Merge pull request #1213 from newrelic/add-trivy

Add Trivy to CI

Author: hmstepanek

.github/workflows/tests.yml

@@ -54,6 +54,47 @@ jobs:
       - name: Success
         run: echo "Success!"
 
+  # Upload Trivy data
+  trivy:
+    if: success() || failure() # Does not run on cancelled workflows
+    runs-on: ubuntu-20.04
+    needs:
+      - tests
+
+    steps:
+      # Git Checkout
+      - name: Checkout Code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # 4.1.1
+        with:
+          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
+          fetch-depth: 0
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        if: ${{ github.event_name == 'pull_request' }}
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: table
+          exit-code: 1
+          severity: 'CRITICAL,HIGH,MEDIUM,LOW'
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        if: ${{ github.event_name == 'schedule' }}
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH,MEDIUM,LOW'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        if: ${{ github.event_name == 'schedule' }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
+
   # Combine and upload coverage data
   coverage:
     if: success() || failure() # Does not run on cancelled workflows

newrelic/packages/requirements.txt

@@ -3,6 +3,6 @@
 # This file is used by dependabot to keep track of and recommend updates
 # to the New Relic Python Agent's dependencies in newrelic/packages/.
 opentelemetry_proto==1.0.0
-urllib3==1.26.18
+urllib3==1.26.19
 wrapt==1.16.0
 asgiref==3.6.0  # We only vendor asgiref.compatibility.py

newrelic/packages/urllib3/LICENSE.txt

@@ -19,6 +19,22 @@
 from .util.timeout import Timeout
 from .util.url import get_host
 
+# === NOTE TO REPACKAGERS AND VENDORS ===
+# Please delete this block, this logic is only
+# for urllib3 being distributed via PyPI.
+# See: https://github.com/urllib3/urllib3/issues/2680
+try:
+    import urllib3_secure_extra  # type: ignore # noqa: F401
+except ImportError:
+    pass
+else:
+    warnings.warn(
+        "'urllib3[secure]' extra is deprecated and will be removed "
+        "in a future release of urllib3 2.x. Read more in this issue: "
+        "https://github.com/urllib3/urllib3/issues/2680",
+        category=DeprecationWarning,
+        stacklevel=2,
+    )
 
 __author__ = "Andrey Petrov ([email protected])"
 __license__ = "MIT"

newrelic/packages/urllib3/__init__.py

@@ -1,2 +1,2 @@
 # This file is protected via CODEOWNERS
-__version__ = "1.26.18"
+__version__ = "1.26.19"

newrelic/packages/urllib3/_version.py

@@ -68,7 +68,7 @@ class BrokenPipeError(Exception):
 
 # When it comes time to update this value as a part of regular maintenance
 # (ie test_recent_date is failing) update it to ~6 months before the current date.
-RECENT_DATE = datetime.date(2022, 1, 1)
+RECENT_DATE = datetime.date(2024, 1, 1)
 
 _CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")
 
@@ -437,7 +437,7 @@ def connect(self):
             and self.ssl_version is None
             and hasattr(self.sock, "version")
             and self.sock.version() in {"TLSv1", "TLSv1.1"}
-        ):
+        ):  # Defensive:
             warnings.warn(
                 "Negotiating TLSv1/TLSv1.1 by default is deprecated "
                 "and will be disabled in urllib3 v2.0.0. Connecting to "

newrelic/packages/urllib3/connection.py

@@ -768,7 +768,9 @@ def _is_ssl_error_message_from_http_proxy(ssl_error):
                 # so we try to cover our bases here!
                 message = " ".join(re.split("[^a-z]", str(ssl_error).lower()))
                 return (
-                    "wrong version number" in message or "unknown protocol" in message
+                    "wrong version number" in message
+                    or "unknown protocol" in message
+                    or "record layer failure" in message
                 )
 
             # Try to detect a common user error with proxies which is to

newrelic/packages/urllib3/connectionpool.py

@@ -235,7 +235,9 @@ class Retry(object):
     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
 
     #: Default headers to be used for ``remove_headers_on_redirect``
-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
+        ["Cookie", "Authorization", "Proxy-Authorization"]
+    )
 
     #: Maximum backoff time.
     DEFAULT_BACKOFF_MAX = 120