Security vulnerabilities in LLVM's third-party dependencies

[vogelsgesang]

An automated security scan of 15.0.1 during upgrading our toolchain to 15.0.1 complained about the following dependencies

The relevant requirement files are:

• third-party/benchmark/requirements.txt
  • numpy==1.19.4 CVE-2021-41495, CVE-2021-41496
  • pandas==1.1.5 CVE-2020-13091
  • scipy==1.5.4 CVE-2018-1999024
• llvm/utils/git/requirements.txt
  • gitpython==3.1.26 Sonatype CWE 1333
  • pyjwt==2.3.0 CVE-2022-29217
• mlir/utils/vscode/package-lock.json
  • minimatch:3.0.4 Sonatype CWE 1333
• flang/examples/FlangOmpReport/requirements.txt
  • ruamel.yaml==0.17.16 CVE-2019-20478; this actually looks like a false positive in the scanner; the used version should no longer be impacted

From my understanding, none of those dependencies affect the security of the built LLVM libraries/tools. I would still appreciate if we can update those libraries to their latest versions, so next time around I will not need security excemptions to use LLVM

[keith]

Some fixed here https://reviews.llvm.org/D135531

[AlexeySachkov]

Some fixed here https://reviews.llvm.org/D135531

gitpython=3.1.28 should further be uplifted, see intel/llvm#7982 (CVE-2022-24439)

[vogelsgesang]

Updated security scan results for 17.0.0-rc1