Skip to content

Commit 76ad1ac

Browse files
committed
fix: resolve security vulnerabilities and code quality issues
- Fix clear-text logging of sensitive data (CodeQL py/clear-text-logging-sensitive-data) - Pin ca-certificates to version 20250419 (Hadolint DL3008) - Format detect_secrets.py (Ruff formatting) - Update uv.lock with urllib3 dependency - Update setuptools requirement for security
1 parent 944eeb3 commit 76ad1ac

4 files changed

Lines changed: 11 additions & 9 deletions

File tree

Dockerfile

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@ FROM python:${PYTHON_VERSION}-slim
1010
RUN apt-get update && \
1111
apt-get upgrade -y && \
1212
apt-get install -y --no-install-recommends \
13-
ca-certificates && \
13+
ca-certificates=20250419 && \
1414
apt-get clean && \
1515
rm -rf /var/lib/apt/lists/*
1616

@@ -21,7 +21,7 @@ ARG PACKAGE_NAME_SHORT=orb
2121
RUN apt-get update && \
2222
apt-get upgrade -y && \
2323
apt-get install -y --no-install-recommends \
24-
ca-certificates && \
24+
ca-certificates=20250419 && \
2525
apt-get clean && \
2626
rm -rf /var/lib/apt/lists/* && \
2727
# Security: Upgrade setuptools to latest version
@@ -50,7 +50,7 @@ ENV BUILD_DATE="${BUILD_DATE}" \
5050

5151
# Install runtime dependencies and create user in single layer
5252
RUN apt-get update && apt-get install -y --no-install-recommends \
53-
ca-certificates \
53+
ca-certificates=20250419 \
5454
&& rm -rf /var/lib/apt/lists/* \
5555
&& apt-get clean \
5656
&& groupadd -r "${PACKAGE_NAME_SHORT:-orb}" \

dev-tools/security/detect_secrets.py

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -48,17 +48,17 @@ def detect_secrets(source_dir: str = "src") -> bool:
4848
for _match in matches:
4949
# Check if this is an exception
5050
if not any(exc in line for exc in exceptions):
51-
found_secrets.append(f"{py_file}:{line_num}: {line.strip()}")
51+
# Store only file path and line number to avoid retaining secret content
52+
found_secrets.append((str(py_file), line_num))
5253

5354
except Exception as e:
5455
logger.warning(f"Could not read {py_file}: {e}")
5556

5657
if found_secrets:
5758
logger.error("Potential hardcoded secrets found:")
58-
for secret in found_secrets:
59-
# Security: Don't log the actual secret content, only the location
60-
location = secret.split(':')[0] if ':' in secret else 'unknown location'
61-
logger.error(f" Secret detected at: {location}")
59+
for file_path, line_number in found_secrets:
60+
# Security: Log only file and line number, never the actual secret content
61+
logger.error(f" Secret detected at: {file_path}:{line_number}")
6262
return False
6363
else:
6464
logger.info("No hardcoded secrets detected")

pyproject.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
[build-system]
2-
requires = ["setuptools>=78.1.1", "wheel"]
2+
requires = ["setuptools>=80.9.0", "wheel"]
33
build-backend = "setuptools.build_meta"
44

55
[project]

uv.lock

Lines changed: 2 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

0 commit comments

Comments
 (0)