SNYK finding: Upgrade setuptools to version 78.1.1 or higher

[FuhuXia]

Please keep any sensitive details in Google Drive.

Date of report: 2025-05-02
Severity: High
Due date: 2025-06-02

Due date is based on severity and described in RA-5. 15-days for Critical, 30-days for High, and 90-days for Moderate and lower.

• Analysis has been performed and an issue has been linked to address other occurrences for this class of vulnerability* (link)

* When a finding is identified, we create two issues. One to address the specific instance identified in the report. The other is to identify and address all other occurrences of this vulnerability within the application.

Brief description

https://security.snyk.io/vuln/SNYK-PYTHON-SETUPTOOLS-9964606

  Upgrade setuptools@71.0.4 to setuptools@78.1.1 to fix
  ✗ Directory Traversal (new) [High Severity][https://security.snyk.io/vuln/SNYK-PYTHON-SETUPTOOLS-9964606] in setuptools@71.0.4
    introduced by setuptools@71.0.4 and 5 other path(s)

[FuhuXia]

After upgraded to setuptools@78.1.1 or latest @80.3.1, got error when pushing to cloud.gov.

Running setup.py install for feedgen: started
 Running setup.py install for feedgen: finished with status 'error'
 error: subprocess-exited-with-error
 
 × Running setup.py install for feedgen did not run successfully.
 │ exit code: 1
 ╰─> [22 lines of output]
 Traceback (most recent call last):
 File "<string>", line 2, in <module>
 File "<pip-setuptools-caller>", line 34, in <module>
 File "/tmp/pip-install-p1ylde8n/feedgen_cbf7c3546fb9424198fc326f327489f2/setup.py", line 10, in <module>
 setup(name='feedgen',
 File "/tmp/contents1254751672/deps/1/python/lib/python3.10/site-packages/setuptools/__init__.py", line 117, in setup
 return distutils.core.setup(**attrs)
 File "/tmp/contents1254751672/deps/1/python/lib/python3.10/site-packages/setuptools/_distutils/core.py", line 148, in setup
 _setup_distribution = dist = klass(attrs)
 File "/tmp/contents1254751672/deps/1/python/lib/python3.10/site-packages/setuptools/dist.py", line 323, in __init__
 _Distribution.__init__(self, dist_attrs)
 File "/tmp/contents1254751672/deps/1/python/lib/python3.10/site-packages/setuptools/_distutils/dist.py", line 309, in __init__
 self.finalize_options()
 File "/tmp/contents1254751672/deps/1/python/lib/python3.10/site-packages/setuptools/dist.py", line 786, in finalize_options
 ep(self)
 File "/tmp/contents1254751672/deps/1/python/lib/python3.10/site-packages/setuptools/dist.py", line 806, in _finalize_setup_keywords
 ep.load()(self, ep.name, value)
 File "/tmp/contents1254751672/deps/1/python/lib/python3.10/importlib/metadata/__init__.py", line 173, in load
 return functools.reduce(getattr, attrs, module)
 File "/tmp/contents1254751672/deps/1/python/lib/python3.10/site-packages/setuptools/dist.py", line 83, in __getattr__
 raise AttributeError(f"module {__name__!r} has no attribute {name!r}")
 AttributeError: module 'setuptools.dist' has no attribute 'check_test_suite'
 [end of output]
 
 note: This error originates from a subprocess, and is likely not a problem with pip.
 error: legacy-install-failure
 
 × Encountered error while trying to install package.
 ╰─> feedgen
 
 note: This is an issue with the package mentioned above, not pip.
 hint: See above for output from the failure.
 **ERROR** Could not install pip packages: could not run pip: exit status 1
 Failed to compile droplet: Failed to run all supply scripts: exit status 14

[FuhuXia]

cf push command failed with this simplified requirements.txt

feedgen==1.0.0
setuptools==78.1.1