Merge branch 'fixes/appsec-packages' into 'develop'

rstrahan · rstrahan · commit e1c570cde795 · 2025-09-12T13:55:24.000Z
Update IDP CLI dependencies to address security vulnerabilities

See merge request genaiic-reusable-assets/engagement-artifacts/genaiic-idp-accelerator!302
diff --git a/memory-bank/activeContext.md b/memory-bank/activeContext.md
@@ -2,9 +2,41 @@
 
 ## Current Task Status
 
-**Feature Implementation**: ✅ **COMPLETED** - Service Principal GovCloud Compatibility Updates
+**Security Vulnerability Mitigation**: ✅ **COMPLETED** - IDP CLI Dependency Security Updates
 
-## Feature Overview
+**Previous Task**: ✅ **COMPLETED** - Service Principal GovCloud Compatibility Updates
+
+## Security Vulnerability Mitigation Overview
+
+Successfully addressed critical security vulnerabilities in the IDP CLI development tool by updating vulnerable dependencies:
+
+### Issues Resolved:
+1. **urllib3 vulnerabilities (Medium severity - CVSS 5.3)**:
+   - CVE-2025-50181: Redirect handling bypass vulnerability
+   - CVE-2025-50182: Browser/Node.js redirect control issues
+   - Updated from version 2.3.0 → 2.5.0
+
+2. **tornado vulnerability (High severity - CVSS 7.5)**:
+   - CVE-2025-47287: DoS through multipart/form-data parser logging
+   - Updated from version 6.4.2 → 6.5.2
+
+### Implementation Details:
+- **Location**: `scripts/sdlc/idp-cli/` (Development CLI tool)
+- **Method**: Direct dependency version constraints in `pyproject.toml`
+- **Approach**: Added explicit version requirements to force secure versions
+- **Testing**: Verified dependency resolution and basic functionality
+
+### Files Modified:
+- `scripts/sdlc/idp-cli/pyproject.toml` - Added urllib3 >= 2.5.0 and tornado >= 6.5 constraints
+- `scripts/sdlc/idp-cli/poetry.lock` - Updated with new secure dependency versions
+
+### Security Status:
+- ✅ All identified vulnerabilities resolved
+- ✅ Dependencies updated to secure versions
+- ✅ Functionality verified
+- ✅ Low implementation risk (development tool only)
+
+## Previous Feature Overview (GovCloud Compatibility)
 
 Successfully updated all CloudFormation templates to replace hardcoded AWS service principals with dynamic expressions for GovCloud compatibility:
 
diff --git a/scripts/sdlc/idp-cli/poetry.lock b/scripts/sdlc/idp-cli/poetry.lock
diff --git a/scripts/sdlc/idp-cli/pyproject.toml b/scripts/sdlc/idp-cli/pyproject.toml
@@ -13,7 +13,8 @@ dependencies = [
     "typer (>=0.15.1,<0.16.0)",
     "loguru (>=0.7.3,<0.8.0)",
     "python-slugify (>=8.0.4,<9.0.0)",
-    "pytest (>=8.3.4,<9.0.0)"
+    "pytest (>=8.3.4,<9.0.0)",
+    "urllib3 (>=2.5.0,<3.0.0)"
 ]
 
 [tool.poetry]
@@ -24,6 +25,7 @@ idpcli = "idp_cli.cli.main:app"
 
 [tool.poetry.group.dev.dependencies]
 ipykernel = "^6.29.5"
+tornado = ">=6.5,<7.0"
 
 [build-system]
 requires = ["poetry-core>=2.0.0,<3.0.0"]
