Update dependency python #108

GitHub Actions workflows and Dockerfile were updated to Python 3.13, presenting potential compatibility and stability risks due to using a pre-stable Python version without comprehensive validation.

Expand for full summary

Summary: GitHub Actions workflows and Dockerfile were updated to use Python 3.13, involving version changes across multiple configuration files with potential compatibility considerations.

Security Findings:

Python Version Compatibility Risk
- Using an unreleased/pre-stable Python version (3.13)
- Potential risks of unexpected behavior in build/test processes
- May introduce dependency compatibility issues
Workflow Configuration Uncertainty
- Changing Python versions without full validation
- Potential for introducing unverified dependencies
- Risk of pipeline instability with non-LTS Python release

No direct critical security vulnerabilities were identified, but the version changes require thorough compatibility testing before implementation.

View PR in the DryRun Dashboard.

dryrunsecurity · 2025-04-29T01:41:51Z

This pull request involves upgrading Python versions to 3.13 across GitHub Actions workflows and Dockerfiles, with a focus on using stable images and specific SHA256 digests to enhance supply chain security, and while potential version upgrade risks were noted, no concrete security vulnerabilities were identified.

⚠️ Potential Version Upgrade Risk in .github/workflows/build.yml

Vulnerability	Potential Version Upgrade Risk
Description	The GitHub Actions workflows and Dockerfile are being updated to use Python 3.13. While version upgrades can introduce compatibility risks, the suggested vulnerabilities are overly speculative. There's no concrete evidence of a specific security vulnerability introduced by this upgrade. The changes appear to be a routine version update, potentially to leverage newer Python features or security patches.

scsctl/.github/workflows/build.yml

Lines 23 to 29 in 99bdbee

    
               - name: Set up Python 3.10 
        
                 uses: actions/setup-python@v3 
        
                 with: 
        
                   python-version: "3.13" 
        
               - name: Install dependencies 
        
                 run: | 
        
                   python -m pip install --upgrade pip

⚠️ Potential Version Upgrade Risk in .github/workflows/python-app.yml

Vulnerability	Potential Version Upgrade Risk
Description	Similar to the previous hunk, this workflow update to Python 3.13 is a routine version change. The suggestion raises hypothetical compatibility concerns, but does not identify a specific, tangible security vulnerability. Without concrete evidence of a security issue, this should not be treated as a vulnerability.

scsctl/.github/workflows/python-app.yml

Lines 22 to 28 in 99bdbee

    
               - name: Set up Python 3.10 
        
                 uses: actions/setup-python@v3 
        
                 with: 
        
                   python-version: "3.13" 
        
               - name: Install dependencies 
        
                 run: | 
        
                   python -m pip install --upgrade pip

⚠️ Base Image Update in Dockerfile

Vulnerability	Base Image Update
Description	The Dockerfile is updated from a beta Python 3.12 image to a Python 3.13 slim image. While beta releases can pose risks, the upgrade to a stable version is generally a positive security practice. The use of a specific SHA256 digest provides additional supply chain security by ensuring the exact image version is used.

scsctl/Dockerfile

Lines 1 to 4 in 99bdbee

    
           FROM python:3.13-slim as build 
        
           RUN apt-get update 
        
           RUN apt-get install -y --no-install-recommends build-essential gcc

⚠️ Base Image Update in Dockerfile

Vulnerability	Base Image Update
Description	Identical to the previous hunk, this Dockerfile update replaces a beta Python image with a stable Python 3.13 slim image. The specific image digest helps mitigate supply chain risks by ensuring a consistent, verifiable base image.

scsctl/Dockerfile

Lines 29 to 35 in 99bdbee

    
           RUN pip install -r requirements.txt 
        
           # FROM python:3.12.0b3-slim@sha256:8e3ef64883278384c49293caf631d614b4bfdac7bb494d44e17cf2d711ce2652 
        
           FROM python:3.13-slim@sha256:d97b595c5f4ac718102e5a5a91adaf04b22e852961a698411637c718d45867c8 
        
           RUN groupadd -g 999 python && \ 
        
               useradd -r -u 999 -g python python

All finding details can be found in the DryRun Security Dashboard.

dryrunsecurity · 2025-06-11T03:56:16Z

This pull request uses an unpinned base image (python:3.13-slim) in the Dockerfile build stage, and because the Python virtualenv and dependencies are built there and copied into the final (pinned) image, it creates a supply-chain risk if that floating tag is later replaced with a malicious or vulnerable image; this finding is non-blocking. Consider pinning the build-stage base image to a digest (or rebuilding/installing dependencies in the pinned final stage) to mitigate the risk.

Supply Chain Security - Unpinned Base Image in Dockerfile

Vulnerability	Supply Chain Security - Unpinned Base Image
Description	The 'build' stage of the Dockerfile uses a floating tag `python:3.13-slim` as its base image. Although the final stage is pinned, the Python virtual environment, including all installed dependencies, is built in this unpinned 'build' stage and then copied to the final image. This creates a supply chain risk because if the `python:3.13-slim` tag is updated in the Docker registry with a malicious or vulnerable image, those compromised dependencies will be included in the final container image.

scsctl/Dockerfile

Lines 1 to 4 in f76cb85

    
           FROM python:3.13-slim as build 
        
           RUN apt-get update 
        
           RUN apt-get install -y --no-install-recommends build-essential gcc

All finding details can be found in the DryRun Security Dashboard.

Warning

Your DryRun Security account will expire on August 31, 2025. Contact [email protected] to avoid service interruption.

renovate bot force-pushed the renovate/python-3.x branch from 76afdb1 to 010fe53 Compare March 18, 2025 07:36

renovate bot force-pushed the renovate/python-3.x branch 4 times, most recently from 3c02a3b to e8f4317 Compare April 9, 2025 07:03

renovate bot force-pushed the renovate/python-3.x branch from e8f4317 to 0432299 Compare April 29, 2025 01:41

renovate bot force-pushed the renovate/python-3.x branch 3 times, most recently from 844e227 to 8a6c864 Compare April 30, 2025 02:42

renovate bot force-pushed the renovate/python-3.x branch from 8a6c864 to df88f9c Compare May 10, 2025 05:54

renovate bot force-pushed the renovate/python-3.x branch 3 times, most recently from 68debdf to e76a6b6 Compare May 22, 2025 17:42

renovate bot force-pushed the renovate/python-3.x branch 2 times, most recently from 99bdbee to d462ebb Compare June 11, 2025 03:55

renovate bot force-pushed the renovate/python-3.x branch 5 times, most recently from 5f41905 to b236106 Compare June 13, 2025 05:19

renovate bot force-pushed the renovate/python-3.x branch 3 times, most recently from c09be00 to 924a068 Compare July 1, 2025 20:47

renovate bot force-pushed the renovate/python-3.x branch 4 times, most recently from b484b94 to 536f558 Compare July 23, 2025 22:50

renovate bot force-pushed the renovate/python-3.x branch 6 times, most recently from 176ede4 to a399656 Compare August 13, 2025 19:10

renovate bot force-pushed the renovate/python-3.x branch 4 times, most recently from 95dff8e to c2100f6 Compare August 18, 2025 20:42

renovate bot force-pushed the renovate/python-3.x branch 2 times, most recently from ff46263 to f76cb85 Compare September 9, 2025 10:24

Update dependency python

ba477a7

renovate bot force-pushed the renovate/python-3.x branch from f76cb85 to ba477a7 Compare September 13, 2025 23:41

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Update dependency python #108

Update dependency python #108

renovate bot commented Mar 11, 2025 •

edited

Loading

Uh oh!

dryrunsecurity bot commented Mar 11, 2025 •

edited

Loading

Uh oh!

dryrunsecurity bot commented Apr 29, 2025 •

edited

Loading

Uh oh!

dryrunsecurity bot commented Jun 11, 2025 •

edited

Loading

Uh oh!

Uh oh!

Update dependency python #108

Are you sure you want to change the base?

Update dependency python #108

Conversation

renovate bot commented Mar 11, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

v3.13.7: 3.13.7

v3.13.6: 3.13.6

v3.13.5: 3.13.5

v3.13.4: 3.13.4

v3.13.3: 3.13.3

v3.13.2: 3.13.2

v3.13.1: 3.13.1

v3.13.0: 3.13.0

v3.12.11: 3.12.11

v3.12.10: 3.12.10

v3.12.9: 3.12.9

v3.12.8: 3.12.8

v3.12.7: 3.12.7

v3.12.6: 3.12.6

v3.12.5: 3.12.5

v3.12.4: 3.12.4

v3.12.3: 3.12.3

v3.12.2: 3.12.2

v3.12.1: 3.12.1

v3.12.0: 3.12.0

v3.11.13: 3.11.13

v3.11.12: 3.11.12

v3.11.11: 3.11.11

v3.11.10: 3.11.10

v3.11.9: 3.11.9

v3.11.8: 3.11.8

v3.11.7: 3.11.7

v3.11.6: 3.11.6

v3.11.5: 3.11.5

v3.11.4: 3.11.4

v3.11.3: 3.11.3

v3.11.2: 3.11.2

v3.11.1: 3.11.1

v3.11.0: 3.11.0

Configuration

Uh oh!

dryrunsecurity bot commented Mar 11, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

DryRun Security Summary

Uh oh!

dryrunsecurity bot commented Apr 29, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

dryrunsecurity bot commented Jun 11, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

renovate bot commented Mar 11, 2025 •

edited

Loading

`v3.13.7`: 3.13.7

`v3.13.6`: 3.13.6

`v3.13.5`: 3.13.5

`v3.13.4`: 3.13.4

`v3.13.3`: 3.13.3

`v3.13.2`: 3.13.2

`v3.13.1`: 3.13.1

`v3.13.0`: 3.13.0

`v3.12.11`: 3.12.11

`v3.12.10`: 3.12.10

`v3.12.9`: 3.12.9

`v3.12.8`: 3.12.8

`v3.12.7`: 3.12.7

`v3.12.6`: 3.12.6

`v3.12.5`: 3.12.5

`v3.12.4`: 3.12.4

`v3.12.3`: 3.12.3

`v3.12.2`: 3.12.2

`v3.12.1`: 3.12.1

`v3.12.0`: 3.12.0

`v3.11.13`: 3.11.13

`v3.11.12`: 3.11.12

`v3.11.11`: 3.11.11

`v3.11.10`: 3.11.10

`v3.11.9`: 3.11.9

`v3.11.8`: 3.11.8

`v3.11.7`: 3.11.7

`v3.11.6`: 3.11.6

`v3.11.5`: 3.11.5

`v3.11.4`: 3.11.4

`v3.11.3`: 3.11.3

`v3.11.2`: 3.11.2

`v3.11.1`: 3.11.1

`v3.11.0`: 3.11.0

dryrunsecurity bot commented Mar 11, 2025 •

edited

Loading

dryrunsecurity bot commented Apr 29, 2025 •

edited

Loading

dryrunsecurity bot commented Jun 11, 2025 •

edited

Loading