1. 26 Jan, 2022 2 commits
  2. 25 Jan, 2022 1 commit
    • Jérome Perrin's avatar
      check_software: fix warning on python2 · e6b637a2
      Jérome Perrin authored
      On python2, warnings.warn expects the message to be passed as a str
      and it will silently output nothing when the message is an unicode
      that can not be converted to str using ascii encoding (cf.
      https://bugs.python.org/issue34752 )
      
      Since october update of pyupio/safety-db there is a new vulnerability
      for pytest-runner, which is described as:
      
          "pytest-runner": [
              {
                  "advisory": "Pytest-runner depends on deprecated features of setuptools and relies on features that break security mechanisms in pip. For example \u2018setup_requires\u2019 and \u2018tests_require\u2019 bypass pip --require-hashes. See also pypa/setuptools#1684.\r\nIt is recommended that you:\r\n- Remove 'pytest-runner' from your setup_requires, preferably removing the setup_requires option.\r\n- Remove 'pytest' and any other testing requirements from tests_require, preferably removing the tests_requires option.\r\n- Select a tool to bootstrap and then run tests such as tox.",
                  "cve": "PVE-2021-43313",
                  "id": "pyup.io-43313",
                  "specs": [
                      ">0"
                  ],
                  "v": ">0"
              }
          ],
      
      notice the quotes:
      
          \u2018setup_requires\u2019 and \u2018tests_require\u2019
      
      this was sent to warnings.warn as unicode and because all our softwares
      have this vulnerability (that BTW do not impact us because we run
      buildout with a patch for setup_requires), we no longer saw any
      warning on python2 software release tests.
      e6b637a2
  3. 24 Jan, 2022 2 commits
    • Jérome Perrin's avatar
      check_software: check egg vulnerabilities for every used python versions · 3cb8a899
      Jérome Perrin authored
      pkg_resources.Environment only scans packages for the current python
      version, but the checked software might be using a different python
      version than the python version used to check software (the slapos
      python). The checked software might also include packages for
      multiples python versions.
      
      Compute the list used python packages from the eggs directory and use
      an Environment for each python version, this way we check all python
      versions and also when slapos python and software python are different.
      3cb8a899
    • Jérome Perrin's avatar
      check_software: fix indentation · f72f61db
      Jérome Perrin authored
      f72f61db
  4. 17 Jan, 2022 1 commit
    • Jérome Perrin's avatar
      check_software fixes · 79cc1ec0
      Jérome Perrin authored
       - only consider shared parts from checked software
       - support new `.buildout-shared.json` signature files
       - unit test coverage
      
      See merge request !361
      79cc1ec0
  5. 12 Jan, 2022 1 commit
  6. 11 Jan, 2022 6 commits
  7. 06 Jan, 2022 2 commits
  8. 29 Dec, 2021 25 commits