Merge branch 'fix/resolve_vulnerabilities' into broadcast-link-checker-fix

Author: PhBouzid

.github/workflows/automatic-pr-labeler.yaml

@@ -24,7 +24,9 @@ jobs:
     if: (github.event.pull_request.merged == false) && (github.event.pull_request.user.login != 'dependabot[bot]') && (github.event.pull_request.user.login != 'github-actions[bot]')
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: "Execute assign labels"
         id: action-assign-labels
@@ -42,4 +44,4 @@ jobs:
             echo "⚠️ Pull request from fork! ⚠️";
             echo "Labels will not be applied to PR. Assign them manually please.";
             echo "Labels to assign: ${{ steps.action-assign-labels.outputs.labels-next }}";
-          } >> $GITHUB_STEP_SUMMARY
+          } >> "$GITHUB_STEP_SUMMARY"

.github/workflows/cla.yaml

@@ -7,13 +7,16 @@ on:
     types: [opened, closed, synchronize]
 
 permissions:
-  actions: write
   contents: read
-  pull-requests: write
-  statuses: write
 
 jobs:
   CLAAssistant:
+    if: github.event.pull_request.draft == false
+    permissions:
+      actions: write
+      contents: write
+      pull-requests: write
+      statuses: write
     runs-on: ubuntu-latest
     steps:
       - name: "CLA Assistant"

.github/workflows/link-checker.yaml

@@ -5,10 +5,6 @@ on:
   push: null
   repository_dispatch: null
   workflow_dispatch: null
-  pull_request:
-    branches: [main]
-    types:
-      [opened, reopened, synchronize]
 permissions:
   contents: read
 jobs:

.github/workflows/pr-conventional-commits.yaml

@@ -16,6 +16,8 @@ jobs:
     name: Conventional Commits
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - uses: webiny/action-conventional-commits@v1.3.0

.github/workflows/pr-lint-title.yaml

@@ -18,6 +18,6 @@ jobs:
     name: Validate PR title
     runs-on: ubuntu-latest
     steps:
-      - uses: amannn/action-semantic-pull-request@v5
+      - uses: amannn/action-semantic-pull-request@v6
         env:
           GITHUB_TOKEN: ${{ github.token }}

.github/workflows/super-linter.yaml

@@ -29,25 +29,70 @@ permissions:
   contents: read
 
 jobs:
+  prepare-configs:
+    runs-on: ubuntu-latest
+    steps:
+    - name: "Get the common linters configuration"
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        ref: main # fix/superlinter-config
+        repository: netcracker/.github
+        persist-credentials: false
+        sparse-checkout: |
+          config/linters
+    - name: "Upload the common linters configuration"
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      with:
+        name: linter-config
+        path: "${{ github.workspace }}/config"
+        include-hidden-files: true
   run-lint:
+    needs: [prepare-configs]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
+      # To report GitHub Actions status checks
+      statuses: write
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          # Full git history is needed to get a proper list of changed files within `super-linter`
-          fetch-depth: 0
+    - name: Checkout code
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        # Full git history is needed to get a proper list of changed files within `super-linter`
+        fetch-depth: 0
+        persist-credentials: false
+    - name: "Get the common linters configuration"
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      id: download
+      with:
+        name: linter-config
+        path: /tmp/linter-config
+    - name: "Apply the common linters configuration"
+      if: ${{ steps.download.outputs.download-path != '' }}
+      run: |
+        mkdir -p ./.github/linters
+        cp --update=none -vRT /tmp/linter-config/linters ./.github/linters
+
+    - name: "Load super-linter environment file"
+      shell: bash
+      run: |
+        # shellcheck disable=2086
+        if [ -f "${GITHUB_WORKSPACE}/.github/super-linter.env" ]; then
+          echo "Applying local linter environment:"
+          grep "\S" ${GITHUB_WORKSPACE}/.github/super-linter.env | grep -v "^#"
+          grep "\S" ${GITHUB_WORKSPACE}/.github/super-linter.env | grep -v "^#" >> $GITHUB_ENV
+        elif [ -f "/tmp/linter-config/linters/super-linter.env" ]; then
+          echo "::warning:: Local linter environment file .github/super-linter.env is not found"
+          echo "Applying common linter environment:"
+          grep "\S" /tmp/linter-config/linters/super-linter.env | grep -v "^#"
+          grep "\S" /tmp/linter-config/linters/super-linter.env | grep -v "^#" >> $GITHUB_ENV
+        fi
 
-      - name: "Load super-linter environment file"
-        run: |
-          # shellcheck disable=2086
-          if [ -f "./.github/super-linter.env" ]; then
-            grep "\S" ./.github/super-linter.env | grep -v "^#"
-            grep "\S" ./.github/super-linter.env | grep -v "^#" >> $GITHUB_ENV
-          fi
+    - name: Lint Code Base
+      uses: super-linter/super-linter/slim@ffde3b2b33b745cb612d787f669ef9442b1339a6 # v8.1.0
+      env:
+        VALIDATE_ALL_CODEBASE: ${{ inputs.full_scan || false }}
+        # To report GitHub Actions status checks
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        DEFAULT_BRANCH: ${{ github.event.pull_request.base.ref || github.event.push.ref }}
 
-      - name: Lint Code Base
-        uses: super-linter/super-linter@v7
-        env:
-          VALIDATE_ALL_CODEBASE: ${{ inputs.full_scan || false }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.qubership/grand-report.json

@@ -0,0 +1,12 @@
+{
+  "exclusions" : [ {
+    "t-hash" : "14ff48a222e433c0dc21ba755e1990034a4c35e1e9bde940516f190323a73619",
+    "f-hash" : "a82fe1c8cecf4df558b8f06a146f9857d7706e9dbda4df8b84a559c857255332"
+  }, {
+    "t-hash" : "9a012439f50df45095bcebd75aa1efe2615c1f28c137c55cfbef11f9d9ceb730",
+    "f-hash" : "eca12c0a30e25b4b46522ebf89465a03ba72a03f540796c979137931d8f92055"
+  }, {
+    "t-hash" : "322aa41d6d24e719b096f97c792be784ef4b494d6f4ec2dacaa58f4f2941d2db",
+    "f-hash" : "f6ed156e4bf5c791680662464b94ea5d753f219ee816b385f67870e2c0d7d4c7"
+  } ]
+}

alpine/Dockerfile

@@ -4,8 +4,8 @@ ENV BACKUP_DAEMON_HOME=/opt/backup
 ENV S3_CERT_PATH_INTERNAL=/s3CertInternal
 
 ARG PY_APSW_VER="3.40.1.0"
-ARG PIP="22.2.0"
-ARG SETUPTOOLS="78.1.1"
+ARG PIP="25.3"
+ARG SETUPTOOLS="80.9.0"
 ARG TMP_DIR="/tmp"
 
 COPY requirements.txt ${BACKUP_DAEMON_HOME}/

requirements.txt

@@ -2,8 +2,8 @@ aniso8601==9.0.1
 appdirs==1.4.4
 apsw==3.40.1.0
 attrs==21.4.0
-boto3==1.28.62
-botocore==1.31.62
+boto3==1.34.63
+botocore==1.34.63
 CacheControl==0.12.10
 certifi==2024.7.4
 charset-normalizer==2.0.7
@@ -19,7 +19,7 @@ flask-restx==1.1.0
 html5lib==1.1
 idna==3.7
 itsdangerous==2.0.1
-Jinja2==3.1.5
+Jinja2==3.1.6
 jmespath==0.10.0
 jsonschema==4.4.0
 lockfile==0.12.2
@@ -37,12 +37,12 @@ pyrsistent==0.18.1
 python-dateutil==2.8.2
 pytz==2021.3
 PyYAML==6.0.1
-requests==2.31.0
+requests==2.32.4
 retrying==1.3.3
-s3transfer==0.7.0
+s3transfer==0.10.0
 six==1.16.0
 toml==0.10.2
 tomli==1.2.2
-urllib3==2.0.6
+urllib3==2.6.3
 webencodings==0.5.1
-Werkzeug==3.0.6
+Werkzeug==3.1.5

src/db.py

@@ -13,6 +13,7 @@
 # limitations under the License.
 
 import logging
+import threading
 import apsw
 
 
@@ -29,6 +30,8 @@ class DbException(Exception):
 
 
 class DB:
+    _lock = threading.Lock()
+    
     def __init__(self, dbfile):
         """
         Create a connection to sqlite database
@@ -41,7 +44,7 @@ def __init__(self, dbfile):
         self.__dbfile = dbfile
         try:
             log.debug("Database file: %s" % self.__dbfile)
-            self.__cursor = DB.__create_connection(dbfile).cursor()
+            self.__conn = DB.__create_connection(dbfile)
         except apsw.Error as err:
             log.exception("Database error during init: %s" % err)
             raise DbException("Database error during init")
@@ -67,24 +70,27 @@ def __create_connection(db_file):
 
     def __create_table(self, query):
         try:
-            self.__cursor.execute(query)
+            cursor = self.__conn.cursor()
+            with cursor:
+                cursor.execute(query)
         except apsw.Error as err:
             log.exception("Database Error: %s" % err)
             return 0
 
     @staticmethod
     def __log_and_execute(cursor, sql, args):
-        log.debug("SQL command: " + sql.replace('?', '%s') % args)
-        cursor.execute(sql, args)
+        with DB._lock:
+            log.debug("SQL command: " + sql.replace('?', '%s') % args)
+            cursor.execute(sql, args)
 
     def __insert_or_delete(self, query, params, login=False):
         try:
             if login:
                 cursor = DB.__create_connection(self.__dbfile).cursor()
             else:
-                cursor = self.__cursor
-
-            DB.__log_and_execute(cursor, query, params)
+                cursor = self.__conn.cursor()
+            with cursor:
+                DB.__log_and_execute(cursor, query, params)
             return 1
         except apsw.Error as err:
             log.exception("Database Error: %s" % err)
@@ -95,10 +101,10 @@ def __select(self, query, params, login=False):
             if login:
                 cursor = DB.__create_connection(self.__dbfile).cursor()
             else:
-                cursor = self.__cursor
-
-            DB.__log_and_execute(cursor, query, params)
-            return cursor.fetchall()
+                cursor = self.__conn.cursor()
+            with cursor:
+                DB.__log_and_execute(cursor, query, params)
+                return cursor.fetchall()
         except apsw.Error as err:
             log.exception("Database Error: %s" % err)
             return None