Python Seldon Core Library dependency update

[ramonpzg]

What this PR does / why we need it:

The following are the CVEs addressed by this PR.
CVE-2023-46136 which deals with werkzeug
CVE-2023-49083 which addresses the cryptography library
werkzeug==3.0.4 and cryptography==43.0.1

[sakoush]

I left some comments about the policy to specify dependency ranges.

Also what tests have been performed to make sure things still work?

[sakoush]

should we just adjust the upper bound, why do we have to pin it to a particular version

[ahousley]

I suggest cryptography 41.0.6 as the lower bound since this is the patch version for CVE-2023-49083

Do you agree @sakoush and @gsunner?

[ahousley]

>=41.0.6, <=43.0.1

[sakoush]

Lets have a lower bound with the patched version we would want to have. It is unclear whether we have to have an upper bound, it depends on the tests.

[sakoush]

should we just bump up the upper version, why do we have to pin it to a particular version?

[ahousley]

does this range work based on the CVE patch versions?
>=2.3.8, <=3.0.4

@sakoush @gsunner

[sakoush]

Perhaps we can have only a min bound, i.e. >=2.3.8. Upper bound could be added if there are issues with tests.

[sakoush]

(not related to this PR but this comment might be stale)

[gsunner]

There are some failing tests.

V1 Python Tests / python-tests - is failing I think due the version of python in the ci environment and the new dependency changes.

To simulate the problem I used python 3.7.10 that the ci uses and attempted to apply the "werkzeug==3.0.4" update.

$ docker run --rm python:3.7.10 bash -c 'pip install "werkzeug==3.0.4"'
ERROR: Could not find a version that satisfies the requirement werkzeug==3.0.4 (from versions: 0.1, 0.2, 0.3, 0.3.1, 0.4, 0.4.1, 0.5, 0.5.1, 0.6, 0.6.1, 0.6.2, 0.7, 0.7.1, 0.7.2, 0.8, 0.8.1, 0.8.2, 0.8.3, 0.9, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.10, 0.10.1, 0.10.2, 0.10.4, 0.11, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.11.6, 0.11.7, 0.11.8, 0.11.9, 0.11.10, 0.11.11, 0.11.12, 0.11.13, 0.11.14, 0.11.15, 0.12, 0.12.1, 0.12.2, 0.13, 0.14, 0.14.1, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.15.4, 0.15.5, 0.15.6, 0.16.0, 0.16.1, 1.0.0rc1, 1.0.0, 1.0.1, 2.0.0rc1, 2.0.0rc2, 2.0.0rc3, 2.0.0rc4, 2.0.0rc5, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.1.1, 2.1.2, 2.2.0a1, 2.2.0, 2.2.1, 2.2.2, 2.2.3)
ERROR: No matching distribution found for werkzeug==3.0.4

Using python version 3.8 or later is what is needed if you want to use "werkzeug==3.0.4"

$ docker run --rm python:3.8.20 bash -c 'pip install "werkzeug==3.0.4"' 
Collecting werkzeug==3.0.4
  Downloading werkzeug-3.0.4-py3-none-any.whl (227 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 227.6/227.6 kB 4.3 MB/s eta 0:00:00
Collecting MarkupSafe>=2.1.1
  Downloading MarkupSafe-2.1.5-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (26 kB)
Installing collected packages: MarkupSafe, werkzeug
Successfully installed MarkupSafe-2.1.5 werkzeug-3.0.4

[gsunner]

There seem to be some inconsistencies in the way the the tests are applying the dependencies they share.

This may be due to there being two different containerized environments for the different tests. The version of python is different in each one.

$ # V1 Python Tests
$ docker run --rm seldonio/python-builder:0.8 python --version
Python 3.7.10

$ # V1 Docs Test
$ docker run --rm seldonio/core-builder:0.30 python --version
Python 3.8.10

[sakoush]

As werkzeug patch (2.3.8/3.0.4) requires python 3.8+, we also should change the minimum python version here

Also note that cryptography 41.0.6 has itself a high CVE, we should consider whether we can to move to 43.0.1 or higher.