Merge pull request #11 from alan-turing-institute/iss10_fix

package dependency updates
alan-turing-institute · Apr 18, 2024 · 7a836c9 · 7a836c9
2 parents 92e0d1c + 92b4c7a
commit 7a836c9
Show file tree

Hide file tree

Showing 9 changed files with 1,048 additions and 788 deletions.
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -8,7 +8,6 @@ on:
     branches:
       - main
 
-
 ###############
 # Set the Job #
 ###############
@@ -36,7 +35,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v4
         with:
-          python-version: "3.7"
+          python-version: "3.8"
 
       - name: Bootstrap poetry
         shell: bash
@@ -57,10 +56,16 @@ jobs:
           path: .venv
           key: venv-${{ runner.os }}-${{ steps.full-python-version.outputs.version }}-${{ hashFiles('**/poetry.lock') }}
 
+      - name: Check poetry.lock consistency
+        shell: bash
+        run: poetry check --lock
+
       - name: Install dependencies
         shell: bash
         run: |
           python -m poetry install
 
       - name: Pre-Commit
         uses: pre-commit/action@v2.0.3
+        env:
+          SAFETY_API_KEY: ${{ secrets.SAFETY_API_KEY }}
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -36,7 +36,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v4
         with:
-          python-version: "3.7"
+          python-version: "3.8"
 
       - name: Bootstrap poetry
         shell: bash

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -23,7 +23,7 @@ repos:
     - id: safety
       name: Safety
       # Ignore pip vulnerability
-      entry: poetry run safety check --full-report -i 40291 -i 40622 -i 42559 -i 42218
+      entry: poetry run safety --stage cicd scan --policy-file .safety-policy.yml
       pass_filenames: false
       language: system
     - id: mypy

diff --git a/.safety-policy.yml b/.safety-policy.yml
@@ -0,0 +1,47 @@
+version: '3.0'
+
+scanning-settings:
+  max-depth: 6
+  exclude: []
+  include-files: []
+  system:
+    targets: []
+
+
+report:
+  dependency-vulnerabilities:
+    enabled: true
+    auto-ignore-in-report:
+      python:
+        environment-results: true
+        unpinned-requirements: true
+      cvss-severity: []
+      vulnerabilities:
+        64459:
+            reason: Python wide vulnerability.
+            expires: '2024-12-12'
+        64396:
+            reason: Python wide vulnerability.
+            expires: '2024-12-12'
+        67599:
+            reason: Only applies if using private package repo.
+            expires: '2026-04-17'
+
+
+fail-scan-with-exit-code:
+  dependency-vulnerabilities:
+    enabled: true
+    fail-on-any-of:
+      cvss-severity:
+        - critical
+        - high
+        - medium
+      exploitability:
+        - critical
+        - high
+        - medium
+
+security-updates:
+  dependency-vulnerabilities:
+    auto-security-updates-limit:
+      - patch
diff --git a/README.md b/README.md
@@ -16,11 +16,21 @@ poetry install
 ```
 
 ### Pre-commit
+
 Run to make CI-tests pass
 ```bash
 poetry run pre-commit run --all-files
 ```
 
+Note: `SAFETY_API_KEY` environment variable needs to be set to run
+the pre-commit hooks. Create an account with the [Safety package](https://platform.safetycli.com/)
+and then navigate to Organization > API keys to fetch the key. Once
+the key has been obtained, set the variable in your terminal using:
+
+```bash
+export SAFETY_API_KEY=your-api-key
+```
+
 ## Examples
 See [examples/app.py](examples/app.py) for a simple example.
 

diff --git a/fastapimsal/auth_routes.py b/fastapimsal/auth_routes.py
@@ -1,6 +1,7 @@
 """
 Add routes to a FastAPI application to handle OAuth
 """
+
 import logging
 from typing import Dict, List, Optional
 

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,29 +1,30 @@
 [tool.poetry]
 name = "fastapimsal"
-version = "0.4.8"
+version = "0.4.9"
 description = "Library to authenticate users using MSAL"
 authors = ["Oscar Giles <ogiles@turing.ac.uk>"]
 
 [tool.poetry.dependencies]
-python = "^3.7"
+python = "^3.8"
 pydantic = "^1.8.1"
 python-jose = {extras = ["cryptography"], version = "^3.2.0"}
 msal = "^1.10.0"
 itsdangerous = "^1.1.0"
 httpx = "^0.23"
 async_lru = "^1.0.2"
-fastapi = "^0.95.0"
+fastapi = "^0.110.1"
 uvicorn = {version = "^0.17.6", extras = ["standard"]}
 
 [tool.poetry.dev-dependencies]
-black = "^22.3.0"
+black = "^24.4.0"
 pytest = "^7.2"
 isort = "^5.8.0"
 pylint = "^2.7.2"
 flake8 = "^5"
 mypy = "^1.1.1"
 httpie-jwt-auth = "^0.4.0"
-safety = "^2.2.0"
+httpie = "3.2.1"  # addded to fix version to avoid SSL certificate vulnerability in 3.2.2
+safety = "^3.1.0"
 pre-commit = "^2.14.1"
 
 [build-system]

diff --git a/tests/test_frontend_auth.py b/tests/test_frontend_auth.py
@@ -20,7 +20,6 @@ def client_frontend(**kwargs) -> TestClient:
 def request_path(
     client: TestClient, path: str, method: str = "get", **kwargs: Any
 ) -> requests.Response:
-
     """Request giving the name of route function
 
     Args: