From 96eacd336dadfab3e4b40a434e18d2539d920fed Mon Sep 17 00:00:00 2001
From: snyk-bot
Date: Tue, 24 Sep 2024 04:15:49 +0000
Subject: [PATCH 1/4] fix: requirements.txt to reduce vulnerabilities

The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-DNSPYTHON-6241713
- https://snyk.io/vuln/SNYK-PYTHON-NLTK-7411380
- https://snyk.io/vuln/SNYK-PYTHON-ZIPP-7430899
---
 requirements.txt | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/requirements.txt b/requirements.txt
index 280a754..73b45dc 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,6 @@
 pymongo~=4.7.2
 requests~=2.32.2
-nltk~=3.8.1
-rapidfuzz~=3.9.3
\ No newline at end of file
+nltk~=3.8.2
+rapidfuzz~=3.9.3
+dnspython>=2.6.1 # not directly required, pinned by Snyk to avoid a vulnerability
+zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability
\ No newline at end of file

From 140167c7903337565733e5c01268b04ccd5b85bd Mon Sep 17 00:00:00 2001
From: ausmaster
Date: Mon, 23 Sep 2024 21:48:36 -0700
Subject: [PATCH 2/4] Bump NLTK to version 3.9.1 to fix CVE-2024-39705.

---
 requirements.txt | 2 +-
 vaultlib/config.py | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/requirements.txt b/requirements.txt
index 73b45dc..951fbed 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,6 +1,6 @@
 pymongo~=4.7.2
 requests~=2.32.2
-nltk~=3.8.2
+nltk~=3.9.1
 rapidfuzz~=3.9.3
 dnspython>=2.6.1 # not directly required, pinned by Snyk to avoid a vulnerability
 zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability
\ No newline at end of file
diff --git a/vaultlib/config.py b/vaultlib/config.py
index 45805e0..d0e415c 100644
--- a/vaultlib/config.py
+++ b/vaultlib/config.py
@@ -37,8 +37,8 @@ def __init__(self, config_path: str = "config.json") -> None:
         self.conn_retry_delay_mult: int = 3
         # Number of threads used to fetch API data
         self.fetch_threads: int = 3
-        # NLTK "Punkt" Pre-trained model URL
-        self.punkt_url: str = "punkt"
+        # NLTK "Punkt Tab" Pre-trained model URL
+        self.punkt_url: str = "punkt_tab"
 
         # All Config values from config.json are converted from camelCase to snake_case
         # overrides instance variable if exists

From c34d01ff0352f4a2df2b026b3f35a5ae537606b7 Mon Sep 17 00:00:00 2001
From: ausmaster
Date: Mon, 23 Sep 2024 21:52:42 -0700
Subject: [PATCH 3/4] Pylint.

---
 vaultlib/api.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/vaultlib/api.py b/vaultlib/api.py
index fc84323..d44db20 100644
--- a/vaultlib/api.py
+++ b/vaultlib/api.py
@@ -413,7 +413,7 @@ class NVDParallelAPICaller: # pylint: disable=R0902
     """
     Introduces parallelism for API calls to NVD.
     """
-    def __init__( # pylint: disable=R0913
+    def __init__( # pylint: disable=R0913,R0917
         self,
         delay: float,
         progress_callback: Callable[[int, int], None],

From 3df4700c8c69bfc436093659cc2d7471f131bff1 Mon Sep 17 00:00:00 2001
From: ausmaster
Date: Mon, 23 Sep 2024 21:53:55 -0700
Subject: [PATCH 4/4] Bump pymongo to 4.9.1

Bump Dockerfile python to 3.12.5
---
 Dockerfile | 2 +-
 requirements.txt | 6 ++----
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 7c10220..99ea06f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM python:3.12.3
+FROM python:3.12.5
 
 WORKDIR /usr/src/app
 
diff --git a/requirements.txt b/requirements.txt
index 951fbed..1199994 100644
--- a/requirements.txt
+++ b/requirements.txt
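Review bot: The added comment still describes `punkt_url` as a "Pre-trained model URL", but `"punkt_tab"` is the NLTK resource identifier handed to the downloader rather than a URL, and the attribute name now misleads in the same way; suggest `# NLTK tokenizer resource id passed to the NLTK downloader; "punkt_tab" replaces the pickle-based "punkt" package that nltk>=3.9 no longer loads`. The two comment lines that close the hunk say config.json values override these instance attributes, so a deployment whose config.json still sets the old value (presumably under a `punktUrl` key, given the camelCase rule) keeps requesting the pickle-based resource after this upgrade; the override code is outside the hunk, so this is inferred, but the migration deserves a sentence in the commit message. `__init__` starts and ends outside the hunk.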
@@ -1,6 +1,4 @@
-pymongo~=4.7.2
+pymongo~=4.9.1
 requests~=2.32.2
 nltk~=3.9.1
-rapidfuzz~=3.9.3
-dnspython>=2.6.1 # not directly required, pinned by Snyk to avoid a vulnerability
-zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability
\ No newline at end of file
+rapidfuzz~=3.9.3
\ No newline at end of file
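Review bot: The hunk removes the `dnspython>=2.6.1` and `zipp>=3.19.1` floors that PATCH 1/4 of this series added for SNYK-PYTHON-DNSPYTHON-6241713 and SNYK-PYTHON-ZIPP-7430899, while the commit message only mentions the pymongo bump, so the transitive-dependency fix is silently reverted four commits later. Unless the bumped pymongo and nltk releases no longer pull those packages in at all — nothing in the series states that — the two lines should stay, or the message should explain why dropping them is safe. The file also still ends without a trailing newline on both sides (`\ No newline at end of file`), which turns every later append into a needless two-line diff; worth fixing while the file is being edited.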