
Superset 4.0.1 uses again outdated setuptools 58.1.0 with CVE

Open nigzak opened this issue 1 year ago • 1 comment

Bug description

Outdated setuptools used => CVE-2022-40897, CVE score 7.5 (high) by Docker Scout

How to reproduce the bug

Fetch the 4.0.1 image & scan the image.

Screenshots/recordings

No response

Superset version

4.0.1

Python version

3.9

Node version

16

Browser

Chrome

Additional context

The same bug was on 3.x.x; for the fix refer to https://github.com/apache/superset/issues/26991

Checklist

  • [X] I have searched Superset docs and Slack and didn't find a solution to my problem.
  • [X] I have searched the GitHub issue tracker and didn't find a similar bug report.
  • [X] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

nigzak avatar May 21 '24 12:05 nigzak

To address the issue of the outdated setuptools version in Superset 4.0.1, you can update the setuptools dependency to version 65.5.1 or newer. This will resolve the security vulnerability CVE-2022-40897. Here are the steps to update the setuptools version:

  1. Modify the setup.py file:
    • Open the setup.py file in the Superset repository.
    • Update the install_requires section to specify the new setuptools version.

Here is an example of how you can modify the setup.py file:

from setuptools import find_packages, setup

# ... other imports and code ...

setup(
    version=version_string,
    packages=find_packages(),
    include_package_data=True,
    zip_safe=False,
    install_requires=[
        "setuptools>=65.5.1",
        # ... other dependencies ...
    ],
    entry_points={
        "console_scripts": ["superset=superset.cli.main:superset"],
        "sqlalchemy.dialects": [
            "postgres.psycopg2 = sqlalchemy.dialects.postgresql:dialect",
            "postgres = sqlalchemy.dialects.postgresql:dialect",
            "superset = superset.extensions.metadb:SupersetAPSWDialect",
        ],
        "shillelagh.adapter": [
            "superset=superset.extensions.metadb:SupersetShillelaghAdapter"
        ],
    },
    download_url="https://www.apache.org/dist/superset/" + version_string,
)

  2. Check and Update CI/CD Pipelines:
    • Ensure that the CI/CD pipelines are updated to reflect this change. The .github/workflows/superset-python-integrationtest.yml, .github/workflows/superset-python-unittest.yml, and .github/workflows/superset-python-misc.yml workflows include steps that involve setting up Python and installing dependencies using pip, which would be affected by changes in the setuptools version.
  3. Run Tests:
    • After updating the setuptools version, run the existing tests to ensure that everything works correctly. The Superset project has automated tests and CI/CD pipelines in place to verify the compatibility and functionality of dependencies.
  4. Release Process:
    • Once the changes are verified, follow the release process to publish a new version. The release process involves a GitHub Actions workflow that triggers on pushes to the "master" branch or any branch matching the pattern "[0-9].[0-9]". Ensure that the necessary secrets (NPM_TOKEN and GH_PERSONAL_ACCESS_TOKEN) are available for the workflow to complete successfully.

For more details on the release process, you can refer to the release.yml file and the UPDATING.md document.

By following these steps, you can update the setuptools version in Superset 4.0.1 to address the security vulnerability CVE-2022-40897.


dosubot[bot] avatar May 21 '24 12:05 dosubot[bot]
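A check for the finding discussed in this thread, added here as an example that is not part of the issue or of the Superset project: it audits `pip list --format=freeze` style output against the fixed setuptools version the comment above names (65.5.1 for CVE-2022-40897), using a simplified numeric version comparison so that "65.10.0" is correctly treated as newer than "65.5.1". The sample freeze output is constructed, not taken from the 4.0.1 image; the advisory table is a placeholder holding only the setuptools entry from this issue.

```python
import re
from typing import Dict, List, Tuple

# Minimum fixed versions keyed by distribution name. Only the entry from this
# issue is filled in; treat the table as a placeholder for a real feed.
FIXED_VERSIONS: Dict[str, Tuple[str, str]] = {
    "setuptools": ("65.5.1", "CVE-2022-40897"),
}

# Constructed sample of `pip list --format=freeze` output from an image that
# still ships an outdated setuptools (not real output from apache/superset).
SAMPLE_FREEZE = """\
apache-superset==4.0.1
pip==23.0.1
setuptools==58.1.0
wheel==0.40.0
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '65.5.1' into (65, 5, 1). Simplified PEP 440: only the leading
    digits of each dotted component count, so '65.5.1rc1' becomes (65, 5, 1)."""
    parts = []
    for component in text.strip().split("."):
        m = re.match(r"\d+", component)
        parts.append(int(m.group(0)) if m else 0)
    while len(parts) > 1 and parts[-1] == 0:  # 65.5 == 65.5.0
        parts.pop()
    return tuple(parts)


def audit_freeze(freeze_output: str) -> List[Dict[str, str]]:
    """Return one finding per pinned package that is below its fixed version."""
    findings = []
    for line in freeze_output.splitlines():
        line = line.strip()
        if line.startswith("#") or "==" not in line:
            continue
        name, _, version = line.partition("==")
        name = name.strip().lower()
        if name not in FIXED_VERSIONS:
            continue
        fixed, cve = FIXED_VERSIONS[name]
        if parse_version(version) < parse_version(fixed):
            findings.append({"package": name, "installed": version.strip(),
                             "fixed": fixed, "cve": cve})
    return findings


if __name__ == "__main__":
    for f in audit_freeze(SAMPLE_FREEZE):
        print(f"{f['package']} {f['installed']} < {f['fixed']} ({f['cve']})")
```

Feed it the freeze output captured from a running container, and an empty result means every tracked package is at or above its fixed version.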

Hi @nigzak. Please follow the instructions on Reporting Security Vulnerabilities. There's also this warning in the issue template:

🚨 Reporting a security issue: send an email to [email protected]. DO NOT USE GITHUB ISSUES TO REPORT SECURITY PROBLEMS.

michael-s-molina avatar May 23 '24 20:05 michael-s-molina