From 4cb88de0fac3bd1b1e91e3586cf1b78ea47e49fd Mon Sep 17 00:00:00 2001 From: "jan.nowotsch" Date: Wed, 29 Oct 2025 17:07:51 +0100 Subject: [PATCH 1/3] [pipaudit] Add an option to ignore vulnerabilities Extend the pipaudit rule, adding an option to ignore vulnerabilities. Sometimes a vulnerability does not have a fix yet. In such a case, the user must be able to ignore those as there is no other option for third-party libraries. --- quality/private/python/python_pip_audit_rule.bzl | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/quality/private/python/python_pip_audit_rule.bzl b/quality/private/python/python_pip_audit_rule.bzl index 3418b21..7ea63b6 100644 --- a/quality/private/python/python_pip_audit_rule.bzl +++ b/quality/private/python/python_pip_audit_rule.bzl @@ -28,6 +28,9 @@ def _pip_audit_rule_impl(ctx): requirement_file = ctx.file.requirement args_list = ["--disable-pip"] + if ctx.attr.ignore_vulnerability: + for vulnerability in ctx.attr.ignore_vulnerability: + args_list.extend(["--ignore-vuln", vulnerability]) if ctx.attr.no_deps: args_list.append("--no-deps") if ctx.attr.index_url: @@ -55,6 +58,13 @@ def _pip_audit_rule_impl(ctx): pip_audit_rule = rule( implementation = _pip_audit_rule_impl, attrs = { + "ignore_vulnerability": attr.string_list( + default = [], + doc = ( + "Optional. If set, pip-audit will ignore a specific set of vulnerabilities by their IDs." + + "If not provided, all vulnerabilities will be checked." + ), + ), "index_url": attr.string( default = "", doc = ( From 9f63a218573cc3887e00a39ee4c75c73a6a0b85d Mon Sep 17 00:00:00 2001 From: "jan.nowotsch" Date: Wed, 29 Oct 2025 17:10:25 +0100 Subject: [PATCH 2/3] [security] Ignore `GHSA-4xh5-x5gv-qwph` from `pip` The vulnerability `GHSA-4xh5-x5gv-qwph` is now affecting pip 25.2 as well but there is still no fix for it. Hence, it needs to be tolerated for now. --- SECURITY.md | 2 ++ third_party/pip/BUILD | 6 ++++++ 2 files changed, 8 insertions(+) 
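Review bot: The IDs handed to `--ignore-vuln` leave no trace in the build output, so a CI run that only passes because of a suppression is indistinguishable from a clean one; consider surfacing the list where the rule invokes pip-audit (for example in the `progress_message` of the `ctx.actions.run` call, if that is how the tool is launched — the action setup is outside this hunk) and rejecting blank entries with `if not vulnerability: fail("ignore_vulnerability entries must be non-empty vulnerability IDs")`, since an empty string would silently pass an empty `--ignore-vuln` argument through. The `if ctx.attr.ignore_vulnerability:` guard is redundant, because iterating an empty `string_list` already does nothing; `for vulnerability in ctx.attr.ignore_vulnerability:` on its own reads the same. `_pip_audit_rule_impl` begins before this hunk and continues past it.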
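Review bot: The two string literals in the `doc` of `ignore_vulnerability` appear to be joined by implicit concatenation with no separating space (unless a `+` was lost in this rendering), so the generated attribute documentation reads `...by their IDs.If not provided...`; end the first literal with a trailing space, `"Optional. If set, pip-audit will ignore a specific set of vulnerabilities by their IDs. "`. Because every entry suppresses an audit finding, the doc should also state the expected discipline, e.g. append `"Each ID listed here is a temporary exception: it must be justified and tracked (for example in SECURITY.md) and removed once a fixed release is available."`. The `pip_audit_rule` definition continues beyond this hunk.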
diff --git a/SECURITY.md b/SECURITY.md index 2236322..6740ef3 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -57,6 +57,8 @@ The following table lists all known vulnerabilities that could not be fixed: | ---------- | ------------------- | ------------------ | ------------- | -------------- | ------------------------------------ | | urllib3 | GHSA-48p4-8xcf-vxj5 | 2.2.3 | 2.5.0 | 3.8 | Fixed package requires Python >= 3.9 | | urllib3 | GHSA-pq67-6m6q-mj2v | 2.2.3 | 2.5.0 | 3.8 | Fixed package requires Python >= 3.9 | +| pip | GHSA-4xh5-x5gv-qwph | 25.0.1 | 25.2 | 3.8 | Fixed package requires Python >= 3.9 | +| pip | GHSA-4xh5-x5gv-qwph | 25.2 | - | All | Waiting for an open source fix | ### Vulnerable Python Versions diff --git a/third_party/pip/BUILD b/third_party/pip/BUILD index 2fdd1ec..9bee18e 100644 --- a/third_party/pip/BUILD +++ b/third_party/pip/BUILD @@ -50,6 +50,12 @@ EXTRA_ARGS = [ [ pip_audit_rule( name = "pip_audit_requirements_{}".format(version.replace(".", "_")), + # The list of ignored vulnerabilities should ideally be empty, but sometimes a certain vulnerability + # does not have a fix yet. In that case, we ignore it with `--ignore-vul` to avoid CI failures. + # Keep this in sync with SECURITY.md. + ignore_vulnerability = [ + "GHSA-4xh5-x5gv-qwph", # Added because there is no fix yet for pip 25.2. + ], requirement = "requirements_lock_{}.txt".format(version.replace(".", "_")), ) for version in PYTHON_VERSIONS From bbeb777111ebf0b7482ed9da135d57c04c6f71c7 Mon Sep 17 00:00:00 2001 From: jannowotsch Date: Thu, 30 Oct 2025 09:28:43 +0100 Subject: [PATCH 3/3] wip - address review findings --- SECURITY.md | 3 +-- third_party/pip/BUILD | 6 ------ third_party/pip/requirements_lock_3_10.txt | 6 +++--- third_party/pip/requirements_lock_3_11.txt | 6 +++--- third_party/pip/requirements_lock_3_12.txt | 6 +++--- third_party/pip/requirements_lock_3_9.txt | 6 +++--- 6 files changed, 13 insertions(+), 20 deletions(-) 
diff --git a/SECURITY.md b/SECURITY.md index 6740ef3..a814884 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -57,8 +57,7 @@ The following table lists all known vulnerabilities that could not be fixed: | ---------- | ------------------- | ------------------ | ------------- | -------------- | ------------------------------------ | | urllib3 | GHSA-48p4-8xcf-vxj5 | 2.2.3 | 2.5.0 | 3.8 | Fixed package requires Python >= 3.9 | | urllib3 | GHSA-pq67-6m6q-mj2v | 2.2.3 | 2.5.0 | 3.8 | Fixed package requires Python >= 3.9 | -| pip | GHSA-4xh5-x5gv-qwph | 25.0.1 | 25.2 | 3.8 | Fixed package requires Python >= 3.9 | -| pip | GHSA-4xh5-x5gv-qwph | 25.2 | - | All | Waiting for an open source fix | +| pip | GHSA-4xh5-x5gv-qwph | 25.0.1 | 25.3 | 3.8 | Fixed package requires Python >= 3.9 | ### Vulnerable Python Versions diff --git a/third_party/pip/BUILD b/third_party/pip/BUILD index 9bee18e..2fdd1ec 100644 --- a/third_party/pip/BUILD +++ b/third_party/pip/BUILD @@ -50,12 +50,6 @@ EXTRA_ARGS = [ [ pip_audit_rule( name = "pip_audit_requirements_{}".format(version.replace(".", "_")), - # The list of ignored vulnerabilities should ideally be empty, but sometimes a certain vulnerability - # does not have a fix yet. In that case, we ignore it with `--ignore-vul` to avoid CI failures. - # Keep this in sync with SECURITY.md. - ignore_vulnerability = [ - "GHSA-4xh5-x5gv-qwph", # Added because there is no fix yet for pip 25.2. - ], requirement = "requirements_lock_{}.txt".format(version.replace(".", "_")), ) for version in PYTHON_VERSIONS diff --git a/third_party/pip/requirements_lock_3_10.txt b/third_party/pip/requirements_lock_3_10.txt index 5114296..776e342 100644 --- a/third_party/pip/requirements_lock_3_10.txt +++ b/third_party/pip/requirements_lock_3_10.txt 
@@ -827,7 +827,7 @@ webencodings==0.5.1 \ # via html5lib # The following packages are considered to be unsafe in a requirements file: -pip==25.2 \ - --hash=sha256:578283f006390f85bb6282dffb876454593d637f5d1be494b5202ce4877e71f2 \ - --hash=sha256:6d67a2b4e7f14d8b31b8b52648866fa717f45a1eb70e83002f4331d07e953717 +pip==25.3 \ + --hash=sha256:8d0538dbbd7babbd207f261ed969c65de439f6bc9e5dbd3b3b9a77f25d95f343 \ + --hash=sha256:9655943313a94722b7774661c21049070f6bbb0a1516bf02f7c8d5d9201514cd # via pip-api diff --git a/third_party/pip/requirements_lock_3_11.txt b/third_party/pip/requirements_lock_3_11.txt index fe64180..70aa2fd 100644 --- a/third_party/pip/requirements_lock_3_11.txt +++ b/third_party/pip/requirements_lock_3_11.txt @@ -782,7 +782,7 @@ webencodings==0.5.1 \ # via html5lib # The following packages are considered to be unsafe in a requirements file: -pip==25.2 \ - --hash=sha256:578283f006390f85bb6282dffb876454593d637f5d1be494b5202ce4877e71f2 \ - --hash=sha256:6d67a2b4e7f14d8b31b8b52648866fa717f45a1eb70e83002f4331d07e953717 +pip==25.3 \ + --hash=sha256:8d0538dbbd7babbd207f261ed969c65de439f6bc9e5dbd3b3b9a77f25d95f343 \ + --hash=sha256:9655943313a94722b7774661c21049070f6bbb0a1516bf02f7c8d5d9201514cd # via pip-api diff --git a/third_party/pip/requirements_lock_3_12.txt b/third_party/pip/requirements_lock_3_12.txt index 53664da..f64bca6 100644 --- a/third_party/pip/requirements_lock_3_12.txt +++ b/third_party/pip/requirements_lock_3_12.txt @@ -782,7 +782,7 @@ webencodings==0.5.1 \ # via html5lib # The following packages are considered to be unsafe in a requirements file: -pip==25.2 \ - --hash=sha256:578283f006390f85bb6282dffb876454593d637f5d1be494b5202ce4877e71f2 \ - --hash=sha256:6d67a2b4e7f14d8b31b8b52648866fa717f45a1eb70e83002f4331d07e953717 +pip==25.3 \ + --hash=sha256:8d0538dbbd7babbd207f261ed969c65de439f6bc9e5dbd3b3b9a77f25d95f343 \ + --hash=sha256:9655943313a94722b7774661c21049070f6bbb0a1516bf02f7c8d5d9201514cd # via pip-api 
diff --git a/third_party/pip/requirements_lock_3_9.txt b/third_party/pip/requirements_lock_3_9.txt index 88dae35..a0858ca 100644 --- a/third_party/pip/requirements_lock_3_9.txt +++ b/third_party/pip/requirements_lock_3_9.txt @@ -828,7 +828,7 @@ webencodings==0.5.1 \ # via html5lib # The following packages are considered to be unsafe in a requirements file: -pip==25.2 \ - --hash=sha256:578283f006390f85bb6282dffb876454593d637f5d1be494b5202ce4877e71f2 \ - --hash=sha256:6d67a2b4e7f14d8b31b8b52648866fa717f45a1eb70e83002f4331d07e953717 +pip==25.3 \ + --hash=sha256:8d0538dbbd7babbd207f261ed969c65de439f6bc9e5dbd3b3b9a77f25d95f343 \ + --hash=sha256:9655943313a94722b7774661c21049070f6bbb0a1516bf02f7c8d5d9201514cd # via pip-api