifi==2023.7.22
- docker==6.1.3 - version compatible with the new requests
- pysnmp==4.4.12 - in order to fix the pycrypto vulnerability

All effective changes:

2,3c2,3
< charset-normalizer==2.1.1
< docker==6.0.0
---
> charset-normalizer==3.2.0
> docker==6.1.3
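Review bot: charset-normalizer crosses a major version here (2.1.1 to 3.2.0) while the description only justifies the docker bump ("version compatible with the new requests"); add a line saying why charset-normalizer 3.x is needed, given that requests 2.31.0 accepts both the 2.x and 3.x series, so a later reader can tell a required bump from an incidental one.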
4a5,6
> lz4==4.0.2
> orjson==3.8.0
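Review bot: lz4 and orjson are brand-new pins (and zstandard is added at the end of the same diff), yet none of the three is mentioned in the description, which lists only requests, docker and pysnmp; say why they enter the image, or, if they are only there to satisfy a transitive requirement, say that, since unexplained new top-level dependencies are exactly what a supply-chain review has to question.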
10c12
< pycrypto==2.6.1
---
> pycryptodomex==3.18.0
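Review bot: pycrypto to pycryptodomex is a package swap, not a version bump: pycryptodomex installs the `Cryptodome` top-level package, not the `Crypto` package that pycrypto provided, so any `import Crypto` or `from Crypto import ...` left in the agent or a monitor will fail at runtime rather than at install time; grep the tree for `Crypto` imports before merging, or pin `pycryptodome` instead if a drop-in `Crypto` namespace is what is wanted.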
13c15
< pysnmp==4.3.0
---
> pysnmp==4.4.12
17c19
< requests==2.28.1
---
> requests==2.31.0
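Review bot: the description says this bump is made "in order to get certifi==2023.7.22", but certifi appears nowhere in the diff and requests only requires `certifi>=2017.4.17`, so an older certifi already present in the image would satisfy the resolver; pin `certifi==2023.7.22` explicitly if the updated CA bundle is the goal.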
21c23
< urllib3==1.26.16
---
> urllib3==2.0.4
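Review bot: 1.26.16 to 2.0.4 is a major bump with breaking changes: urllib3 2.x supports only Python 3.7+, refuses to import unless the interpreter is linked against OpenSSL 1.1.1 or newer, and removes `Retry(method_whitelist=...)` in favour of `allowed_methods`; since the thread below notes the agent still supports Python 2.7 through the vendored copies, confirm that this requirements file is only ever installed into the Python 3 Docker image and that the image's base OpenSSL is new enough, otherwise stay on 1.26.x.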
22a25
> zstandard==0.19.0
github-actions[bot] commented 1 year ago

Test Results

28 files ±0    28 suites ±0    49m 31s (-5s)
1 447 tests ±0    1 422 passed ±0    25 skipped ±0    0 failed ±0
9 760 runs ±0     9 467 passed ±0    293 skipped ±0    0 failed ±0

Results for commit a87079ad. ± Comparison against base commit 6acff3c1.

This comment has been updated with the latest results.

codecov[bot] commented 1 year ago

Codecov Report

Merging #1173 (a87079a) into master (6acff3c) will decrease coverage by 0.10%. The diff coverage is 33.33%.

Note: the current head a87079a differs from the pull request's most recent head 70c3aee. Consider uploading reports for commit 70c3aee to get more accurate results.


@@            Coverage Diff             @@
##           master    #1173      +/-   ##
==========================================
- Coverage   81.30%   81.20%   -0.10%     
==========================================
  Files         173      173              
  Lines       41867    41869       +2     
  Branches     4682     4682              
==========================================
- Hits        34037    33996      -41     
- Misses       6627     6657      +30     
- Partials     1203     1216      +13     
Files Changed                                            Coverage Δ
...end_to_end_tests/run_in_remote_machine/__init__.py   0.00% <0.00%> (ø)
tests/unit/scalyr_client_test.py                        99.42% <100.00%> (ø)

... and 9 files with indirect coverage changes

tomaz-s1 commented 1 year ago

@alesnovak-s1 As you are probably aware, this will only affect dependencies inside the Docker images, but not the dependencies we vendor with the artifacts (rpm, deb, and also the directory we include inside the Docker image) - https://github.com/scalyr/scalyr-agent-2/tree/master/scalyr_agent/third_party

In the past, we didn't want to / couldn't update vendored / bundled dependencies, since we still support Python 2.7 and we couldn't update them.

One thing we need to do is to verify that the actual Docker images use dependencies from this requirements file and not the ones bundled inside the scalyr_agent/ directory - we need to verify this with the Docker image. I forget the exact priority, since the agent does PYTHONPATH manipulation to ensure the dependencies in scalyr_agent/third_party are actually being used.

tomaz-s1 commented 1 year ago

My comment above can be partially ignored.

I confirm that recent Docker images don't bundle / vendor dependencies from third_party_* directory anymore (except tcollector) so we should be fine here.

root@25babb35531c:/# ls -la /usr/share/scalyr-agent-2/py/scalyr_agent/third_party*
total 16
drwxr-xr-x 3 root root 4096 Aug 14 14:18 .
drwxr-xr-x 1 root root 4096 Aug 14 14:50 ..
drwxr-xr-x 4 root root 4096 Aug 14 14:18 tcollector
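Added example, not code from scalyr-agent-2 or this PR: a small Python audit that does mechanically the check tomaz-s1 describes above. For each `name==version` pin it reports which version the interpreter actually resolves and whether the import lands in a vendored directory such as scalyr_agent/third_party (which PYTHONPATH manipulation can place ahead of site-packages) instead of the copy this requirements file installs. Run it inside the image with the requirements file as its argument. Assumptions not taken from the PR: pins are plain `name==version` lines, a vendored copy is recognised purely by a `third_party` path component, and the distribution-to-import-name map only covers the packages named in the diff above.

```python
"""Report which copy of each pinned dependency this interpreter would import.

Added example; not code from scalyr-agent-2. Flags two problems per pin: an
installed version that differs from the pin, and an import that resolves to a
vendored directory (e.g. scalyr_agent/third_party) that shadows site-packages.
"""
from __future__ import annotations

import importlib
import importlib.metadata
import re
import sys
from dataclasses import dataclass, field
from pathlib import PurePath
from typing import Callable, Optional

# Distribution name -> top-level import name, where the two differ. Assumption:
# only packages named in the diff are covered. Note that pycryptodomex installs
# `Cryptodome`, not the `Crypto` package that pycrypto provided.
IMPORT_NAMES = {
    "pycryptodomex": "Cryptodome",
    "pycrypto": "Crypto",
    "charset-normalizer": "charset_normalizer",
}

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([A-Za-z0-9][A-Za-z0-9._+!-]*)$")

# The pins visible in the diff above (a subset of the real requirements file).
SAMPLE_PINS = """\
charset-normalizer==3.2.0
docker==6.1.3
lz4==4.0.2
orjson==3.8.0
pycryptodomex==3.18.0
pysnmp==4.4.12
requests==2.31.0
urllib3==2.0.4
zstandard==0.19.0
"""


@dataclass
class DepReport:
    name: str
    pinned: str
    installed: Optional[str] = None
    module_file: Optional[str] = None
    problems: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_pins(text: str) -> dict[str, str]:
    """Parse `name==version` lines; blank lines and comments are skipped."""
    pins: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unsupported requirement line: {raw!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


def import_name(dist_name: str) -> str:
    key = dist_name.lower()
    return IMPORT_NAMES.get(key, key.replace("-", "_"))


def installed_version(dist_name: str) -> Optional[str]:
    """Version of an installed distribution, or None if it is not installed."""
    try:
        return importlib.metadata.version(dist_name)
    except importlib.metadata.PackageNotFoundError:
        return None


def audit(pins: dict[str, str], vendored_markers: tuple[str, ...] = ("third_party",), *,
          importer: Callable[[str], object] = importlib.import_module,
          version_of: Callable[[str], Optional[str]] = installed_version) -> list[DepReport]:
    """Check every pin. `importer` and `version_of` are injectable so the logic
    can be exercised against a fake environment; defaults use this interpreter."""
    reports = []
    for name, pinned in pins.items():
        rep = DepReport(name=name, pinned=pinned)
        rep.installed = version_of(name)
        if rep.installed is None:
            rep.problems.append("not installed")
        elif rep.installed != pinned:
            rep.problems.append(f"installed {rep.installed} != pinned {pinned}")
        try:
            mod = importer(import_name(name))
        except ImportError as exc:
            rep.problems.append(f"import failed: {exc}")
        else:
            rep.module_file = getattr(mod, "__file__", None)  # None for namespace packages
            parts = PurePath(rep.module_file).parts if rep.module_file else ()
            if any(marker in parts for marker in vendored_markers):
                rep.problems.append(f"shadowed by vendored copy at {rep.module_file}")
        reports.append(rep)
    return reports


if __name__ == "__main__":
    # Inside the image: python audit_pins.py /path/to/requirements.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PINS
    results = audit(parse_pins(text))
    for r in results:
        print(f"{'OK ' if r.ok else 'BAD'} {r.name}=={r.pinned} installed={r.installed} file={r.module_file}")
        for p in r.problems:
            print(f"      - {p}")
    sys.exit(1 if any(not r.ok for r in results) else 0)
```

A non-zero exit on any BAD line makes this usable as an image build check; the injectable `importer`/`version_of` hooks exist only so the shadowing logic can be tested without the real packages present.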