chore: update cryptography to >= 42.0.5 #27249
Conversation
@@ -81,7 +81,7 @@ def get_git_sha() -> str: | |||
"croniter>=0.3.28", | |||
"cron-descriptor", | |||
# snowflake-connector-python as of 3.7.0 doesn't support >=42.* therefore lowering the min to 41.0.2 | |||
"cryptography>=41.0.2, <43.0.0", | |||
"cryptography>=42.0.5, <43.0.0", |
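Review bot: the comment left unchanged directly above the modified line still says snowflake-connector-python as of 3.7.0 doesn't support >=42.* and that the minimum was lowered to 41.0.2, which now contradicts the new `"cryptography>=42.0.5, <43.0.0"` pin; either update or remove that comment in the same change, and confirm that the snowflake-connector-python constraint actually admits cryptography 42.x before raising the floor, otherwise dependency resolution for that extra will fail.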
We need to keep this at 41.0.2 because there are extra dependencies that collide with it. Use base.in instead.
You mean to roll back the changes and only add the 42.0.5 version in base.in instead for now, right?
Codecov Report: All modified and coverable lines are covered by tests ✅

Coverage Diff (master vs. #27249):

             master     #27249     +/-
Coverage     69.69%     69.57%     -0.12%
Files        1908       1908
Lines        74530      74530
Branches     8309       8309
Hits         51942      51856      -86
Misses       20535      20621      +86
Partials     2053       2053
This is being done here: #27281. Snowflake just updated and released.
cryptography 42.0.4 also has no findings (CVE scan), and it is already in master.
SUMMARY
cryptography has some high CVE findings which are fixed in newer versions.
To fix this, the min version in setup.py should be updated to the latest version (42.0.5):
CVE-2024-26130 (CVSS 7.5)
CVE-2023-50782 (CVSS 7.5)
CVE-2024-0727 (CVSS 5.5)
CVE-2023-49083 (CVSS 5.9)
(and some low-severity ones)
BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
TESTING INSTRUCTIONS
Open the final build software and check that cryptography 41.0.5 (or newer) is included.
ADDITIONAL INFORMATION