Require newer version of pypi/setuptools to remove security scan issue (CVE-2022-40897)

[lewijw]

Description

Hi. My team is evaluating airflow, so I ran a security scan on it. It is flagging a Medium security issue with pypi/setuptools. See https://nvd.nist.gov/vuln/detail/CVE-2022-40897 for details. Is it possible to require a more recent version? Or perhaps airflow users are not vulnerable to this?

Use case/motivation

No response

Related issues

No response

Are you willing to submit a PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[boring-cyborg]

Thanks for opening your first issue here! Be sure to follow the issue template!

[potiuk]

We do not trust blindly security scans - following the ASF security tram recommendation. There are far too many false positives to accept a report which says 'those are all CVEs that our scanner found'. By default we simply drop such repoers

Generally If you think there is an exploitable scenario for a CVE- you should report the issue responsibly (see our security policy - via email and in private, rather than public issue, with reproducible scenario).

But we treat security seriously. Generally almost never airflow releases old versions with implemented security fixes - we release any fixes in latest minor branch (so next wave of security fixes might be in 2.5.2 or 2.6.0 whichever comes first. And with few exceptions where our dependencies are fixed or upper-bound, our build / CI mechanism automatically upgrades dependencies to latest released compatible version - which handles a lot of vulnerabilities automatically.

But setuptools is different - believe we fix setuptools in pyproject.toml to avoid surprises so likely it is worth to upgrade it. Then it will be used with next release.

Feel free to open PR and updateitto the version that is good. Our CI will automatically run complete test harness if you open such PR so if it will be green - i am happy to approve it and add to the next release.

[arjunanan6]

@potiuk I would like to give this a try if @lewijw isn't opening a PR.

[lewijw]

I am new to Python, so it might be a while before I can do it.

[arjunanan6]

Then I will take it, @potiuk :)