
Updated poetry.lock

All threads resolved!

Updated poetry.lock but pipeline is still failing due to outdated anyio version. Either update anyio in pyproject.toml or ignore the issue.

Edited by Wernle, Alexandra Nicole

Activity

  • Wernle, Alexandra Nicole changed the description

    • Resolved by Erin (Josh) Rigler

      Anyio is not specifically listed in our pyproject.toml, and we should avoid adding it if we can, since we don't use it directly.

      If we update pyproject.toml to require httpx 0.26.0, anyio should update to the latest 4.X version (which should fix the vulnerability).

      What I'm not sure about is how updating httpx will impact our back-end. The httpx package seems to only be used in login.py to pull user information from the Gitlab API, and seems pretty straightforward, but we should probably test this carefully before deploying to production.

      I'm going to loop @nshavers into this MR because 1) he has some recent experience with login.py, 2) he should be able to easily test on his local stack, and 3) @awernle is preparing to go on leave for a somewhat extended period.

      This should be an easy fix, but given its capacity to break the backend, I want to be extra sure everything is tested prior to deployment.

  • After re-evaluating the vulnerability, it has been determined to be irrelevant to the geomag-algorithms project, and ignorable.

    1. We haven't had any 'thread race' related crashing issues.
    2. Further inspection shows the function in question _eventloop.get_asynclib is not used directly or indirectly by the dependencies FastAPI, HTTPX, and Watchfiles.

    Proof

    1. git clone https://github.com/samuelcolvin/watchfiles.git
    2. git clone https://github.com/tiangolo/fastapi.git
    3. git clone https://github.com/encode/starlette.git
    4. git clone https://github.com/encode/httpx.git

    Searching for the method in the repositories (should return empty - shows method is never called)

    1. grep -r "_eventloop.get_asynclib" watchfiles/
    2. grep -r "_eventloop.get_asynclib" fastapi/
    3. grep -r "_eventloop.get_asynclib" starlette/
    4. grep -r "_eventloop.get_asynclib" httpx/

    Searching for AnyIO imports in the repositories (will return something - shows AnyIO is used)

    1. grep -r "import anyio" watchfiles/
    2. grep -r "import anyio" fastapi/
    3. grep -r "import anyio" starlette/
    4. grep -r "import anyio" httpx/

    End of Proof

    Vulnerability Details

    1. Found in AnyIO Version 3.7.1
    2. Vulnerability ID: 71199
    3. Affected Specification: <4.4.0
    4. Advisory: AnyIO version 4.4.0 addresses a thread race condition in _eventloop.get_asynclib() that caused crashes when multiple event loops were involved.
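    The triage the comment above performs by hand (clone each dependency, grep for the vulnerable call, grep for AnyIO imports), as an added Python example that is not part of this MR or of the geomag-algorithms project. It runs both searches over constructed stand-in source trees written to a temporary directory, and it generalises the literal grep slightly by matching a bare get_asynclib name as well as the qualified _eventloop.get_asynclib form; the tree layouts, file contents and the hypothetical_app tree are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Broader than the MR's literal grep string: also matches a bare get_asynclib()
# call made after the name was imported directly from the _eventloop module.
SYMBOL_RE = re.compile(r"\bget_asynclib\b")
ANYIO_IMPORT_RE = re.compile(r"^\s*(?:import anyio\b|from anyio\b)", re.MULTILINE)


def scan_tree(root):
    """Return (files referencing the symbol, files importing anyio) under root."""
    root = Path(root)
    callers, importers = [], []
    for path in root.rglob("*.py"):
        text = path.read_text(encoding="utf-8", errors="replace")
        rel = path.relative_to(root).as_posix()
        if SYMBOL_RE.search(text):
            callers.append(rel)
        if ANYIO_IMPORT_RE.search(text):
            importers.append(rel)
    return sorted(callers), sorted(importers)


def triage(repos):
    """repos maps name -> checkout path; a tree is exposed only if it references the symbol."""
    report = {}
    for name, root in repos.items():
        callers, importers = scan_tree(root)
        report[name] = {"uses_anyio": bool(importers), "exposed": bool(callers), "callers": callers}
    return report


def build_sample_repos(base):
    """Constructed stand-ins (not the real project sources): four trees that import
    anyio without touching the symbol, plus one hypothetical application that does."""
    files = {
        "httpx/httpx/_transports/asgi.py": "import anyio\n\nasync def run():\n    await anyio.sleep(0)\n",
        "starlette/starlette/concurrency.py": "from anyio import to_thread\n",
        "fastapi/fastapi/concurrency.py": "from anyio import CapacityLimiter\n",
        "watchfiles/watchfiles/run.py": "import anyio\n",
        "hypothetical_app/app.py": "from anyio import _eventloop  # constructed\nlib = _eventloop.get_asynclib()\n",
    }
    for rel, src in files.items():
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(src, encoding="utf-8")
    return {rel.split("/")[0]: Path(base) / rel.split("/")[0] for rel in files}


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_repos(tmp))
```

    In the report, "uses_anyio" being true while "exposed" is false is exactly the outcome the comment relies on: the dependency pulls in AnyIO but never reaches the function named in the advisory.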
  • added 1 commit

    • 44fbd5a3 - Ignoring vulnerability 71199 as _eventloop.get_asynclib is not used directly...

    Compare with previous version

  • Erin (Josh) Rigler approved this merge request

  • Erin (Josh) Rigler resolved all threads

  • Erin (Josh) Rigler marked this merge request as ready

  • mentioned in commit 92ef240a
