From 46b874f18b69fc1596c48fd76455c4794bcd986b Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 8 Nov 2024 13:52:52 -0500 Subject: [PATCH 1/3] Bump up the lower bound on ansible-core This is being done because the pip-audit pre-commit hook identifies a vulnerability in ansible-core version 2.16.13. Note that this requires that we bump up ansible to version 10 since all versions of ansible 9 have a dependency on ~=2.16.X. --- requirements-test.txt | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/requirements-test.txt b/requirements-test.txt index d680733..a69eb44 100644 --- a/requirements-test.txt +++ b/requirements-test.txt 
@@ -9,20 +9,27 @@ # as using the dnf package manager, and version 8 is currently the # oldest supported version. # -# We have tested against version 9. We want to avoid automatically +# Version 10 is required because the pip-audit pre-commit hook +# identifies a vulnerability in ansible-core 2.16.13, but all versions +# of ansible 9 have a dependency on ~=2.16.X. +# +# We have tested against version 10. We want to avoid automatically # jumping to another major version without testing, since there are # often breaking changes across major versions. This is the reason # for the upper bound. -ansible>=9,<10 +ansible>=10,<11 # ansible-core 2.16.3 through 2.16.6 suffer from the bug discussed in # ansible/ansible#82702, which breaks any symlinked files in vars, # tasks, etc. for any Ansible role installed via ansible-galaxy. # Hence we never want to install those versions. # +# Note that the pip-audit pre-commit hook identifies a vulnerability +# in ansible-core 2.16.13. +# # Note that any changes made to this dependency must also be made in # requirements.txt in cisagov/skeleton-packer and # .pre-commit-config.yaml in cisagov/skeleton-generic. -ansible-core>=2.16.7 +ansible-core>2.16.13 # With the release of molecule v5 there were some breaking changes so # we need to pin at v5 or newer. However, v5.0.0 had an internal # dependency issue so we must use the bugfix release as the actual From b5a06b436c453c90c4a75989bd8537a9f33b8303 Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Wed, 13 Nov 2024 21:27:59 -0500 Subject: [PATCH 2/3] Adjust pin for ansible-core The pin of ansible-core was originally put in place because the pip-audit pre-commit hook identifies a vulnerability in ansible-core 2.16.13. Normally we would pin ansible-core accordingly (>2.16.13), but the earlier pin of ansible>=10 effectively pins ansible-core to >=2.17 so that's what we do here. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- requirements-test.txt | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/requirements-test.txt b/requirements-test.txt index a69eb44..3ca64f1 100644 --- a/requirements-test.txt +++ b/requirements-test.txt @@ -24,12 +24,14 @@ ansible>=10,<11 # Hence we never want to install those versions. # # Note that the pip-audit pre-commit hook identifies a vulnerability -# in ansible-core 2.16.13. +# in ansible-core 2.16.13. Normally we would pin ansible-core +# accordingly (>2.16.13), but the above pin of ansible>=10 effectively +# pins ansible-core to >=2.17 so that's what we do here. # # Note that any changes made to this dependency must also be made in # requirements.txt in cisagov/skeleton-packer and # .pre-commit-config.yaml in cisagov/skeleton-generic. -ansible-core>2.16.13 +ansible-core>=2.17 # With the release of molecule v5 there were some breaking changes so # we need to pin at v5 or newer. However, v5.0.0 had an internal # dependency issue so we must use the bugfix release as the actual From 38081fd03487edae5cc53259e3986773440edadb Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Wed, 20 Nov 2024 12:46:30 -0500 Subject: [PATCH 3/3] Add comments about looming EOL issues for ansible and ansible-core This adds even more evidence for why it is a good idea to go ahead and upgrade ansible and ansible-core, in addition to the vulnerability that pip-audit turned up. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- requirements-test.txt | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/requirements-test.txt b/requirements-test.txt index 3ca64f1..f62e440 100644 --- a/requirements-test.txt +++ b/requirements-test.txt @@ -13,6 +13,10 @@ # identifies a vulnerability in ansible-core 2.16.13, but all versions # of ansible 9 have a dependency on ~=2.16.X. # +# It is also a good idea to go ahead and upgrade to version 10 since +# version 9 is going EOL at the end of November: +# https://endoflife.date/ansible +# # We have tested against version 10. We want to avoid automatically # jumping to another major version without testing, since there are # often breaking changes across major versions. This is the reason @@ -28,6 +32,10 @@ ansible>=10,<11 # accordingly (>2.16.13), but the above pin of ansible>=10 effectively # pins ansible-core to >=2.17 so that's what we do here. # +# It is also a good idea to go ahead and upgrade to ansible-core 2.17 +# since security support for ansible-core 2.16 ends this month: +# https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix +# # Note that any changes made to this dependency must also be made in # requirements.txt in cisagov/skeleton-packer and # .pre-commit-config.yaml in cisagov/skeleton-generic.
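Review bot: in the PATCH 1/3 hunk of requirements-test.txt, the new bound `ansible-core>2.16.13` overlaps awkwardly with the `ansible>=10,<11` pin introduced in the same hunk, which (per the commit message) already forces ansible-core onto the 2.17 series; as written the two lines can disagree, since a hypothetical 2.16.14 would satisfy the ansible-core line but never be installable under the ansible line. PATCH 2/3 in this series corrects that to `ansible-core>=2.17`, so consider squashing the two commits so the inconsistent intermediate state never lands on the branch. Separately, the pip-audit finding is now mentioned in both comment blocks of this hunk without the advisory identifier that pip-audit printed (it is not shown anywhere in this diff); recording that identifier next to the bound would let a future reader verify when the constraint can be relaxed instead of re-running the audit.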
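Review bot: in the PATCH 2/3 hunk, `ansible-core>=2.17` carries no upper bound, so the only thing keeping ansible-core on the tested 2.17 series is the indirect `ansible>=10,<11` constraint above it; the added comment documents that coupling, but if someone later relaxes the ansible pin this line will silently float to untested ansible-core releases, which is exactly the "jumping to another major version without testing" the file's own comments say it wants to avoid. Consider `ansible-core>=2.17,<2.18`, mirroring the style of the ansible line, or at least a reciprocal comment on the ansible line noting that the ansible-core bound depends on it. The retained paragraph about `ansible/ansible#82702` in 2.16.3 through 2.16.6 is now unreachable under `>=2.17`; it is harmless as history but could be trimmed to keep the block focused.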
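Review bot: both comments added in PATCH 3/3 (the `@@ -13,6 +13,10 @@` hunk's "going EOL at the end of November" and the `@@ -28,6 +32,10 @@` hunk's "security support for ansible-core 2.16 ends this month") use relative dates that lose their meaning the moment the file is read in a different month; the commit date (20 Nov 2024) fixes what was intended, so spell it out as "end of November 2024" and "November 2024" respectively. The two links are the right references, but note the docs.ansible.com URL points at the `devel` branch of the documentation, whose support matrix will keep changing, so the absolute date in the comment is what makes the claim checkable later.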