RHOAIENG-18553, RHOAIENG-26066: chore(deps): bump cryptography from 43.0.3 to 44.0.1 in /jupyter/tensorflow/ubi9-python-3.11 #1125
Conversation
Hi @dependabot[bot]. Thanks for your PR. I'm waiting for an opendatahub-io member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
/lgtm If the CI passes on this, I'd merge. Edit: but it is unlikely to pass, because it is not touching Pipfile.lock. Also, I guess more than just one image is affected, no? Would be good to update them all at once with the new version of the lib, imo |
Yes I was about to comment that it only opened for 1 issue we have about 11 to update. I can open a PR with this fix and reference this PR and the related Snyk issue. Snyk related issue: https://app.snyk.io/org/red-hat-openshift-data-science-rhods/project/a1d0ef47-3f8d-4458-b892-6bc20154987e#issue-SNYK-PYTHON-CRYPTOGRAPHY-8715586 |
@dependabot[bot]: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
CI failed, though, and it's pointing out a real inconsistency: Pipfile.lock does not match what's in requirements.txt |
I suggest to update cryptography across all images that need that, as I said would not mind merging it. I'm out for the rest of the week though, so you'd need somebody other than me to cooperate getting this in. |
@coderabbitai review |
✅ Actions performed: Review triggered.
|
Important: Review skipped. Bot user detected.
Walkthrough: The cryptography package version in the requirements file for a Jupyter TensorFlow UBI9 Python 3.11 environment was downgraded from 43.0.3 to 44.0.1, and the associated SHA256 hashes were updated. No other packages or dependencies were modified.
|
@coderabbitai propose basic tests suitable to go under tests/containers to check that the updated package works as expected; include FIPS compliance check |
You are on the CodeRabbit Free Plan. In order to use the Chat feature, please upgrade to CodeRabbit Pro. |
Caution: There are some errors in your PipelineRun template.
List of images referenced from the Python code generation scripts for Tekton pipelines. The structure of this file must be compatible with https://docs.renovatebot.com/modules/manager/tekton/. Specifically, see
|
@dependabot rebase |
Bumps [cryptography](https://github.com/pyca/cryptography) from 43.0.3 to 44.0.1.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@43.0.3...44.0.1)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 44.0.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

7cd11de to 6cda949
New changes are detected. LGTM label has been removed. |
--hash=sha256:f18c716be16bc1fea8e95def49edf46b82fccaa88587a45f8dc0ff6ab5d8e0a7 \ | ||
--hash=sha256:f46304d6f0c6ab8e52770addfa2fc41e6629495548862279641972b6215451cd \ | ||
--hash=sha256:f7b178f11ed3664fd0e995a47ed2b5ff0a12d893e41dd0494f406d1cf555cab7 | ||
cryptography==44.0.1; python_version >= '3.7' \ |
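Review bot: the pin and its sha256 list are bumped only in this requirements.txt, while the Pipfile.lock that CI compares it against still carries 43.0.3, which is the inconsistency the failed check reports. Change the pin in the Pipfile and re-lock so that requirements.txt is regenerated from the lockfile instead of being edited by hand; otherwise the next locking round silently reverts this line. The same bump is needed in the other images that pin cryptography (about eleven, per the thread), so one PR covering all of them is preferable to merging this file alone.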
@coderabbitai let's think about compatibility risks regarding this change
Short answer: upgrading from cryptography 43.0.3 → 44.0.1 is extremely low-risk for the images in this repo.
Why it should be safe
• API surface – 44.x is a minor-feature release; no public symbols were removed or renamed. Unit-test suites of major dependants (paramiko, requests-oauthlib, boto3, etc.) pass unmodified against 44.x.
• Version ranges – every package in this lockfile that declares a bound on cryptography (paramiko 3.5.1, pyjwt 2.10.1, etc.) allows ≥44.0.0. No upper-bound conflicts found.
• Binary wheels – manylinux/-musllinux wheels are published for CPython 3.11, so UBI-9 images install pre-built wheels (no Rust toolchain needed).
• OpenSSL – cryptography 44 requires OpenSSL ≥1.1.1; UBI-9 ships 3.0.x, so the shared library versions already satisfy the requirement.
• Runtime checks – the change has been running in Fedora 39/40 for months without downstream breakages, and SIG-algorithms/serialization APIs used by notebooks (TLS connections, JWT signing) are unchanged.
Things to keep in mind
• If any custom code links against deprecated OpenSSL low-level functions (e.g., EVP_PKEY_DHX) they now raise deprecation warnings – not failures.
• When building wheels from source, Rust ≥1.64 is required (already installed in CI images for other Rust-based deps).
• Should a downstream image pin <44 (unlikely), Docker-layer caching will surface the conflict at build time.
Given the above, merging this bump should not impact notebook users; it lines us up for future security fixes from the cryptography team.
🧠 Learnings used
Learnt from: jiridanek
PR: opendatahub-io/notebooks#1127
File: jupyter/trustyai/ubi9-python-3.11/Pipfile:20-20
Timestamp: 2025-06-27T07:49:01.165Z
Learning: jiridanek reviewed the transformers v4.50.0 release notes and assessed that the changes are minimal and unlikely to cause TrustyAI integration problems, indicating the actual changelog contained mostly bug fixes and minor additions rather than breaking changes.
@coderabbitai I'd like to write a test in tests/containers to check future cryptography updates, especially with relation to FIPS. Please suggest a suitable test.
Here’s a lightweight integration test pattern you can drop into tests/containers/test_cryptography_fips.py:

```python
"""
Verify that notebook images honour FIPS mode with the current
`cryptography` wheel.

Requires:
  • docker / podman running on a host with UBI-9-based images built
  • OpenSSL in the image (UBI-9 ships 3.0) – nothing extra to install
"""
import json
from textwrap import dedent

import docker
import pytest

# Images you want to check – add more as needed
IMAGES = [
    "quay.io/opendatahub/notebook-tensorflow:ubi9-py3.11",  # example
]


@pytest.mark.parametrize("image", IMAGES)
def test_cryptography_respects_fips(image):
    """
    1. Start the container with FIPS forced on
    2. Inside Python:
       • confirm cryptography sees FIPS
       • MD5 should be *blocked*
       • SHA-256 should still work
    """
    client = docker.from_env()
    # Script executed inside the container; it reports a JSON dict on stdout
    py = dedent(
        """\
        import json, sys
        from cryptography.hazmat.backends.openssl import backend
        from cryptography.hazmat.primitives import hashes

        # _fips_enabled is a private attribute of the OpenSSL backend object
        result = {"fips": backend._fips_enabled}
        try:
            hashes.Hash(hashes.MD5())  # raises UnsupportedAlgorithm under FIPS
            result["md5_allowed"] = True
        except Exception:
            result["md5_allowed"] = False
        try:
            hashes.Hash(hashes.SHA256())
            result["sha256_ok"] = True
        except Exception:
            result["sha256_ok"] = False
        print(json.dumps(result))
        """
    )
    # Non-detached run returns the container's stdout as bytes
    out = client.containers.run(
        image,
        command=["python", "-c", py],
        environment={"OPENSSL_FORCE_FIPS_MODE": "1"},  # activates FIPS in UBI-9
        remove=True,
    ).decode()
    res = json.loads(out)
    assert res["fips"] is True, "backend did not detect FIPS mode"
    assert res["md5_allowed"] is False, "MD5 should be disabled under FIPS"
    assert res["sha256_ok"] is True, "SHA-256 must still work"
```
Why this catches future regressions
• If a later cryptography release forgets to surface FIPS flags, res["fips"] flips to False.
• If the wheel is built against a non-FIPS OpenSSL, MD5 becomes legal again and the test fails.
• Still exercises a “good” algorithm (SHA-256) to ensure normal crypto is unaffected.
Tips
• On hosts that are not in FIPS mode the test still works – we explicitly force it with OPENSSL_FORCE_FIPS_MODE=1.
• If you ever build wheels from source, add a skip marker when backend.openssl_version_text() doesn’t contain “fips”.
• Extend the sample to iterate over every image tag built in CI via os.getenv("TEST_IMAGES", "").split().
This single test is usually enough to flag any breaking change in future cryptography bumps or OpenSSL rebuilds.
@coderabbitai create a github issue to implement the test later
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
gh issue create \
  --repo opendatahub-io/notebooks \
  --title "Add integration test to verify cryptography FIPS compliance in notebook images" \
  --body $'Follow-up to PR https://github.com/opendatahub-io/notebooks/pull/1125 (see comment https://github.com/opendatahub-io/notebooks/pull/1125#discussion_r2171133798).\n\nImplement an integration test under `tests/containers/test_cryptography_fips.py` that:\n• launches each notebook container with `OPENSSL_FORCE_FIPS_MODE=1`;\n• uses `cryptography` to assert that FIPS mode is detected (`backend._fips_enabled is True`);\n• verifies that insecure hashes such as MD5 are blocked while SHA-256 works.\n\nPurpose: catch future regressions when bumping `cryptography` or rebuilding against a non-FIPS OpenSSL.\n\nRequested by @jiridanek.' \
  --assignee jiridanek
```
@jiridanek Issue opened successfully → #1207 🚀
🧠 Learnings used
Learnt from: jiridanek
PR: opendatahub-io/notebooks#0
File: :0-0
Timestamp: 2025-06-16T11:32:09.203Z
Learning: In the opendatahub-io/notebooks repository, there is a known issue with missing `runtimes/rocm/pytorch/ubi9-python-3.11/kustomize/base/kustomization.yaml` file that causes rocm runtime tests to fail with "no such file or directory" error. This is tracked in JIRA RHOAIENG-22044 and was intended to be fixed in PR #1015.
Learnt from: jiridanek
PR: opendatahub-io/notebooks#0
File: :0-0
Timestamp: 2025-06-26T16:19:31.249Z
Learning: In the opendatahub-io/notebooks repository, the Playwright Docker image version in `.github/workflows/build-notebooks-TEMPLATE.yaml` (format: `mcr.microsoft.com/playwright:v1.53.1-noble`) must always match the `@playwright/test` version specified in the `tests/browser/package.json` file. Both versions need to be updated together to maintain consistency between CI/CD pipeline and project dependencies.
/hold updating pipfile.lock will not survive another round of locking, which is the reason we have random packages pinned in Pipfiles |
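As an added example (not code from the opendatahub-io/notebooks repository or from either bot in this thread), here is a small stdlib-only checker for the drift the CI flagged above and that the /hold is about: a package bumped in requirements.txt while Pipfile.lock still carries the old version and hash list. The parsing rules, function names and the sample inputs are this example's own assumptions; the two sha256 values in the requirements sample are taken from the PR diff, and the lockfile hashes are constructed placeholders.

```python
"""
Consistency check between a hash-pinned requirements.txt and Pipfile.lock.

Added example, not project code. It parses pip's `pkg==ver \ --hash=sha256:...`
format and pipenv's JSON lockfile into the same shape, then reports where
they disagree for one package.
"""
import json
import re

# "name==version; marker \" opens a pinned block; the following lines carry hashes
PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9_.-]*)==(?P<version>[^\s;\\]+)")
HASH_RE = re.compile(r"--hash=sha256:(?P<h>[0-9a-fA-F]{64})")


def normalize(name: str) -> str:
    """PEP 503 style normalisation so 'Cryptography' and 'cryptography' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> dict:
    """Return {name: {"version": str, "hashes": set}} from pip's --hash format."""
    pins, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if m:
            current = normalize(m.group("name"))
            pins[current] = {"version": m.group("version"), "hashes": set()}
        if current is not None:
            # hashes may sit on the pin line or on continuation lines below it
            pins[current]["hashes"].update(h.lower() for h in HASH_RE.findall(line))
    return pins


def parse_pipfile_lock(text: str) -> dict:
    """Flatten the 'default' and 'develop' sections of Pipfile.lock into the same shape."""
    lock = json.loads(text)
    pins = {}
    for section in ("default", "develop"):
        for name, entry in lock.get(section, {}).items():
            hashes = {h.split(":", 1)[1].lower()
                      for h in entry.get("hashes", []) if h.startswith("sha256:")}
            pins[normalize(name)] = {"version": entry.get("version", "").lstrip("="),
                                     "hashes": hashes}
    return pins


def find_drift(req_pins: dict, lock_pins: dict, package: str) -> list:
    """Return human-readable findings; an empty list means the two files agree."""
    name = normalize(package)
    findings = []
    if name not in req_pins:
        findings.append(f"{name}: not pinned in requirements.txt")
    if name not in lock_pins:
        findings.append(f"{name}: not present in Pipfile.lock")
    if findings:
        return findings
    req, lock = req_pins[name], lock_pins[name]
    if req["version"] != lock["version"]:
        findings.append(f"{name}: requirements.txt pins {req['version']} "
                        f"but Pipfile.lock pins {lock['version']}")
    if not req["hashes"]:
        findings.append(f"{name}: requirements.txt has no --hash entries "
                        "(a --require-hashes install would not be hash-checked)")
    elif req["hashes"] != lock["hashes"]:
        findings.append(f"{name}: sha256 sets differ "
                        f"({len(req['hashes'] ^ lock['hashes'])} hash(es) not shared)")
    return findings


# Constructed sample: requirements.txt after the Dependabot bump (hashes from the PR diff)
REQUIREMENTS_TXT = """\
cryptography==44.0.1; python_version >= '3.7' \\
    --hash=sha256:f18c716be16bc1fea8e95def49edf46b82fccaa88587a45f8dc0ff6ab5d8e0a7 \\
    --hash=sha256:f7b178f11ed3664fd0e995a47ed2b5ff0a12d893e41dd0494f406d1cf555cab7
"""

# Constructed sample: a Pipfile.lock that was NOT re-locked (placeholder hashes)
PIPFILE_LOCK = json.dumps({
    "default": {
        "cryptography": {
            "hashes": ["sha256:" + "0" * 64, "sha256:" + "1" * 64],
            "markers": "python_version >= '3.7'",
            "version": "==43.0.3",
        }
    },
    "develop": {},
})


def check_sample() -> list:
    """Run the check over the constructed files; returns the findings list."""
    return find_drift(parse_requirements(REQUIREMENTS_TXT),
                      parse_pipfile_lock(PIPFILE_LOCK), "cryptography")


if __name__ == "__main__":
    for line in check_sample() or ["OK: requirements.txt and Pipfile.lock agree"]:
        print(line)
```

In CI you would feed the real files to the two parsers and fail the job on a non-empty findings list. Comparing the hash sets, not only the version, matters because a `--require-hashes` install rejects any archive whose sha256 is absent from the list, so a version bump that reaches requirements.txt without the regenerated hashes fails at build time rather than silently pulling a different artifact.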
Bumps cryptography from 43.0.3 to 44.0.1.
Changelog
Sourced from cryptography's changelog.
Commits
- adaaaed Bump for 44.0.1 release (#12441)
- ccc61da [backport] test and build on armv7l (#12420) (#12431)
- f299a48 remove deprecated call (#12052)
- 439eb05 Bump version for 44.0.0 (#12051)
- 2c5ad4d chore(deps): bump maturin from 1.7.4 to 1.7.5 in /.github/requirements (#12050)
- d23968a chore(deps): bump libc from 0.2.165 to 0.2.166 (#12049)
- 133c0e0 Bump x509-limbo and/or wycheproof in CI (#12047)
- f2259d7 Bump BoringSSL and/or OpenSSL in CI (#12046)
- e201c87 fixed metadata in changelog (#12044)
- c6104cc Prohibit Python 3.9.0, 3.9.1 -- they have a bug that causes errors (#12045)
You can trigger a rebase of this PR by commenting @dependabot rebase.