Merge branch 'development' into docs/update

.github/workflows/test_cornflow_client.yml

@@ -151,3 +151,4 @@ jobs:
         uses: codecov/codecov-action@v3
         with:
           flags: client-tests
+          token: ${{secrets.CODECOV_TOKEN}}

.github/workflows/test_cornflow_dags.yml

@@ -86,4 +86,5 @@ jobs:
     - name: Upload coverage to codecov
       uses : codecov/codecov-action@v3
       with:
-        flags: dags-tests
+        flags: dags-tests
+        token: ${{secrets.CODECOV_TOKEN}}

.github/workflows/test_cornflow_server.yml

@@ -165,3 +165,4 @@ jobs:
       uses: codecov/codecov-action@v3
       with:
         flags: server-tests
+        token: ${{secrets.CODECOV_TOKEN}}

cornflow-server/Dockerfile

@@ -1,4 +1,4 @@
-# VERSION 1.0.8
+# VERSION 1.0.10
 # AUTHOR: sistemas@baobabsoluciones.es
 
 FROM python:3.10-slim-buster
@@ -9,7 +9,7 @@ ENV DEBIAN_FRONTEND noninteractive
 ENV TERM linux
 
 # CORNFLOW vars
-ARG CORNFLOW_VERSION=1.0.9
+ARG CORNFLOW_VERSION=1.0.10
 
 # install linux pkg
 RUN apt update -y && apt-get install -y --no-install-recommends \

cornflow-server/airflow_config/Dockerfile

@@ -1,7 +1,7 @@
-# VERSION 2.7.1
+# AIRFLOW VERSION 2.9.0
 # AUTHOR: cornflow@baobabsoluciones.es
-# DESCRIPTION: Airflow 2.7.1 image personalized for use with Cornflow (from baobabsoluciones/pysolver image)
-# baobab code version is 1.0.8
+# DESCRIPTION: Airflow 2.9.0 image personalized for use with Cornflow (from baobabsoluciones/pysolver image)
+# baobab code version is 1.0.10
 
 FROM baobabsoluciones/pysolver:1.0
 LABEL maintainer="cornflow@baobabsoluciones"
@@ -11,14 +11,16 @@ ENV DEBIAN_FRONTEND noninteractive
 ENV TERM linux
 
 # Airflow vars
-ARG AIRFLOW_VERSION=2.7.1
+ARG AIRFLOW_VERSION=2.9.0
 ARG AIRFLOW_USER_HOME=/usr/local/airflow
 ARG CONSTRAINT_URL="https://raw.githubusercontent.com/apache/airflow/constraints-${AIRFLOW_VERSION}/constraints-3.10.txt"
 ARG AIRFLOW__CORE__LOAD_EXAMPLES=False
 ENV AIRFLOW_HOME=${AIRFLOW_USER_HOME}
 
 # install Airflow and extras: celery,postgres and redis
 RUN pip install "apache-airflow[celery,google,postgres,redis,sendgrid]==${AIRFLOW_VERSION}" --constraint "${CONSTRAINT_URL}"
+# We add these overruns due to security reasons as suggested here: https://airflow.apache.org/docs/apache-airflow/stable/installation/installing-from-pypi.html#upgrading-and-installing-dependencies-including-providers
+RUN pip install "apache-airflow[celery,google,postgres,redis,sendgrid]==${AIRFLOW_VERSION}" "cryptography==42.0.5" "gunicorn==22.0.0" "requests==2.31.0" "Werkzeug==2.3.8"
 
 # copy init script and config to container
 COPY scripts ${AIRFLOW_HOME}/scripts

cornflow-server/changelog.rst

@@ -1,3 +1,14 @@
+version 1.0.10
+---------------
+
+- released: 2024-04-17
+- description: changed libraries versions due to discovered vulnerabilities
+- changelog:
+    - Upgraded cryptography version to 42.0.5
+    - Upgraded gunicorn version to 22.0.0
+    - Upgraded requests version to 2.31.0
+    - Upgraded Werkzeug version to 2.3.8
+
 version 1.0.9
 --------------
 

cornflow-server/cornflow/shared/licenses.py

@@ -1,75 +1,39 @@
-import pkg_resources
+import importlib.metadata as metadata
 
 
-def get_license_txt(pkg):
-    if pkg.has_metadata("LICENSE"):
-        lic = pkg.get_metadata("LICENSE")
-    else:
-        lic = "(license detail not found)"
-    return lic
-
-
-def get_info(name, lines):
+def get_info(name, pkg):
     """
-    Search information in a list of lines.
+    Search information in a package metadata.
     The expected format of the line is "name: info"
-    This function search the name and return the info.
+    This function searches for the name and returns the info.
 
-    :param name: name to be search at the beginning of a line.
-    :param lines: list of strings.
+    :param name: name to be searched.
+    :param pkg: a dictionary representing the package metadata.
     :return: the info part of the line for the given name.
     """
-    sep = name + ": "
-    for line in lines:
-        if line.startswith(sep):
-            return line.split(sep, maxsplit=1)[1]
+    if name in pkg:
+        return pkg[name]
     return f"({name} not found)"
 
 
-def get_main_info(pkg):
-    """
-    Get information from libraries.
-
-    :param pkg: a package object from pkg_resources.working_set
-    :return: a dict with library, license, version, author, description and home page.
-    """
-    lines1 = []
-    lines2 = []
-    # Find info in metadata
-    if pkg.has_metadata("METADATA"):
-        lines1 = pkg.get_metadata_lines("METADATA")
-    # find info in PKG-INFO
-    if pkg.has_metadata("PKG-INFO"):
-        lines2 = pkg.get_metadata_lines("PKG-INFO")
-    # Transform lines into list
-    lines = [l for l in lines1] + [l for l in lines2]
-
-    # Manage case where license is UNKNOWN
-    lic = get_info("License", lines)
-    if lic == "UNKNOWN":
-        lic = get_info("Classifier: License :", lines)
-    return {
-        "library": get_info("Name", lines),
-        "license": lic,
-        "version": get_info("Version", lines),
-        "author": get_info("Author", lines),
-        "description": get_info("Summary", lines),
-        "home page": get_info("Home-page", lines),
-    }
-
-
 def get_licenses_summary():
     """
     Get a list of dicts with licenses and library information.
 
     :return: a list of dicts with library, license, version, author, description, home page and license text.
     """
     license_list = []
-    for pkg in sorted(pkg_resources.working_set, key=lambda x: str(x).lower()):
+    for pkg in sorted(metadata.distributions(), key=lambda x: x.metadata['Name'].lower()):
+        pkg_metadata = dict(pkg.metadata.items())
         license_list += [
             {
-                **get_main_info(pkg),
-                "license_text": get_license_txt(pkg),
+                "library": get_info("Name", pkg_metadata),
+                "license": get_info("License", pkg_metadata),
+                "version": get_info("Version", pkg_metadata),
+                "author": get_info("Author", pkg_metadata),
+                "description": get_info("Summary", pkg_metadata),
+                "home page": get_info("Home-page", pkg_metadata),
             }
         ]
+
     return license_list

cornflow-server/cornflow/tests/unit/test_licenses.py

@@ -11,9 +11,9 @@ def read_requirements():
             requirements = content.split("\n")
 
         requirements = [
-            r.split("=")[0].split(">")[0].split("<")[0].lower()
+            r.split("=")[0].split(">")[0].split("<")[0].split("@")[0].lower()
             for r in requirements
-            if r != ""
+            if r != "" and not r.startswith("#")
         ]
         return requirements
 

cornflow-server/requirements.txt

@@ -2,7 +2,7 @@ alembic==1.9.2
 apispec<=6.2.0
 click<=8.1.3
 cornflow-client<=1.0.16
-cryptography<=39.0.2
+cryptography<=42.0.5
 disposable-email-domains>=0.0.86
 Flask==2.3.2
 flask-apispec<=0.11.4
@@ -16,15 +16,15 @@ Flask-SQLAlchemy==2.5.1
 gevent==23.9.1
 greenlet<=2.0.2;python_version<"3.11"
 greenlet==3.0.0;python_version>="3.11"
-gunicorn<=20.1.0
+gunicorn<=22.0.0
 jsonpatch<=1.32
 ldap3<=2.9.1
 marshmallow<=3.19.0
 PuLP<=2.7.0
 psycopg2<=2.95
 PyJWT<=2.6.0
 pytups>=0.86.2
-requests<=2.29.0
+requests<=2.31.0
 SQLAlchemy==1.3.21
 webargs<=8.2.0
-Werkzeug<=2.3.3
+Werkzeug<=2.3.8

cornflow-server/setup.py

@@ -9,7 +9,7 @@
 
 setuptools.setup(
     name="cornflow",
-    version="1.0.9",
+    version="1.0.10",
     author="baobab soluciones",
     author_email="cornflow@baobabsoluciones.es",
     description="Cornflow is an open source multi-solver optimization server with a REST API built using flask.",