Security vulnerabilities in 17.0.0-rc1

[vogelsgesang]

An automated security scan of 17.0.0-rc1 complained about the following dependencies

The relevant requirement files are:

• llvm/utils/git/requirements.txt
  • certifi==2023.5.7 CVE-2023-3792 ; Security advisory
  • requests==2.28.1 CVE-2023-32681
• mlir/utils/vscode/package-lock.json
  • minimatch:3.0.4 Sonatype CWE 1333
  • semver:7.3.7 CVE-2022-25883
• third-party/benchmark/requirements.txt
  • numpy==1.19.4 CVE-2021-41495, CVE-2021-41496
  • pandas==1.1.5 CVE-2020-13091
  • scipy==1.5.4 CVE-2018-1999024
• flang/examples/FlangOmpReport/requirements.txt
  • ruamel.yaml==0.17.16 CVE-2019-20478; this actually looks like a false positive in the scanner; the used version should no longer be impacted; but I guess upgrading to the latest version 0.17.32 can't hurt

(Previously reported in #57907 (comment) ; splitting this off as a separate issue as requested on Discourse)

[vogelsgesang]

Tagging potential owners of the requirements files based on git log

• @tstellar re llvm/utils/git/requirements.txt
• @River707 re mlir/utils/vscode/package-lock.json
• @mtrofin re third-party/benchmark/requirements.txt
• @Sezoir @banach-space re flang/examples/FlangOmpReport/requirements.txt

Would be great if you could take a quick look at the dependencies, and upgrade them if possible

[mtrofin]

For third-party/benchmark/requirements.txt - https://reviews.llvm.org/D157101

(It's just a refresh from the upstream google/benchmark repo)

[tru]

https://reviews.llvm.org/D157254 for llvm/utils/git

[tru]

@vogelsgesang maybe this is a bit unrelated to this - but it would be nice to have the actions run this check somehow.

[vogelsgesang]

it would be nice to have the actions run this check somehow

Agree. I am not sure how to do this, though. The tool we are internally using is proprietary, and we are only scanning LLVM's source code when I am about to upgrade to a new version. I will reach out to the security team internally to figure out if they have an idea how to automate this

[pogo59]

Does github allow a project to enable dependabot? The GHE instance that Sony runs internally does that.

[tru]

@tstellar could we enable dependabot for python on llvm-project? or is there something blocking that?

[Sezoir]

https://reviews.llvm.org/D157284 for flang/examples/FlangOmpReport