Updated dependencies to reduce issues with dependabot and container scanning (#12180)

Modify updater.sh to remove the local path references.
John Westcott IV
2022-05-12 09:25:36 -04:00
committed by GitHub
parent 70697869d7
commit 78660ad0a2
10 changed files with 88 additions and 106 deletions


@@ -16,12 +16,6 @@ then run the script:
NOTE: `./updater.sh` uses /usr/bin/python3.6, to match the current python version
(3.6) used to build releases.
##### Note - watch out for the updater script, using paths local to your machine instead of generalized paths; ie
```bash
# via -r /awx_devel/requirements/requirements.in <-RIGHT
# via -r /home/foo/bar/awx/requirements/requirements.in <-WRONG
```
#### Upgrading Unpinned Dependency
If you require a new version of a dependency that does not have a pinned version


@@ -5,7 +5,7 @@ autobahn>=20.12.3 # CVE-2020-35678
azure-keyvault==1.1.0 # see UPGRADE BLOCKERs
channels
channels-redis>=3.1.0 # https://github.com/django/channels_redis/issues/212
cryptography>=35.0.0
cryptography>=36.0.2,<37.0.0 # Until paramiko fixes https://github.com/paramiko/paramiko/issues/2038 we don't want to go to 37 or we end up with blowfish warnings in the job output
Cython<3 # Since the bump to PyYAML 5.4.1 this is now a mandatory dep
daphne
distro
@@ -30,8 +30,9 @@ irc
jinja2>=2.11.3 # CVE-2020-28493
JSON-log-formatter
jsonschema
kubernetes>=12.0.0 # CVE-2020-1747
Markdown # used for formatting API help
openshift>=0.11.0 # minimum version to pull in new pyyaml for CVE-2017-18342
openshift>=0.12.0 # minimum version to pull in new pyyaml for CVE-2017-18342, minimum version to pull in new kubernetes for CVE-2020-1747
pexpect==4.7.0 # see library notes
prometheus_client
psycopg2
@@ -41,7 +42,7 @@ pyparsing
python3-saml==1.13.0
python-dsv-sdk
python-tss-sdk==1.0.0
python-ldap>=3.3.1 # https://github.com/python-ldap/python-ldap/issues/270
python-ldap>=3.4.0 # https://github.com/ansible/awx/security/dependabot/20
pyyaml>=5.4.1 # minimum to fix https://github.com/yaml/pyyaml/issues/478
receptorctl==1.1.1
schedule==0.6.0
@@ -49,10 +50,11 @@ social-auth-core==4.2.0 # see UPGRADE BLOCKERs
social-auth-app-django==5.0.0 # see UPGRADE BLOCKERs
redis
requests
sqlparse>=0.4.2 # Required by Django, pinning for CVE-2021-32839
slack-sdk
tacacs_plus==1.0 # UPGRADE BLOCKER: auth does not work with later versions
twilio
twisted[tls]>=20.3.0 # CVE-2020-10108, CVE-2020-10109
twisted[tls]>=22.4.0 # CVE-2020-10108, CVE-2020-10109, CVE-2022-21712 (https://github.com/ansible/awx/security/dependabot/46), https://github.com/ansible/awx/security/dependabot/53
uWSGI
uwsgitop
wheel


@@ -82,8 +82,6 @@ defusedxml==0.6.0
# via
# python3-openid
# social-auth-core
dictdiffer==0.8.1
# via openshift
distro==1.5.0
# via -r /awx_devel/requirements/requirements.in
django==3.2.13
@@ -153,7 +151,7 @@ idna==2.9
# requests
# twisted
# yarl
incremental==17.5.0
incremental==21.3.0
# via twisted
irc==18.0.0
# via -r /awx_devel/requirements/requirements.in
@@ -179,15 +177,15 @@ jaraco-text==3.2.0
# irc
# jaraco-collections
jinja2==3.0.3
# via
# -r /awx_devel/requirements/requirements.in
# openshift
# via -r /awx_devel/requirements/requirements.in
json-log-formatter==0.3.0
# via -r /awx_devel/requirements/requirements.in
jsonschema==3.2.0
# via -r /awx_devel/requirements/requirements.in
kubernetes==11.0.0
# via openshift
kubernetes==23.3.0
# via
# -r /awx_devel/requirements/requirements.in
# openshift
lockfile==0.12.2
# via python-daemon
lxml==4.7.0
@@ -223,7 +221,7 @@ oauthlib==3.2.0
# django-oauth-toolkit
# requests-oauthlib
# social-auth-core
openshift==0.11.0
openshift==0.13.1
# via -r /awx_devel/requirements/requirements.in
packaging==21.3
# via
@@ -260,8 +258,6 @@ pycparser==2.20
# via cffi
pygerduty==0.38.2
# via -r /awx_devel/requirements/requirements.in
pyhamcrest==2.0.2
# via twisted
pyjwt==2.3.0
# via
# adal
@@ -286,7 +282,7 @@ python-dateutil==2.8.1
# receptorctl
python-dsv-sdk==0.0.1
# via -r /awx_devel/requirements/requirements.in
python-ldap==3.3.1
python-ldap==3.4.0
# via
# -r /awx_devel/requirements/requirements.in
# django-auth-ldap
@@ -338,8 +334,6 @@ requests-oauthlib==1.3.1
# social-auth-core
rsa==4.7.2
# via google-auth
ruamel-yaml==0.16.10
# via openshift
schedule==0.6.0
# via -r /awx_devel/requirements/requirements.in
semantic-version==2.9.0
@@ -382,8 +376,10 @@ social-auth-core==4.2.0
# via
# -r /awx_devel/requirements/requirements.in
# social-auth-app-django
sqlparse==0.3.1
# via django
sqlparse==0.4.2
# via
# -r /awx_devel/requirements/requirements.in
# django
tacacs-plus==1.0
# via -r /awx_devel/requirements/requirements.in
tempora==2.1.0
@@ -394,7 +390,7 @@ tomli==2.0.1
# via setuptools-scm
twilio==6.37.0
# via -r /awx_devel/requirements/requirements.in
twisted[tls]==20.3.0
twisted[tls]==22.4.0
# via
# -r /awx_devel/requirements/requirements.in
# daphne
@@ -404,6 +400,7 @@ typing-extensions==3.10.0.2
# via
# aiohttp
# setuptools-rust
# twisted
urllib3==1.26.5
# via
# kubernetes


@@ -1,7 +1,7 @@
django-debug-toolbar==3.2.4
django-rest-swagger
# pprofile - re-add once https://github.com/vpelletier/pprofile/issues/41 is addressed
ipython==7.21.0
ipython>=7.31.1 # https://github.com/ansible/awx/security/dependabot/30
unittest2
black
pytest!=7.0.0


@@ -32,6 +32,7 @@ generate_requirements() {
}
main() {
base_dir=$(pwd)
_tmp="$(mktemp -d --suffix .awx-requirements XXXX -p /tmp)"
trap _cleanup INT TERM EXIT
@@ -44,7 +45,8 @@ main() {
generate_requirements
cp -vf requirements.txt "${requirements}"
echo "Changing $base_dir to /awx_devel/requirements"
cat requirements.txt | sed "s:$base_dir:/awx_devel/requirements:" > "${requirements}"
_cleanup
}
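Review bot: `$base_dir` is spliced unescaped into the sed expression on the last added line of the second hunk, so a working directory containing `:` (the chosen delimiter) or regex metacharacters such as `.` or `[` makes the substitution fail or match the wrong text, and because nothing checks that the path actually occurs in the file, a mismatch (for example a symlinked checkout where pip-compile recorded a different absolute path) silently writes the machine-local paths the README warns about. Verify the path is present before rewriting and drop the useless `cat`: `grep -qF -- "$base_dir" requirements.txt || { echo "expected $base_dir in requirements.txt" >&2; exit 1; }` followed by `sed "s|${base_dir}|/awx_devel/requirements|" requirements.txt > "${requirements}"`. If the `cp -vf requirements.txt "${requirements}"` line is still on the new side, it is redundant, since the sed redirection overwrites the same file immediately afterwards. `base_dir=$(pwd)` in the first hunk is also assigned as a global rather than `local`, and `main`'s body continues between the two hunks outside what is shown.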