Upgrade configobj library to > 5.0.8 #4632

Closed
Rebits opened this issue Oct 20, 2023 · 3 comments · Fixed by #4803

Rebits commented Oct 20, 2023

Description

Regarding https://github.com/wazuh/wazuh-jenkins/issues/5724#issuecomment-1771170116, due to a vulnerability detected in the configobj library prior to 1.11.0, it needs to be updated to a version later than 5.0.8, while checking its compatibility with the other required libraries.

In addition, it would be necessary to document which tests or modules make use of this dependency.

@davidjiglesias davidjiglesias added level/subtask Subtask issue and removed level/task Task issue labels Nov 22, 2023
@Deblintrake09 Deblintrake09 self-assigned this Jan 3, 2024

Deblintrake09 commented Jan 3, 2024

Research update

  • Currently this library is not being directly used in the repository. It is only added to the requirements file but never imported for usage, so technically it can be removed.


Rebits commented Jan 3, 2024

@Deblintrake09 it seems this dependency was included for the deprecated WPK integration tests.

The current tests no longer rely on that particular dependency. Therefore, I recommend removing the associated library from the system.

@Deblintrake09

@Rebits Checking on this wazuh-jenkins it shows that it is not being used there either, so it is not a dependency for a Jenkins pipeline. It should be possible to remove it without affecting the repository.
