
fix(deps): consolidate vulnerable package remediation #657

Merged
bindsi merged 1 commit into main from fix/consolidate-vuln-packages on Jul 1, 2026

Conversation

@katriendg (Collaborator)

Description

This PR folds several outstanding dependency-update PRs into a single, coherent vulnerable-package remediation commit. It moves the Python and Rust dependency stacks forward, centralizes the dependency-review policy, and suppresses one transitive advisory consistently across every security scanner the repository runs.

The work spans three distinct areas: a coordinated OpenTelemetry uplift across the Rust telemetry services, Python dependency bumps for checkov and the ROS2 connector, and security-scanner configuration changes that consolidate suppression policy into a dedicated config file.

Rust OpenTelemetry migration

Migrated the OpenTelemetry family from 0.29.x to 0.32.x across three services — 501-rust-telemetry/services/receiver, 501-rust-telemetry/services/sender, and 504-mqtt-otel-trace-exporter — with matching pins in each Cargo.toml and regenerated Cargo.lock.

  • Bumped opentelemetry 0.29.1 → 0.32.0, opentelemetry-http 0.29.0 → 0.32.0, opentelemetry-otlp 0.29.0 → 0.32.0 (retaining grpc-tonic), opentelemetry-proto 0.29.0 → 0.32.0, opentelemetry_sdk 0.29.0 → 0.32.1, and tracing-opentelemetry 0.30.0 → 0.33.0.
  • Dropped the explicit rt-tokio feature on opentelemetry_sdk in each manifest, reflecting the newer SDK's async-runtime feature reorganization.
  • Pulled the transport stack forward: tonic 0.12.3 → 0.14.6, prost/prost-derive 0.13.5 → 0.14.4, and reqwest 0.12.28 → 0.13.4.
  • Added new transitive crates (portable-atomic 1.13.1, prost-types 0.14.4, tonic-prost 0.14.6, tonic-types 0.14.6) and consolidated duplicates by removing indexmap 1.9.3 (and hashbrown 0.12.3), glob 0.3.3, ryu 1.0.23, and serde_urlencoded 0.7.1, collapsing the dual tower graph into a single version.
  • Adapted a breaking API in 501-rust-telemetry/services/receiver/src/otel.rs: span.set_parent(cx) now returns a Result, so the call site logs a tracing::warn! on failure rather than assuming success.

Python dependency bumps

  • Bumped root checkov ~=3.2.529 → ~=3.3.6 in requirements.in and regenerated requirements.txt, which added ecdsa 0.19.2 (pulled in via checkov) and moved aiohttp 3.14.1 → 3.13.5 as a transitive consequence of the new constraint.
  • Raised the ROS2 connector pins in 506-ros2-connector/services/requirements.base.in: numpy >=2.4.6 → >=2.5.0, pytest 9.0.3 → 9.1.1, pytest-asyncio 1.3.0 → 1.4.0. The regenerated requirements.base.txt also normalized its # via -r annotations to repo-root-relative paths, indicating pip-compile was re-run from the repository root.

Security scanner configuration

  • Added .github/dependency-review-config.yml and reworked the Dependency Review step in .github/workflows/pr-validation.yml to reference it via config-file instead of inline with: parameters.
  • Suppressed the ecdsa Minerva timing-attack advisory (GHSA-wj6h-64fc-37mp / CVE-2024-23342, P-256, no upstream fix, transitive via checkov) in parallel across .grype.yaml, osv-scanner.toml, and the new dependency-review config, each carrying matching justification and a shared "re-evaluate when checkov drops ecdsa" exit condition.

Related Issue

Fixes #656

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Blueprint modification or addition
  • Component modification or addition
  • Documentation update
  • CI/CD pipeline change
  • Other (please describe): Dependency and vulnerable-package remediation across Python and Rust services

Implementation Details

Consolidated multiple dependency PRs into one commit. The OpenTelemetry uplift kept each service's Cargo.toml and Cargo.lock tightly aligned (for example, opentelemetry_sdk pinned to 0.32.1 in both), and lockfile churn favored graph simplification by eliminating duplicate crate versions rather than introducing behavioral change. The single required source change was the set_parent fallibility adaptation in the receiver.

Security suppressions were applied once per scanner (grype, osv-scanner, dependency-review) with identical rationale, and the dependency-review policy was externalized from the workflow YAML into a version-controlled config file to reduce duplication.

Testing Performed

  • Terraform plan/apply
  • Blueprint deployment test
  • Unit tests
  • Integration tests
  • Bug fix includes regression test (see Test Policy)
  • Manual validation
  • Other: cargo clippy --all-targets and cargo test run against the receiver and mqtt-otel-trace-exporter services after the OpenTelemetry update

Validation Steps

  1. From each updated Rust service directory (receiver, sender, mqtt-otel-trace-exporter), run cargo clippy --all-targets and cargo test.
  2. Confirm the Python lockfiles resolve: pip install -r requirements.txt and the regenerated 506-ros2-connector requirements.base.txt.
  3. Verify the Dependency Review, grype, and osv-scanner steps pass in CI with the ecdsa advisory suppressed via the shared config.

Checklist

  • I have updated the documentation accordingly
  • I have added tests to cover my changes
  • All new and existing tests passed
  • I have run terraform fmt on all Terraform code
  • I have run terraform validate on all Terraform code
  • I have run az bicep format on all Bicep code
  • I have run az bicep build to validate all Bicep code
  • I have checked for any sensitive data/tokens that should not be committed
  • Lint checks pass (run applicable linters for changed file types)

Security Review

  • No credentials, secrets, or tokens are hardcoded or logged
  • RBAC and identity changes follow least-privilege principles
  • No new network exposure or public endpoints introduced without justification
  • Dependency additions or updates have been reviewed for known vulnerabilities
  • Container image changes use pinned digests or SHA references

Additional Notes

  • The aiohttp 3.14.1 → 3.13.5 move is a transitive consequence of the checkov 3.3.6 constraint (marked # via checkov), not a deliberate direct pin: checkov 3.3.6 (latest release) declares aiohttp<3.14.0,>=3.8.0.
  • Externalizing the dependency-review allow-list into .github/dependency-review-config.yml dropped a prior inline issue #641 comment reference from pr-validation.yml.
  • The ecdsa suppression carries a re-evaluation trigger: it should be revisited once checkov drops its ecdsa dependency.

Screenshots (if applicable)

Bump checkov to 3.3.6 (root) and numpy/pytest/pytest-asyncio in the
ros2-connector, and migrate opentelemetry_sdk 0.29->0.32.1 across the
telemetry sender/receiver and mqtt-otel-trace-exporter services.

Suppress the transitive ecdsa timing-attack finding
(GHSA-wj6h-64fc-37mp, no upstream fix) in .grype.yaml and
osv-scanner.toml, and centralize the dependency-review allow-list out
of pr-validation.yml into .github/dependency-review-config.yml.

Handle the new Result from span.set_parent in the receiver otel setup.
@katriendg katriendg requested a review from a team July 1, 2026 12:12
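As an added illustration (constructed here, not the PR's actual files), this is the shape the YAML side of the suppression takes: the externalized dependency-review config, the workflow step that points at it via config-file, and the matching grype ignore rule, all carrying the same GHSA id and the same re-evaluation note (the osv-scanner.toml entry is the TOML equivalent). The severity threshold, step name, action version tag and the `python` package type are assumptions.

```yaml
# .github/dependency-review-config.yml (constructed example)
# Policy lives here instead of inline `with:` parameters in the workflow,
# so the allow-list is versioned and reviewed like any other file.
fail-on-severity: moderate            # assumed threshold, not taken from the PR
comment-summary-in-pr: always
allow-ghsas:
  # ecdsa: Minerva timing attack on P-256 (CVE-2024-23342). No upstream fix;
  # reachable only transitively via checkov. Re-evaluate when checkov drops ecdsa.
  - GHSA-wj6h-64fc-37mp
---
# .github/workflows/pr-validation.yml, Dependency Review step only
# (assumed step name and version tag; the repo may pin the action by SHA)
- name: Dependency Review
  uses: actions/dependency-review-action@v4
  with:
    config-file: ./.github/dependency-review-config.yml
---
# .grype.yaml (constructed example): same advisory, same justification,
# scoped to the one package so the rule cannot mask a different finding.
ignore:
  # ecdsa: Minerva timing attack on P-256 (CVE-2024-23342). No upstream fix;
  # reachable only transitively via checkov. Re-evaluate when checkov drops ecdsa.
  - vulnerability: GHSA-wj6h-64fc-37mp
    package:
      name: ecdsa
      type: python
```

Keeping the identical comment in every scanner config is what makes the shared "re-evaluate when checkov drops ecdsa" exit condition greppable later.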
codecov-commenter commented Jul 1, 2026

Codecov Report

❌ Patch coverage is 0% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 31.79%. Comparing base (6a344ea) to head (b56dbb5).

Files with missing lines Patch % Lines
...n/501-rust-telemetry/services/receiver/src/otel.rs 0.00% 3 Missing ⚠️

@@            Coverage Diff             @@
##             main     #657      +/-   ##
==========================================
- Coverage   31.80%   31.79%   -0.02%     
==========================================
  Files          40       40              
  Lines        6015     6017       +2     
==========================================
  Hits         1913     1913              
- Misses       4102     4104       +2     
Flag Coverage Δ
rust 31.79% <0.00%> (-0.02%) ⬇️

Flags with carried forward coverage won't be shown.

Files with missing lines Coverage Δ
...n/501-rust-telemetry/services/receiver/src/otel.rs 46.28% <0.00%> (-0.78%) ⬇️

@bindsi bindsi merged commit 1de9545 into main Jul 1, 2026
61 checks passed
@bindsi bindsi deleted the fix/consolidate-vuln-packages branch July 1, 2026 12:53


Development

Successfully merging this pull request may close these issues.

fix: consolidate open dependency PRs into one vulnerable-package remediation
