From 766e53dfb4ba07022046ea30eff60e1f1b357869 Mon Sep 17 00:00:00 2001 From: Alexander Hughes Date: Wed, 10 Jun 2020 09:22:28 -0400 Subject: [PATCH] Update safety check for Python dependencies This patch: 1. Updates the `tox -e safety` command to run the Safety tool [0] against both the Pegleg requirements.txt and the doc/requirements.txt file used only when `tox -e docs` is run. 2. Updates doc/requirements.txt with pinned dependencies so that Safety can check those dependencies. At the time of this patch it is expected for the non-voting Safety gate to fail, because the Promenade version used by Pegleg requires an insecure version of kubernetes, 3.0.0. This version of Kubernetes is impacted by [1] due to the urllib version being used. [0] https://pypi.org/project/safety/ [1] https://nvd.nist.gov/vuln/detail/CVE-2018-20060 Change-Id: I64fb4b1ae7c2814ad0ae11222bf8be531d4f40a5 Signed-off-by: Alexander Hughes --- doc/requirements.txt | 10 +++++----- tox.ini | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/doc/requirements.txt b/doc/requirements.txt index 3958ea11..0d1f8577 100644 --- a/doc/requirements.txt +++ b/doc/requirements.txt @@ -3,12 +3,12 @@ # process, which may cause wedges in the gate later. # Documentation -sphinx>2.1.0 -oslosphinx>=4.7.0 # Apache-2.0 -sphinx_rtd_theme +sphinx==3.1.0 +oslosphinx==4.18.0 # Apache-2.0 +sphinx_rtd_theme==0.4.3 # UML image generation -plantuml +plantuml==0.3.0 # Releasenotes -reno>=2.5.0 # Apache-2.0 +reno==3.1.0 # Apache-2.0 diff --git a/tox.ini b/tox.ini index a28c37ee..0d08e006 100644 --- a/tox.ini +++ b/tox.ini @@ -67,7 +67,7 @@ deps = safety commands = pipenv check - safety check -r {toxinidir}/doc/requirements.txt --full-report + safety check -r {toxinidir}/requirements.txt -r {toxinidir}/doc/requirements.txt --full-report [testenv:cover] basepython = python3
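Review bot: the new `==` pins in doc/requirements.txt carry no comment saying why they are exact, while the context line just above the hunk (`# process, which may cause wedges in the gate later.`) reads as a warning against changes to this file; a later contributor is likely to relax `sphinx==3.1.0` and friends back to `>=` and silently drop them out of the Safety scan again, since Safety only reports on a version it can resolve from the file. Suggest a one-line comment above the `# Documentation` block, e.g. `# Pinned exactly so that 'tox -e safety' can check these (see tox.ini)`, and a note that exact pins of doc tooling now have to be bumped when an advisory lands for the pinned version.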
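Review bot: `safety check -r ...` inspects only the pinned lines in the files passed with `-r`; it does not resolve transitive dependencies, so the insecure kubernetes 3.0.0 that the commit message says is pulled in via Promenade will be reported only if kubernetes is itself pinned in requirements.txt. If the intent is to cover the whole installed set, consider also running `safety check` without `-r` inside the tox environment (it then scans the installed packages), or keep `pipenv check` as the transitive check and say so in a comment next to the `commands =` block. The commit message also states the non-voting gate is expected to fail after this change; a TODO comment in tox.ini pointing at the Promenade/kubernetes pin would keep that expected failure visible rather than teaching reviewers to ignore a red Safety job.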