Updated dependencies to reduce issues with dependabot and container scanning (#12180)

Modify updater.sh to remove the local path references.
2026-01-11 01:57:35 -03:30 · 2022-05-12 09:25:36 -04:00 · 2022-05-12 09:25:36 -04:00 · 78660ad0a2
commit 78660ad0a2
parent 70697869d7
10 changed files with 88 additions and 106 deletions
--- a/docs/licenses/dictdiffer.txt
+++ b/docs/licenses/dictdiffer.txt
@ -1,28 +0,0 @@
-Dictdiffer is free software; you can redistribute it and/or modify it
-under the terms of the MIT License quoted below.
-
-Copyright (C) 2013 Fatih Erikli.
-Copyright (C) 2013, 2014 CERN.
-
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-In applying this license, CERN does not waive the privileges and
-immunities granted to it by virtue of its status as an
-Intergovernmental Organization or submit itself to any jurisdiction.
--- a/docs/licenses/pyhamcrest.txt
+++ b/docs/licenses/pyhamcrest.txt
@ -1,27 +0,0 @@
-BSD License
-
-Copyright 2011 hamcrest.org
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-Redistributions of source code must retain the above copyright notice, this list of
-conditions and the following disclaimer. Redistributions in binary form must reproduce
-the above copyright notice, this list of conditions and the following disclaimer in
-the documentation and/or other materials provided with the distribution.
-
-Neither the name of Hamcrest nor the names of its contributors may be used to endorse
-or promote products derived from this software without specific prior written
-permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
-EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
-SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
-INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
-TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
-WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
-DAMAGE.
--- a/docs/licenses/python-ldap.txt
+++ b/docs/licenses/python-ldap.txt
@ -1,3 +1,63 @@
+The MIT License applies to contributions committed after July 1st, 2021, and
+to all contributions by the following authors:
+
+* A. Karl Kornel
+* Alex Willmer
+* Aymeric Augustin
+* Bernhard M. Wiedemann
+* Bradley Baetz
+* Christian Heimes
+* Éloi Rivard
+* Eyal Cherevatzki
+* Florian Best
+* Fred Thomsen
+* Ivan A. Melnikov
+* johnthagen
+* Jonathon Reinhart
+* Jon Dufresne
+* Martin Basti
+* Marti Raudsepp
+* Miro Hrončok
+* Paul Aurich
+* Petr Viktorin
+* Pieterjan De Potter
+* Raphaël Barrois
+* Robert Kuska
+* Stanislav Láznička
+* Tobias Bräutigam
+* Tom van Dijk
+* Wentao Han
+* William Brown
+
+
+-------------------------------------------------------------------------------
+
+MIT License
+
+Copyright (c) 2021 python-ldap contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+
+
+
+Previous license:

 The python-ldap package is distributed under Python-style license.

--- a/docs/licenses/ruamel-yaml.txt
+++ b/docs/licenses/ruamel-yaml.txt
@ -1,21 +0,0 @@
- The MIT License (MIT)
-
- Copyright (c) 2014-2019 Anthon van der Neut, Ruamel bvba
-
- Permission is hereby granted, free of charge, to any person obtaining a copy
- of this software and associated documentation files (the "Software"), to deal
- in the Software without restriction, including without limitation the rights
- to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- copies of the Software, and to permit persons to whom the Software is
- furnished to do so, subject to the following conditions:
-
- The above copyright notice and this permission notice shall be included in
- all copies or substantial portions of the Software.
-
- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- SOFTWARE.
--- a/docs/licenses/twisted.txt
+++ b/docs/licenses/twisted.txt
@ -1,4 +1,4 @@
-Copyright (c) 2001-2016
+Copyright (c) 2001-2022
 Allen Short
 Amber Hawkie Brown
 Andrew Bennetts
@ -10,6 +10,7 @@ Benjamin Bruheim
 Bob Ippolito
 Canonical Limited
 Christopher Armstrong
+Ciena Corporation
 David Reid
 Divmod Inc.
 Donovan Preston
@ -44,8 +45,10 @@ Sean Riley
 Software Freedom Conservancy
 Tavendo GmbH
 Thijs Triemstra
+Thomas Grainger
 Thomas Herve
 Timothy Allen
+Tom Most
 Tom Prince
 Travis B. Hartwell

--- a/requirements/README.md
+++ b/requirements/README.md
@ -16,12 +16,6 @@ then run the script:
 NOTE: `./updater.sh` uses /usr/bin/python3.6, to match the current python version
 (3.6) used to build releases.

-##### Note - watch out for the updater script, using paths local to your machine instead of generalized paths; ie
-```bash
-    # via -r /awx_devel/requirements/requirements.in <-RIGHT
-    # via -r /home/foo/bar/awx/requirements/requirements.in <-WRONG
-```
-
 #### Upgrading Unpinned Dependency

 If you require a new version of a dependency that does not have a pinned version
--- a/requirements/requirements.in
+++ b/requirements/requirements.in
@ -5,7 +5,7 @@ autobahn>=20.12.3  # CVE-2020-35678
 azure-keyvault==1.1.0  # see UPGRADE BLOCKERs
 channels
 channels-redis>=3.1.0  # https://github.com/django/channels_redis/issues/212
-cryptography>=35.0.0
+cryptography>=36.0.2,<37.0.0 # Until paramiko fixes https://github.com/paramiko/paramiko/issues/2038 we don't want to go to 37 or we end up with blowfish warnings in the job output
 Cython<3 # Since the bump to PyYAML 5.4.1 this is now a mandatory dep
 daphne
 distro
@ -30,8 +30,9 @@ irc
 jinja2>=2.11.3  # CVE-2020-28493
 JSON-log-formatter
 jsonschema
+kubernetes>=12.0.0  # CVE-2020-1747
 Markdown  # used for formatting API help
-openshift>=0.11.0  # minimum version to pull in new pyyaml for CVE-2017-18342
+openshift>=0.12.0  # minimum version to pull in new pyyaml for CVE-2017-18342, minimum version to pull in new kubernetes for CVE-2020-1747
 pexpect==4.7.0 # see library notes
 prometheus_client
 psycopg2
@ -41,7 +42,7 @@ pyparsing
 python3-saml==1.13.0
 python-dsv-sdk
 python-tss-sdk==1.0.0
-python-ldap>=3.3.1 # https://github.com/python-ldap/python-ldap/issues/270
+python-ldap>=3.4.0 # https://github.com/ansible/awx/security/dependabot/20
 pyyaml>=5.4.1  # minimum to fix https://github.com/yaml/pyyaml/issues/478
 receptorctl==1.1.1
 schedule==0.6.0
@ -49,10 +50,11 @@ social-auth-core==4.2.0  # see UPGRADE BLOCKERs
 social-auth-app-django==5.0.0  # see UPGRADE BLOCKERs
 redis
 requests
+sqlparse>=0.4.2 # Required by Django, pinning for CVE-2021-32839
 slack-sdk
 tacacs_plus==1.0  # UPGRADE BLOCKER: auth does not work with later versions
 twilio
-twisted[tls]>=20.3.0  # CVE-2020-10108, CVE-2020-10109
+twisted[tls]>=22.4.0  # CVE-2020-10108, CVE-2020-10109, CVE-2022-21712 (https://github.com/ansible/awx/security/dependabot/46), https://github.com/ansible/awx/security/dependabot/53
 uWSGI
 uwsgitop
 wheel
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@ -82,8 +82,6 @@ defusedxml==0.6.0
    # via
    #   python3-openid
    #   social-auth-core
-dictdiffer==0.8.1
-    # via openshift
 distro==1.5.0
    # via -r /awx_devel/requirements/requirements.in
 django==3.2.13
@ -153,7 +151,7 @@ idna==2.9
    #   requests
    #   twisted
    #   yarl
-incremental==17.5.0
+incremental==21.3.0
    # via twisted
 irc==18.0.0
    # via -r /awx_devel/requirements/requirements.in
@ -179,15 +177,15 @@ jaraco-text==3.2.0
    #   irc
    #   jaraco-collections
 jinja2==3.0.3
-    # via
-    #   -r /awx_devel/requirements/requirements.in
-    #   openshift
+    # via -r /awx_devel/requirements/requirements.in
 json-log-formatter==0.3.0
    # via -r /awx_devel/requirements/requirements.in
 jsonschema==3.2.0
    # via -r /awx_devel/requirements/requirements.in
-kubernetes==11.0.0
-    # via openshift
+kubernetes==23.3.0
+    # via
+    #   -r /awx_devel/requirements/requirements.in
+    #   openshift
 lockfile==0.12.2
    # via python-daemon
 lxml==4.7.0
@ -223,7 +221,7 @@ oauthlib==3.2.0
    #   django-oauth-toolkit
    #   requests-oauthlib
    #   social-auth-core
-openshift==0.11.0
+openshift==0.13.1
    # via -r /awx_devel/requirements/requirements.in
 packaging==21.3
    # via
@ -260,8 +258,6 @@ pycparser==2.20
    # via cffi
 pygerduty==0.38.2
    # via -r /awx_devel/requirements/requirements.in
-pyhamcrest==2.0.2
-    # via twisted
 pyjwt==2.3.0
    # via
    #   adal
@ -286,7 +282,7 @@ python-dateutil==2.8.1
    #   receptorctl
 python-dsv-sdk==0.0.1
    # via -r /awx_devel/requirements/requirements.in
-python-ldap==3.3.1
+python-ldap==3.4.0
    # via
    #   -r /awx_devel/requirements/requirements.in
    #   django-auth-ldap
@ -338,8 +334,6 @@ requests-oauthlib==1.3.1
    #   social-auth-core
 rsa==4.7.2
    # via google-auth
-ruamel-yaml==0.16.10
-    # via openshift
 schedule==0.6.0
    # via -r /awx_devel/requirements/requirements.in
 semantic-version==2.9.0
@ -382,8 +376,10 @@ social-auth-core==4.2.0
    # via
    #   -r /awx_devel/requirements/requirements.in
    #   social-auth-app-django
-sqlparse==0.3.1
-    # via django
+sqlparse==0.4.2
+    # via
+    #   -r /awx_devel/requirements/requirements.in
+    #   django
 tacacs-plus==1.0
    # via -r /awx_devel/requirements/requirements.in
 tempora==2.1.0
@ -394,7 +390,7 @@ tomli==2.0.1
    # via setuptools-scm
 twilio==6.37.0
    # via -r /awx_devel/requirements/requirements.in
-twisted[tls]==20.3.0
+twisted[tls]==22.4.0
    # via
    #   -r /awx_devel/requirements/requirements.in
    #   daphne
@ -404,6 +400,7 @@ typing-extensions==3.10.0.2
    # via
    #   aiohttp
    #   setuptools-rust
+    #   twisted
 urllib3==1.26.5
    # via
    #   kubernetes
--- a/requirements/requirements_dev.txt
+++ b/requirements/requirements_dev.txt
@ -1,7 +1,7 @@
 django-debug-toolbar==3.2.4
 django-rest-swagger
 # pprofile - re-add once https://github.com/vpelletier/pprofile/issues/41 is addressed
-ipython==7.21.0
+ipython>=7.31.1 # https://github.com/ansible/awx/security/dependabot/30
 unittest2
 black
 pytest!=7.0.0
--- a/requirements/updater.sh
+++ b/requirements/updater.sh
@ -32,6 +32,7 @@ generate_requirements() {
 }

 main() {
+  base_dir=$(pwd)
  _tmp="$(mktemp -d --suffix .awx-requirements XXXX -p /tmp)"
  trap _cleanup INT TERM EXIT

@ -44,7 +45,8 @@ main() {

  generate_requirements

-  cp -vf requirements.txt "${requirements}"
+  echo "Changing $base_dir to /awx_devel/requirements"
+  cat requirements.txt | sed "s:$base_dir:/awx_devel/requirements:" > "${requirements}"

  _cleanup
 }