Maintenance: pyproject.toml and poetry.lock dependency versions appear at odds

[availity-droo]

Why is this needed?

In the process of developing and deploying a solution utilizing aws-lambda-powertools, we discovered our SCA scanner was noticing pydantic CVE-2024-3772 due to version 2.0.3 being installed when using conda. I noticed the poetry.lock file references 2.9.1 of pydantic, however, and was curious if that discrepancy was intentional.

I am aware the vulnerable method validate_email is not being called from the CVE, but it is always nicer to have a clean vulnerability scan and avoid creating waivers/mitigations for findings.

Which area does this relate to?

Other

Solution

Update the pyproject.toml dependency list to reflect those currently locked via poetry.

Acknowledgment

• This request meets Powertools for AWS Lambda (Python) Tenets
• Should this be considered in other Powertools for AWS Lambda languages? i.e. Java, TypeScript, and .NET

[boring-cyborg]

Thanks for opening your first issue here! We'll come back to you as soon as we can.
In the meantime, check out the #python channel on our Powertools for AWS Lambda Discord: Invite link

[leandrodamascena]

Hi @availity-droo! Thanks for opening this issue! I need a bit more information about the reported problem. I know Pydantic had some CVEs in v2, not just the one you mentioned, but others, but we're not pinning the version 2.0.3. The version specification for pydantic is "^2.0.3" and uses the caret (^) operator, which means "compatible with version 2.0.3 and any later minor or patch versions, but not major versions".

Also, checking the poetry instalation, everything looks ok.

➜  aws-lambda-powertools-v3 git:(develop) ✗ poetry lock --check
poetry lock --check is deprecated, use `poetry check --lock` instead.
poetry.lock is consistent with pyproject.toml.
➜  aws-lambda-powertools-v3 git:(develop) ✗ 

➜  aws-lambda-powertools-v3 git:(develop) ✗ poetry show --all | grep pydantic
pydantic                                    2.9.1          
pydantic-core                               2.23.3         
➜  aws-lambda-powertools-v3 git:(develop) ✗ 

We also have some security checks and we don't have alert in any of them.

Maybe it's because your SCA scanner is looking for this line as 2.0.3 and not allowing 2.0.3+? Or maybe an issue related to how conda doesn't install all dependencies?

Please let me know your thoughts.

[sthulb]

Hi @availity-droo, can you tell us which tools you're using for scanning? I'd like to replicate your environment so I can reproduce.

Thanks!

[leandrodamascena]

Hi @availity-droo I think it makes sense to bump the Pydantic version in project.toml to at least 2.4.0 and prevent customers from installing any version with CVE. I mean, we don't install versions with CVE because when someone uses our layers or install aws-lambda-powertools[all/tracer] we install the latest Pydantic version, but that doesn't prevent someone from installing a version with CVE and SAST tools complaining. I'm changing the version to 2.4.0 minimum.