diff --git a/docs/licenses/dictdiffer.txt b/docs/licenses/dictdiffer.txt
deleted file mode 100644
index f1f1a91a07..0000000000
--- a/docs/licenses/dictdiffer.txt
+++ /dev/null
@@ -1,28 +0,0 @@
-Dictdiffer is free software; you can redistribute it and/or modify it
-under the terms of the MIT License quoted below.
-
-Copyright (C) 2013 Fatih Erikli.
-Copyright (C) 2013, 2014 CERN.
-
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-In applying this license, CERN does not waive the privileges and
-immunities granted to it by virtue of its status as an
-Intergovernmental Organization or submit itself to any jurisdiction.
diff --git a/docs/licenses/pyhamcrest.txt b/docs/licenses/pyhamcrest.txt
deleted file mode 100644
index 0bea089e5c..0000000000
--- a/docs/licenses/pyhamcrest.txt
+++ /dev/null
@@ -1,27 +0,0 @@
-BSD License
-
-Copyright 2011 hamcrest.org
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-Redistributions of source code must retain the above copyright notice, this list of
-conditions and the following disclaimer. Redistributions in binary form must reproduce
-the above copyright notice, this list of conditions and the following disclaimer in
-the documentation and/or other materials provided with the distribution.
-
-Neither the name of Hamcrest nor the names of its contributors may be used to endorse
-or promote products derived from this software without specific prior written
-permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
-EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
-SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
-INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
-TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
-WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
-DAMAGE.
diff --git a/docs/licenses/python-ldap.txt b/docs/licenses/python-ldap.txt
index 0aa20b4ea0..cece5f74cb 100644
--- a/docs/licenses/python-ldap.txt
+++ b/docs/licenses/python-ldap.txt
@@ -1,3 +1,63 @@
+The MIT License applies to contributions committed after July 1st, 2021, and
+to all contributions by the following authors:
+
+* A. Karl Kornel
+* Alex Willmer
+* Aymeric Augustin
+* Bernhard M. Wiedemann
+* Bradley Baetz
+* Christian Heimes
+* Éloi Rivard
+* Eyal Cherevatzki
+* Florian Best
+* Fred Thomsen
+* Ivan A. Melnikov
+* johnthagen
+* Jonathon Reinhart
+* Jon Dufresne
+* Martin Basti
+* Marti Raudsepp
+* Miro Hrončok
+* Paul Aurich
+* Petr Viktorin
+* Pieterjan De Potter
+* Raphaël Barrois
+* Robert Kuska
+* Stanislav Láznička
+* Tobias Bräutigam
+* Tom van Dijk
+* Wentao Han
+* William Brown
+
+
+-------------------------------------------------------------------------------
+
+MIT License
+
+Copyright (c) 2021 python-ldap contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+
+
+
+Previous license:
 The python-ldap package is distributed under Python-style license.
diff --git a/docs/licenses/ruamel-yaml.txt b/docs/licenses/ruamel-yaml.txt
deleted file mode 100644
index 787621c742..0000000000
--- a/docs/licenses/ruamel-yaml.txt
+++ /dev/null
@@ -1,21 +0,0 @@
- The MIT License (MIT)
-
- Copyright (c) 2014-2019 Anthon van der Neut, Ruamel bvba
-
- Permission is hereby granted, free of charge, to any person obtaining a copy
- of this software and associated documentation files (the "Software"), to deal
- in the Software without restriction, including without limitation the rights
- to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- copies of the Software, and to permit persons to whom the Software is
- furnished to do so, subject to the following conditions:
-
- The above copyright notice and this permission notice shall be included in
- all copies or substantial portions of the Software.
-
- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- SOFTWARE.
diff --git a/docs/licenses/twisted.txt b/docs/licenses/twisted.txt
index 255b2dae79..0a1dd5572f 100644
--- a/docs/licenses/twisted.txt
+++ b/docs/licenses/twisted.txt
@@ -1,4 +1,4 @@ -Copyright (c) 2001-2016 +Copyright (c) 2001-2022 Allen Short Amber Hawkie Brown Andrew Bennetts
@@ -10,6 +10,7 @@ Benjamin Bruheim Bob Ippolito Canonical Limited Christopher Armstrong +Ciena Corporation David Reid Divmod Inc. Donovan Preston
@@ -44,8 +45,10 @@ Sean Riley Software Freedom Conservancy Tavendo GmbH Thijs Triemstra +Thomas Grainger Thomas Herve Timothy Allen +Tom Most Tom Prince Travis B. Hartwell
diff --git a/requirements/README.md b/requirements/README.md
index 0f5f48f1b6..d98557aa58 100644
--- a/requirements/README.md
+++ b/requirements/README.md
@@ -16,12 +16,6 @@ then run the script:
 NOTE: `./updater.sh` uses /usr/bin/python3.6, to match the current python version (3.6) used to build releases.
-##### Note - watch out for the updater script, using paths local to your machine instead of generalized paths; ie
-```bash
- # via -r /awx_devel/requirements/requirements.in <-RIGHT
- # via -r /home/foo/bar/awx/requirements/requirements.in <-WRONG
-```
-
 #### Upgrading Unpinned Dependency
 If you require a new version of a dependency that does not have a pinned version
diff --git a/requirements/requirements.in b/requirements/requirements.in
index 9b54685a3a..7e0c50de3c 100644
--- a/requirements/requirements.in
+++ b/requirements/requirements.in
@@ -5,7 +5,7 @@ autobahn>=20.12.3 # CVE-2020-35678
 azure-keyvault==1.1.0 # see UPGRADE BLOCKERs
 channels
 channels-redis>=3.1.0 # https://github.com/django/channels_redis/issues/212
-cryptography>=35.0.0
+cryptography>=36.0.2,<37.0.0 # Until paramiko fixes https://github.com/paramiko/paramiko/issues/2038 we don't want to go to 37 or we end up with blowfish warnings in the job output
 Cython<3 # Since the bump to PyYAML 5.4.1 this is now a mandatory dep
 daphne
 distro
@@ -30,8 +30,9 @@ irc
 jinja2>=2.11.3 # CVE-2020-28493
 JSON-log-formatter
 jsonschema
+kubernetes>=12.0.0 # CVE-2020-1747
 Markdown # used for formatting API help
-openshift>=0.11.0 # minimum version to pull in new pyyaml for CVE-2017-18342
+openshift>=0.12.0 # minimum version to pull in new pyyaml for CVE-2017-18342, minimum version to pull in new kubernetes for CVE-2020-1747
 pexpect==4.7.0 # see library notes
 prometheus_client
 psycopg2
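Review bot: `cryptography>=36.0.2,<37.0.0` adds an upper bound whose only stated reason is a deprecation warning in job output (the paramiko issue the comment cites), so every later cryptography release — including ones that exist mainly to pick up OpenSSL security fixes — is now blocked by a cosmetic concern. If the cap has to stay for now, mark it the way this file marks other stuck pins so it is revisited rather than forgotten, e.g. `cryptography>=36.0.2,<37.0.0 # UPGRADE BLOCKER: paramiko emits blowfish warnings with cryptography 37 (https://github.com/paramiko/paramiko/issues/2038); drop the <37 cap once paramiko is bumped`. Consider also whether filtering that specific warning where jobs run would let the cap go immediately. In the second hunk, `kubernetes>=12.0.0 # CVE-2020-1747` cites a PyYAML vulnerability (unsafe `full_load`, fixed in PyYAML 5.3.1) rather than a kubernetes-client one, which will send anyone auditing the pins looking for an advisory that does not exist; since `pyyaml>=5.4.1` is already pinned directly further down, say what the floor is really for: `kubernetes>=12.0.0 # CVE-2020-1747 is in PyYAML; this floor keeps the client's pyyaml requirement compatible with our pyyaml>=5.4.1 pin`.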
@@ -41,7 +42,7 @@ pyparsing
 python3-saml==1.13.0
 python-dsv-sdk
 python-tss-sdk==1.0.0
-python-ldap>=3.3.1 # https://github.com/python-ldap/python-ldap/issues/270
+python-ldap>=3.4.0 # https://github.com/ansible/awx/security/dependabot/20
 pyyaml>=5.4.1 # minimum to fix https://github.com/yaml/pyyaml/issues/478
 receptorctl==1.1.1
 schedule==0.6.0
@@ -49,10 +50,11 @@ social-auth-core==4.2.0 # see UPGRADE BLOCKERs
 social-auth-app-django==5.0.0 # see UPGRADE BLOCKERs
 redis
 requests
+sqlparse>=0.4.2 # Required by Django, pinning for CVE-2021-32839
 slack-sdk
 tacacs_plus==1.0 # UPGRADE BLOCKER: auth does not work with later versions
 twilio
-twisted[tls]>=20.3.0 # CVE-2020-10108, CVE-2020-10109
+twisted[tls]>=22.4.0 # CVE-2020-10108, CVE-2020-10109, CVE-2022-21712 (https://github.com/ansible/awx/security/dependabot/46), https://github.com/ansible/awx/security/dependabot/53
 uWSGI
 uwsgitop
 wheel
diff --git a/requirements/requirements.txt b/requirements/requirements.txt
index 5017e04318..c4857bb559 100644
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@@ -82,8 +82,6 @@ defusedxml==0.6.0 # via # python3-openid # social-auth-core -dictdiffer==0.8.1 - # via openshift distro==1.5.0 # via -r /awx_devel/requirements/requirements.in django==3.2.13
@@ -153,7 +151,7 @@ idna==2.9 # requests # twisted # yarl -incremental==17.5.0 +incremental==21.3.0 # via twisted irc==18.0.0 # via -r /awx_devel/requirements/requirements.in
@@ -179,15 +177,15 @@ jaraco-text==3.2.0 # irc # jaraco-collections jinja2==3.0.3 - # via - # -r /awx_devel/requirements/requirements.in - # openshift + # via -r /awx_devel/requirements/requirements.in json-log-formatter==0.3.0 # via -r /awx_devel/requirements/requirements.in jsonschema==3.2.0 # via -r /awx_devel/requirements/requirements.in -kubernetes==11.0.0 - # via openshift +kubernetes==23.3.0 + # via + # -r /awx_devel/requirements/requirements.in + # openshift lockfile==0.12.2 # via python-daemon lxml==4.7.0
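Review bot: The `twisted[tls]>=22.4.0` line justifies the new floor partly with `https://github.com/ansible/awx/security/dependabot/53`, a Dependabot alert URL that only repository admins can open, so a downstream packager or future maintainer auditing these pins cannot tell which advisory it stands for or whether 22.4.0 actually closes it (presumably the HTTP request-smuggling fix, CVE-2022-24801, but that should not have to be guessed); `dependabot/46` is at least paired with CVE-2022-21712. Replace private alert links with the public identifier shown in the alert, keeping the alert link in parentheses if it is useful internally, e.g. `twisted[tls]>=22.4.0 # CVE-2020-10108, CVE-2020-10109, CVE-2022-21712, CVE-2022-24801 (dependabot/46, dependabot/53)`; the same applies to `python-ldap>=3.4.0 # https://github.com/ansible/awx/security/dependabot/20` in the previous hunk. `sqlparse>=0.4.2 # Required by Django, pinning for CVE-2021-32839` is fine, though it is a floor rather than a pin; `# floor for CVE-2021-32839 (transitive via Django)` says exactly what it does.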
@@ -223,7 +221,7 @@ oauthlib==3.2.0 # django-oauth-toolkit # requests-oauthlib # social-auth-core -openshift==0.11.0 +openshift==0.13.1 # via -r /awx_devel/requirements/requirements.in packaging==21.3 # via
@@ -260,8 +258,6 @@ pycparser==2.20 # via cffi pygerduty==0.38.2 # via -r /awx_devel/requirements/requirements.in -pyhamcrest==2.0.2 - # via twisted pyjwt==2.3.0 # via # adal
@@ -286,7 +282,7 @@ python-dateutil==2.8.1 # receptorctl python-dsv-sdk==0.0.1 # via -r /awx_devel/requirements/requirements.in -python-ldap==3.3.1 +python-ldap==3.4.0 # via # -r /awx_devel/requirements/requirements.in # django-auth-ldap
@@ -338,8 +334,6 @@ requests-oauthlib==1.3.1 # social-auth-core rsa==4.7.2 # via google-auth -ruamel-yaml==0.16.10 - # via openshift schedule==0.6.0 # via -r /awx_devel/requirements/requirements.in semantic-version==2.9.0
@@ -382,8 +376,10 @@ social-auth-core==4.2.0 # via # -r /awx_devel/requirements/requirements.in # social-auth-app-django -sqlparse==0.3.1 - # via django +sqlparse==0.4.2 + # via + # -r /awx_devel/requirements/requirements.in + # django tacacs-plus==1.0 # via -r /awx_devel/requirements/requirements.in tempora==2.1.0
@@ -394,7 +390,7 @@ tomli==2.0.1 # via setuptools-scm twilio==6.37.0 # via -r /awx_devel/requirements/requirements.in -twisted[tls]==20.3.0 +twisted[tls]==22.4.0 # via # -r /awx_devel/requirements/requirements.in # daphne
@@ -404,6 +400,7 @@ typing-extensions==3.10.0.2 # via # aiohttp # setuptools-rust + # twisted urllib3==1.26.5 # via # kubernetes
diff --git a/requirements/requirements_dev.txt b/requirements/requirements_dev.txt
index bea1e88dc2..0b1d2279ef 100644
--- a/requirements/requirements_dev.txt
+++ b/requirements/requirements_dev.txt
@@ -1,7 +1,7 @@
 django-debug-toolbar==3.2.4
 django-rest-swagger
 # pprofile - re-add once https://github.com/vpelletier/pprofile/issues/41 is addressed
-ipython==7.21.0
+ipython>=7.31.1 # https://github.com/ansible/awx/security/dependabot/30
 unittest2
 black
 pytest!=7.0.0
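Review bot: `ipython>=7.31.1 # https://github.com/ansible/awx/security/dependabot/30` in the requirements_dev.txt hunk cites only a private Dependabot alert, so the reason for the floor cannot be verified by anyone without admin access to this repository. 7.31.1 is the release that fixed CVE-2022-21699 (IPython executing startup files found in the current working directory), which is presumably what the alert covers, so name it: `ipython>=7.31.1 # CVE-2022-21699 (https://github.com/ansible/awx/security/dependabot/30)`. Note also that this turns an exact pin (`==7.21.0`) into an open-ended floor while the same file keeps `django-debug-toolbar==3.2.4` exact; if the dev environment is meant to be reproducible, `ipython==7.31.1` preserves that property and still satisfies the advisory.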
diff --git a/requirements/updater.sh b/requirements/updater.sh
index 01f6000d2c..9f61376214 100755
--- a/requirements/updater.sh
+++ b/requirements/updater.sh
@@ -32,6 +32,7 @@ generate_requirements() {
 }
 main() {
+ base_dir=$(pwd)
 _tmp="$(mktemp -d --suffix .awx-requirements XXXX -p /tmp)"
 trap _cleanup INT TERM EXIT
@@ -44,7 +45,8 @@ main() {
 generate_requirements
- cp -vf requirements.txt "${requirements}"
+ echo "Changing $base_dir to /awx_devel/requirements"
+ cat requirements.txt | sed "s:$base_dir:/awx_devel/requirements:" > "${requirements}"
 _cleanup
 }
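Review bot: `sed "s:$base_dir:/awx_devel/requirements:"` interpolates the working directory into a sed expression unescaped, so a checkout path containing `:` breaks the command outright and regex metacharacters such as `.` or `[` match more than the literal path; because the value is the developer's own cwd this is a robustness problem rather than an injection vector, but the failure mode is a silently wrong requirements.txt being committed. Escape the path before substituting, e.g. `escaped_dir=$(printf '%s' "$base_dir" | sed 's/[][\\.*^$:]/\\&/g')` followed by `sed "s:${escaped_dir}:/awx_devel/requirements:" requirements.txt > "${requirements}"`, which also drops the `cat |` stage. `base_dir=$(pwd)` in the previous hunk records the caller's cwd rather than the script's own directory, so the rewrite presumably only matches when the script is launched from requirements/ as the README's `./updater.sh` shows; `base_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)` would make it independent of where it is invoked from. The body of main() continues outside both hunks.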