TMMA-509: Improve security of Python packaging tool; Update Python pa…

…ckaging tool
MRCIEU · Sep 10, 2024 · 83b2253 · 83b2253
1 parent cde74b7
commit 83b2253
Show file tree

Hide file tree

Showing 6 changed files with 21 additions and 18 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,6 @@
+9.8.1   TMMA-509: Improve security of Python packaging tool
+        Update Python packaging tool
+
 9.8.0   Updated Django to 4.2.16 and updated other libraries
         Removed old Bitbucket IPs
         Update deployments for RHEL8 and apachectl compatibility

diff --git a/deploy/Dockerfile b/deploy/Dockerfile
@@ -1,12 +1,12 @@
-FROM python:3.8.19-slim
+FROM python:3.8.20-slim
 
 ENV PYTHONDONTWRITEBYTECODE=1
 ENV PYTHONUNBUFFERED=1
 ENV PIP_VERSION='24.2'
-ENV SETUPTOOLS_VERSION='72.2.0'
+ENV SETUPTOOLS_VERSION='74.1.2'
 ENV PIP_TOOLS_VERSION='7.4.1'
 # NB: Version 15.1.0 is installed on RHEL
-ENV VE_VERSION='20.26.3'
+ENV VE_VERSION='20.26.4'
 
 # Update system packages and install dependencies
 RUN apt update -y && \
@@ -49,6 +49,6 @@ VOLUME [ "/srv" ]
 
 ARG REQUIREMENTS_FILE='requirements.txt'
 COPY requirements/$REQUIREMENTS_FILE /srv
-RUN pip install --no-deps -r /srv/$REQUIREMENTS_FILE
+RUN pip install --no-deps --require-hashes -r /srv/$REQUIREMENTS_FILE
 
 CMD [ "pip", "check" ]
diff --git a/deploy/fabfile.py b/deploy/fabfile.py
@@ -19,7 +19,7 @@
 # Tools not handled by pip-tools and/or requirements installs using pip
 # Also update pip version in tests/build-test-env.sh and Dockerfile
 PIP_VERSION = '24.2'
-SETUPTOOLS_VERSION = '72.2.0'
+SETUPTOOLS_VERSION = '74.1.2'
 PIP_TOOLS_VERSION = '7.4.1'
 
 
@@ -112,7 +112,7 @@ def make_virtualenv(env="dev", configure_apache=False, clone_repo=False, branch=
             caller('./bin/pip3 install -U setuptools==%s' % SETUPTOOLS_VERSION)
             caller('./bin/pip3 install pip-tools==%s' % PIP_TOOLS_VERSION)
             # Fix TMMA-456 - Resolve issue on Debian systems where dependencies loosely pinned upstream but correctly pinned overall in our requirements file causes builds to fail
-            caller('./bin/pip3 install --no-deps -r src/temmpo/requirements/%s.txt' % requirements)
+            caller('./bin/pip3 install --no-deps --require-hashes -r src/temmpo/requirements/%s.txt' % requirements)
             caller('./bin/pip3 freeze')
 
             # # Regenerate all pyc files

diff --git a/requirements/dev.txt b/requirements/dev.txt
@@ -332,9 +332,9 @@ django-rq==2.10.2 \
     --hash=sha256:5fe340e071c141a23ea0859df73c48b0a3df33a851835b2a8f8c4fca7a8b1849 \
     --hash=sha256:d1690b6a409934a0ea23c208ccb00d69477899f8edc61106ce5395c19dcdfb1e
     # via -r requirements/test.txt
-django-upgrade==1.20.0 \
-    --hash=sha256:47aa2133972b600a8d935bab8d58d69b2e426bfc985d4c4f4c2fefecd754dd88 \
-    --hash=sha256:938afa1a531399a12904eb71ffacad0c997ddbe0c45ec38bc0883a1cdcfd99ef
+django-upgrade==1.21.0 \
+    --hash=sha256:a0a7b11d5108fb2d3038cea2382c1332c9be4ff5059a38357fbd28116ebf3803 \
+    --hash=sha256:e65021029e7d18b407bd128a8ccb31e5e06685068b37b6b1eaf2f77aa3d3df98
     # via -r requirements/dev.in
 easyprocess==1.1 \
     --hash=sha256:82eed523a0a5eb12a81fa4eacd9f342caeb3f900eb4b798740e6696ad07e63f9 \
@@ -626,9 +626,9 @@ matplotlib-inline==0.1.7 \
     --hash=sha256:8423b23ec666be3d16e16b60bdd8ac4e86e840ebd1dd11a30b9f117f2fa0ab90 \
     --hash=sha256:df192d39a4ff8f21b1895d72e6a13f5fcc5099f00fa84384e0ea28c2cc0653ca
     # via ipython
-more-itertools==10.4.0 \
-    --hash=sha256:0f7d9f83a0a8dcfa8a2694a770590d98a67ea943e3d9f5298309a484758c4e27 \
-    --hash=sha256:fe0e63c4ab068eac62410ab05cccca2dc71ec44ba8ef29916a0090df061cf923
+more-itertools==10.5.0 \
+    --hash=sha256:037b0d3203ce90cca8ab1defbbdac29d5f993fc20131f3664dc8d6acfa872aef \
+    --hash=sha256:5482bfef7849c25dc3c6dd53a6173ae4795da2a41a80faea6700d9f5846c5da6
     # via -r requirements/test.txt
 mss==9.0.2 \
     --hash=sha256:685fa442cc96d8d88b4eb7aadbcccca7b858e789c9259b603e1ef0e435b60425 \

diff --git a/requirements/requirements.txt b/requirements/requirements.txt
@@ -356,9 +356,9 @@ lxml==5.3.0 \
     --hash=sha256:f914c03e6a31deb632e2daa881fe198461f4d06e57ac3d0e05bbcab8eae01945 \
     --hash=sha256:fb66442c2546446944437df74379e9cf9e9db353e61301d1a0e26482f43f0dd8
     # via -r requirements/requirements.in
-more-itertools==10.4.0 \
-    --hash=sha256:0f7d9f83a0a8dcfa8a2694a770590d98a67ea943e3d9f5298309a484758c4e27 \
-    --hash=sha256:fe0e63c4ab068eac62410ab05cccca2dc71ec44ba8ef29916a0090df061cf923
+more-itertools==10.5.0 \
+    --hash=sha256:037b0d3203ce90cca8ab1defbbdac29d5f993fc20131f3664dc8d6acfa872aef \
+    --hash=sha256:5482bfef7849c25dc3c6dd53a6173ae4795da2a41a80faea6700d9f5846c5da6
     # via -r requirements/requirements.in
 mysql-connector-python==8.4.0 \
     --hash=sha256:085024bf12d15f9b428938fdbeb50bd9b15dda9c4d3a474e6df061cb08713e6a \

diff --git a/requirements/test.txt b/requirements/test.txt
@@ -575,9 +575,9 @@ lxml==5.3.0 \
     --hash=sha256:f914c03e6a31deb632e2daa881fe198461f4d06e57ac3d0e05bbcab8eae01945 \
     --hash=sha256:fb66442c2546446944437df74379e9cf9e9db353e61301d1a0e26482f43f0dd8
     # via -r requirements/requirements.txt
-more-itertools==10.4.0 \
-    --hash=sha256:0f7d9f83a0a8dcfa8a2694a770590d98a67ea943e3d9f5298309a484758c4e27 \
-    --hash=sha256:fe0e63c4ab068eac62410ab05cccca2dc71ec44ba8ef29916a0090df061cf923
+more-itertools==10.5.0 \
+    --hash=sha256:037b0d3203ce90cca8ab1defbbdac29d5f993fc20131f3664dc8d6acfa872aef \
+    --hash=sha256:5482bfef7849c25dc3c6dd53a6173ae4795da2a41a80faea6700d9f5846c5da6
     # via -r requirements/requirements.txt
 mss==9.0.2 \
     --hash=sha256:685fa442cc96d8d88b4eb7aadbcccca7b858e789c9259b603e1ef0e435b60425 \