py3-cassandra-medusa: Use python packages from wolfi when available

ci-cve-scan currently fails with the errors below[*]. This is a result of us installing pinned versions of dependencies from PyPI. We could instead install these packages from wolfi, and we'll get the latest fixes. Everything this package needs is available in wolfi except for the parallel-ssh, ssh2 and ssh, which were removed in commit a5e4968. Perhaps we should also resurrect those and "multi-version" them as py3.11-only. [*] ├── 📄 /home/cassandra/.venv/lib/python3.11/site-packages/pip/_vendor/vendor.txt │ 📦 certifi 2023.7.22 (python) │ Low CVE-2024-39689 GHSA-248v-346w-9cwc fixed in 2024.07.04 │ 📦 idna 3.4 (python) │ Medium CVE-2024-3651 GHSA-jjg7-2v4v-x38h fixed in 3.7 │ 📦 requests 2.31.0 (python) │ Medium CVE-2024-35195 GHSA-9wx4-h78v-vm56 fixed in 2.32.0 │ 📦 setuptools 68.0.0 (python) │ High CVE-2024-6345 GHSA-cx63-2mw6-8hw5 fixed in 70.0.0 │ 📦 urllib3 1.26.17 (python) │ Medium CVE-2024-37891 GHSA-34jh-p97f-mpxf fixed in 1.26.19 │ Medium CVE-2023-45803 GHSA-g4mx-q9vg-27p4 fixed in 1.26.18 ├── 📄 /home/cassandra/.venv/lib/python3.11/site-packages/virtualenv/seed/wheels/embed/setuptools-68.0.0-py3-none-any.whl │ 📦 setuptools 68.0.0 (python) │ High CVE-2024-6345 GHSA-cx63-2mw6-8hw5 fixed in 70.0.0 └── 📄 /home/cassandra/.venv/lib/python3.11/site-packages/virtualenv/seed/wheels/embed/setuptools-69.5.1-py3-none-any.whl 📦 setuptools 69.5.1 (python) High CVE-2024-6345 GHSA-cx63-2mw6-8hw5 fixed in 70.0.0 Signed-off-by: dann frazier <[email protected]>
dannf · Dec 22, 2024 · e87a04f · e87a04f
1 parent 703d49e
commit e87a04f
Showing 1 changed file with 34 additions and 24 deletions.
diff --git a/py3-cassandra-medusa.yaml b/py3-cassandra-medusa.yaml
@@ -11,7 +11,29 @@ package:
     no-depends: true
   dependencies:
     runtime:
-      - py${{vars.py-version}}-poetry
+      - py${{vars.py-version}}-aiohttp
+      - py${{vars.py-version}}-azure-identity
+      - py${{vars.py-version}}-azure-storage-blob
+      - py${{vars.py-version}}-boto3
+      - py${{vars.py-version}}-cassandra-driver
+      - py${{vars.py-version}}-click
+      - py${{vars.py-version}}-click-aliases
+      - py${{vars.py-version}}-certifi
+      - py${{vars.py-version}}-cryptography
+      - py${{vars.py-version}}-datadog
+      - py${{vars.py-version}}-dnspython
+      - py${{vars.py-version}}-ffwd
+      - py${{vars.py-version}}-gcloud-aio-storage
+      - py${{vars.py-version}}-gevent
+      - py${{vars.py-version}}-grpcio
+      - py${{vars.py-version}}-grpcio-health-checking
+      - py${{vars.py-version}}-idna
+      - py${{vars.py-version}}-psutil
+      - py${{vars.py-version}}-pyopenssl
+      - py${{vars.py-version}}-requests
+      - py${{vars.py-version}}-retrying
+      - py${{vars.py-version}}-urllib3
+      - py${{vars.py-version}}-pyyaml
 
 vars:
   py-version: 3.11
@@ -22,7 +44,7 @@ environment:
       - build-base
       - ca-certificates-bundle
       - py${{vars.py-version}}-build-base-dev
-      - py${{vars.py-version}}-poetry-bin
+      - py${{vars.py-version}}-poetry
       - wolfi-base
 
 pipeline:
@@ -33,36 +55,24 @@ pipeline:
       expected-commit: 6202aca6e4c2859d2ad601571571a774df7bebc8
 
   - name: Python Build
-    runs: |
-      poetry add "aiohttp==3.10.11"
-      poetry add "certifi==2024.7.4"
-      poetry add "dnspython==2.6.1"
-      poetry add "idna==3.7"
-      poetry add "pyOpenSSL@^24.0.0"
-      poetry add "cryptography@^43.0.1"
-      # CVE-2024-35195: requests
-      poetry add "requests@^2.23.0"
-      # GHSA-m5vv-6r4h-3vj9: azure-identity
-      poetry add "azure-identity==1.16.1"
-      # GHSA-34jh-p97f-mpxf: urllib3
-      poetry add "urllib3==1.26.19"
-      poetry run pip freeze | grep -v cassandra-medusa > requirements.txt
-      POETRY_VIRTUALENVS_IN_PROJECT=true poetry install
-      poetry build
+    uses: py/pip-build-install
+    with:
+      python: python${{vars.py-version}}
 
   - runs: |
       # Setup the virtualenv
       python${{vars.py-version}} -m venv .venv --system-site-packages
-      # Bump pip to patch a CVE
-      .venv/bin/pip${{vars.py-version}} install --upgrade pip==24.0 setuptools==70.0.0
 
-  - runs: |
-      .venv/bin/pip${{vars.py-version}} install -I -r requirements.txt --no-compile
-      .venv/bin/pip${{vars.py-version}} install -I --no-compile dist/*.whl
+  - name: Install deps from PyPI that aren't currently packaged in wolfi
+    runs: |
+      .venv/bin/pip${{vars.py-version}} install -I parallel-ssh --no-compile --no-deps
+      .venv/bin/pip${{vars.py-version}} install -I ssh2-python --no-compile --no-deps
+      .venv/bin/pip${{vars.py-version}} install -I ssh-python --no-compile --no-deps
+      .venv/bin/pip${{vars.py-version}} install -I .wheels/${{vars.py-version}}/*.whl --no-compile --no-deps
 
   - runs: |
       # python-snappy is required to run medusa using $MEDUSA_MODE=GRPC.
-      .venv/bin/pip${{vars.py-version}} install -I python-snappy --no-compile
+      .venv/bin/pip${{vars.py-version}} install -I python-snappy --no-compile --no-deps
 
   - runs: |
       mkdir -p ${{targets.destdir}}/home/cassandra