Security/fix vulnerabilities (#72)

* Updated dependencies Incl. openapi-python-client which required additional changes. Incl. #29 Nox task for adding transitive dependencies into main pyproject.toml * Fixed review findings
exasol · Jul 4, 2024 · 0612829 · 0612829
1 parent 9b74483
commit 0612829
Show file tree

Hide file tree

Showing 19 changed files with 393 additions and 284 deletions.
diff --git a/doc/changes/unreleased.md b/doc/changes/unreleased.md
@@ -1,7 +1,15 @@
 # Unreleased
 
+This release fixes vulnerabilities by updating dependencies.
+
+## Security
+
+* Fixed vulnerabilities by updating dependencies
+  * Vulnerability CVE-2024-21503 in transitive dependency via `exasol-toolbox` to `black` in versions below `24.3.0`
+
 ## Refactorings
 
 * #68: Update to Python 3.10
 * #70: Optimized logging
 * n/a: Changed schedule checking if open api is outdated to 2 am
+* #29: Enhanced nox task generate-api to add transitive dependencies into main `pyproject.toml`
diff --git a/exasol/saas/client/openapi/models/connection_i_ps.py b/exasol/saas/client/openapi/models/connection_i_ps.py
diff --git a/exasol/saas/client/openapi/models/create_database.py b/exasol/saas/client/openapi/models/create_database.py
diff --git a/exasol/saas/client/openapi/models/create_extension_instance.py b/exasol/saas/client/openapi/models/create_extension_instance.py
diff --git a/exasol/saas/client/openapi/models/database.py b/exasol/saas/client/openapi/models/database.py
diff --git a/exasol/saas/client/openapi/models/database_integrations_item.py b/exasol/saas/client/openapi/models/database_integrations_item.py
diff --git a/exasol/saas/client/openapi/models/extension.py b/exasol/saas/client/openapi/models/extension.py
diff --git a/exasol/saas/client/openapi/models/extension_detail.py b/exasol/saas/client/openapi/models/extension_detail.py
diff --git a/exasol/saas/client/openapi/models/file.py b/exasol/saas/client/openapi/models/file.py
diff --git a/exasol/saas/client/openapi/models/patch_user_databases.py b/exasol/saas/client/openapi/models/patch_user_databases.py
diff --git a/exasol/saas/client/openapi/models/update_database.py b/exasol/saas/client/openapi/models/update_database.py
diff --git a/exasol/saas/client/openapi/models/usage.py b/exasol/saas/client/openapi/models/usage.py
diff --git a/exasol/saas/client/openapi/models/usage_additional_property_item.py b/exasol/saas/client/openapi/models/usage_additional_property_item.py
diff --git a/exasol/saas/client/openapi/models/user.py b/exasol/saas/client/openapi/models/user.py
diff --git a/noxfile.py b/noxfile.py
@@ -1,9 +1,13 @@
 import json
 import os
 import nox
+import re
 import requests
+import shutil
+import toml # type: ignore
 
 from datetime import datetime, timezone
+from typing import List
 from pathlib import Path
 from nox import Session
 from noxconfig import PROJECT_CONFIG
@@ -15,6 +19,9 @@
 # default actions to be run if nothing is explicitly specified with the -s option
 nox.options.sessions = ["fix"]
 
+# destination folder for the generated open api client code
+DEST_DIR = "exasol/saas/client/openapi"
+
 
 def _download_openapi_json() -> Path:
     url = f"{SAAS_HOST}/openapi.json"
@@ -31,6 +38,20 @@ def _download_openapi_json() -> Path:
     return file
 
 
+def dependencies(filename: str) -> List[str]:
+    def unlimit_max(lib, version):
+      version_spec = re.sub(r",.*$", "", version)
+      return f"{lib}@{version_spec}"
+
+    with open(filename, "r") as stream:
+        _toml = toml.load(stream)
+    return [
+        unlimit_max(lib, version)
+        for lib, version in _toml["tool"]["poetry"]["dependencies"].items()
+        if lib != "python"
+    ]
+
+
 @nox.session(name="generate-api", python=False)
 def generate_api(session: Session):
     """
@@ -43,16 +64,22 @@ def generate_api(session: Session):
     https://docs.github.com/en/actions/learn-github-actions/variables.
     #default-environment-variables.
     """
-    silent = "CI" not in os.environ
+    local_build = "CI" not in os.environ
     filename = _download_openapi_json()
     session.run(
         "openapi-python-client",
-        "update",
+        "generate",
         "--path", str(filename),
         "--config", "openapi_config.yml",
-        silent=silent,
+        "--output-path", "tmp",
+        silent=local_build,
     )
-    session.run("isort", "-q", "exasol/saas/client/openapi")
+    shutil.rmtree(DEST_DIR)
+    shutil.move("tmp/generated", DEST_DIR)
+    if local_build:
+        session.run("poetry", "add", *dependencies("tmp/pyproject.toml"))
+    shutil.rmtree("tmp")
+    session.run("isort", "-q", DEST_DIR)
 
 
 @nox.session(name="check-api-outdated", python=False)
@@ -61,7 +88,7 @@ def check_api_outdated(session: Session):
     Generate API and run git diff to verify if API is out-dated.
     """
     generate_api(session)
-    session.run("git", "diff", "--exit-code", "exasol/saas/client/openapi")
+    session.run("git", "diff", "--exit-code", DEST_DIR)
 
 
 @nox.session(name="get-project-short-tag", python=False)

diff --git a/openapi.json b/openapi.json
@@ -6,7 +6,7 @@
         "version": "1.0",
         "download": {
             "source": "https://cloud.exasol.com/openapi.json",
-            "timestamp": "2024-06-06T11:49:51.200508+00:00"
+            "timestamp": "2024-07-03T14:36:30.377504+00:00"
         }
     },
     "servers": [

diff --git a/openapi_config.yml b/openapi_config.yml
@@ -1,3 +1,2 @@
-project_name_override: "exasol"
-package_name_override: saas/client/openapi
+project_name_override: "generated"
 post_hooks: []