Merge pull request #250 from cisagov/security/stop-ignoring-pip-audit-finding

Pin `ansible-core` to `>=2.17.7`

Author: jsf9k

.github/workflows/build.yml

@@ -100,7 +100,7 @@ jobs:
           permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
       - id: setup-env
         uses: cisagov/setup-env-github-action@v1
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - id: setup-python
         uses: actions/setup-python@v6
         with:
@@ -258,7 +258,7 @@ jobs:
           permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
       - id: setup-env
         uses: cisagov/setup-env-github-action@v1
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - id: setup-python
         uses: actions/setup-python@v6
         with:

.github/workflows/codeql-analysis.yml

@@ -114,7 +114,7 @@ jobs:
           permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
 
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

.github/workflows/dependency-review.yml

@@ -89,7 +89,7 @@ jobs:
           permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
       - id: checkout-repo
         name: Checkout the repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - id: dependency-review
         name: Review dependency changes for vulnerabilities and license changes
         uses: actions/dependency-review-action@v4

.github/workflows/sync-labels.yml

@@ -84,7 +84,7 @@ jobs:
           # monitoring configuration *does not* require you to modify
           # this workflow.
           permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - name: Sync repository labels
         if: success()
         uses: crazy-max/ghaction-github-labeler@v5

.pre-commit-config.yaml

@@ -172,11 +172,6 @@ repos:
     hooks:
       - id: pip-audit
         args:
-          # We have to ignore this particular vulnerability in
-          # ansible-core>=2.11 as there is currently no fix.  See
-          # cisagov/skeleton-ansible-role#210 for more details.
-          - --ignore-vuln
-          - GHSA-99w6-3xph-cx78
           # We have to ignore this vulnerability since we need to pin
           # to Ansible 10 for now to support our CyHy code that must
           # still run on Debian Buster.  This vulnerability is fixed
@@ -201,10 +196,16 @@ repos:
     rev: v3.21.1
     hooks:
       - id: pyupgrade
+        args:
+          # Python 3.10 is currently the oldest non-EOL version of
+          # Python, so we want to apply all rules that apply to this
+          # version or later.  See here for more details:
+          # https://www.gyford.com/phil/writing/2025/08/26/how-to-use-pyupgrade/
+          - --py310-plus
 
   # Ansible hooks
   - repo: https://github.com/ansible/ansible-lint
-    rev: v25.11.0
+    rev: v25.11.1
     hooks:
       - id: ansible-lint
         additional_dependencies:
@@ -220,31 +221,13 @@ repos:
           # hook identifies a vulnerability in ansible-core 2.16.13,
           # but all versions of ansible 9 have a dependency on
           # ~=2.16.X.
-          #
-          # It is also a good idea to go ahead and upgrade to version
-          # 10 since version 9 is going EOL at the end of November:
-          # https://endoflife.date/ansible
           # - ansible>=10,<11
-          # ansible-core 2.16.3 through 2.16.6 suffer from the bug
-          # discussed in ansible/ansible#82702, which breaks any
-          # symlinked files in vars, tasks, etc. for any Ansible role
-          # installed via ansible-galaxy.  Hence we never want to
-          # install those versions.
-          #
-          # Note that the pip-audit pre-commit hook identifies a
-          # vulnerability in ansible-core 2.16.13.  The pin of
-          # ansible-core to >=2.17 effectively also pins ansible to
-          # >=10.
-          #
-          # It is also a good idea to go ahead and upgrade to
-          # ansible-core 2.17 since security support for ansible-core
-          # 2.16 ends this month:
-          # https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix
+          # ansible-core<2.17.7 suffers from GHSA-99w6-3xph-cx78.
           #
           # Note that any changes made to this dependency must also be
           # made in requirements.txt in cisagov/skeleton-packer and
           # requirements-test.txt in cisagov/skeleton-ansible-role.
-          - ansible-core>=2.17
+          - ansible-core>=2.17.7
 
   # Terraform hooks
   - repo: https://github.com/antonbabenko/pre-commit-terraform

requirements-test.txt

@@ -1,45 +1,19 @@
 --requirement requirements.txt
-# With the release of version 2.10, Ansible finally correctly
-# identifies Kali Linux as being the Kali distribution of the Debian
-# OS family.  This simplifies a lot of things for roles that support
-# Kali Linux, so it makes sense to force the installation of Ansible
-# 2.10 or newer.
-#
-# We need at least version 6 to correctly identify Amazon Linux 2023
-# as using the dnf package manager, and version 8 is currently the
-# oldest supported version.
-#
 # Version 10 is required because the pip-audit pre-commit hook
 # identifies a vulnerability in ansible-core 2.16.13, but all versions
 # of ansible 9 have a dependency on ~=2.16.X.
 #
-# It is also a good idea to go ahead and upgrade to version 10 since
-# version 9 is going EOL at the end of November:
-# https://endoflife.date/ansible
-#
 # We have tested against version 10.  We want to avoid automatically
 # jumping to another major version without testing, since there are
 # often breaking changes across major versions.  This is the reason
 # for the upper bound.
 ansible>=10,<11
-# ansible-core 2.16.3 through 2.16.6 suffer from the bug discussed in
-# ansible/ansible#82702, which breaks any symlinked files in vars,
-# tasks, etc. for any Ansible role installed via ansible-galaxy.
-# Hence we never want to install those versions.
-#
-# Note that the pip-audit pre-commit hook identifies a vulnerability
-# in ansible-core 2.16.13.  Normally we would pin ansible-core
-# accordingly (>2.16.13), but the above pin of ansible>=10 effectively
-# pins ansible-core to >=2.17 so that's what we do here.
-#
-# It is also a good idea to go ahead and upgrade to ansible-core 2.17
-# since security support for ansible-core 2.16 ends this month:
-# https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix
+# ansible-core<2.17.7 suffers from GHSA-99w6-3xph-cx78.
 #
 # Note that any changes made to this dependency must also be made in
 # requirements.txt in cisagov/skeleton-packer and
 # .pre-commit-config.yaml in cisagov/skeleton-generic.
-ansible-core>=2.17
+ansible-core>=2.17.7
 # With the release of molecule v5 there were some breaking changes so
 # we need to pin at v5 or newer. However, v5.0.0 had an internal
 # dependency issue so we must use the bugfix release as the actual

version.txt

@@ -1 +1 @@
-2.1.0
+2.1.1