added log parsing script #322
| [project.optional-dependencies] | ||
| # Install zstandard if your logs are zstd-compressed (compression_enabled=True) | ||
| zstd = ["zstandard>=0.21.0"] |
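Review bot: the zstd extra is only documented in a comment, so a user who sets compression_enabled=True without having installed the extra will hit a failure at the point the script imports zstandard; please make the script catch that ImportError and report that the zstd extra is required, rather than surfacing a bare traceback. On the pinning question raised below, note that this file declares a package (see the description field), so a hard == pin in [project.optional-dependencies] would over-constrain downstream resolvers; the lockfile alternative Semgrep mentions is the better way to get deterministic CI installs here.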
Semgrep identified a blocking 🔴 issue in your code:
Dependency "$MATCH" uses a range operator. Pin to exact version with == or use a lockfile (e.g. uv.lock, pdm.lock, poetry.lock). Range pins allow auto-upgrades to compromised versions in CI.
To resolve this comment:
✨ Commit Assistant fix suggestion
| zstd = ["zstandard>=0.21.0"] | |
| zstd = ["zstandard==0.21.0"] |
Step-by-step instructions:
- Replace the version range operator (>=) in zstd = ["zstandard>=0.21.0"] with an exact version using ==, so the line reads zstd = ["zstandard==0.21.0"].
- Make sure that this pinned version (0.21.0) is tested and works as expected in your environment.
- Alternatively, if you need to support newer versions for a specific reason, consider adopting a lockfile (such as poetry.lock, pdm.lock, or uv.lock) to ensure deterministic installs, but do not use a range operator in the pyproject.toml for security-critical dependencies.
Pinning dependencies to exact versions helps prevent your project from unintentionally using untested or compromised versions released in the future.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
- /fp <comment> for false positive
- /ar <comment> for acceptable risk
- /other <comment> for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by pyproject-dependency-range-pin.
You can view more details about this finding in the Semgrep AppSec Platform.
| requires-python = ">=3.10" | ||
| dependencies = [ | ||
| "inference-logging-client>=0.3.1", | ||
| "pandas>=1.5.0", |
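Review bot: pandas>=1.5.0 has no upper bound and the PR adds no lockfile, so every CI run resolves whatever pandas is newest at that moment; that is the drift the finding below is about, but the == pin it suggests would also break resolution for anyone installing this package alongside another pandas consumer. Suggest keeping a range in [project] (with an upper bound on the major version) and committing a lockfile for the CI environment, and noting in the PR's Testing section which pandas version the script was actually run against.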
Semgrep identified a blocking 🔴 issue in your code:
Dependency "$MATCH" uses a range operator. Pin to exact version with == or use a lockfile (e.g. uv.lock, pdm.lock, poetry.lock). Range pins allow auto-upgrades to compromised versions in CI.
To resolve this comment:
✨ Commit Assistant fix suggestion
| "pandas>=1.5.0", | |
| "pandas==1.5.0", |
Step-by-step instructions:
- Change the dependency version specifier from a range (e.g. pandas>=1.5.0) to an exact version using ==, for example: "pandas==1.5.0", or preferably specify the exact version you plan to support (e.g. "pandas==2.2.2" if that's what is installed or tested with your code).
- Make the same change for any other dependencies using range operators in the [project].dependencies and [project.optional-dependencies] sections to avoid accidental upgrades.
- This prevents your code from automatically pulling newer, potentially incompatible or vulnerable versions of dependencies each time it is installed.
| description = "Parse asyncloguploader SSD log files into pandas DataFrames" | ||
| requires-python = ">=3.10" | ||
| dependencies = [ | ||
| "inference-logging-client>=0.3.1", |
Semgrep identified a blocking 🔴 issue in your code:
Dependency "$MATCH" uses a range operator. Pin to exact version with == or use a lockfile (e.g. uv.lock, pdm.lock, poetry.lock). Range pins allow auto-upgrades to compromised versions in CI.
To resolve this comment:
✨ Commit Assistant fix suggestion
| "inference-logging-client>=0.3.1", | |
| dependencies = [ | |
| "inference-logging-client==0.3.1", | |
| "pandas>=1.5.0", | |
| ] |
Step-by-step instructions:
- Change the dependency specification from a range operator (>=, <=, etc.) to an exact version using == for all dependencies in your dependencies list and optional dependencies.
- For "inference-logging-client>=0.3.1", update it to the exact installed version, for example: "inference-logging-client==0.3.1" (replace with the correct version if different).
- Repeat this for other dependencies like pandas and zstandard, e.g. update "pandas>=1.5.0" to "pandas==1.5.0" and "zstandard>=0.21.0" to "zstandard==0.21.0" (adjust version as needed).
- Save your changes.
When dependencies are pinned to a specific version, the project avoids accidentally installing newer versions in CI/CD that may contain vulnerabilities or breaking changes.
🔁 Pull Request Template – BharatMLStack
Context:
Give a brief overview of the motivation behind this change. Include any relevant discussion links (Slack, documents, tickets, etc.) that help reviewers understand the background and the issue being addressed.
Describe your changes:
Mention the changes made in the codebase.
Testing:
Please describe how you tested the code. If manual tests were performed, explain how. If automatic tests were added or existing ones cover the change, explain how you ran them.
Monitoring:
Explain how this change will be tracked after deployment. Indicate whether current dashboards, alerts, and logs are enough, or if additional instrumentation is required.
Rollback plan
Explain rollback plan in case of issues.
Checklist before requesting a review
📂 Modules Affected
- horizon (Real-time systems / networking)
- online-feature-store (Feature serving infra)
- trufflebox-ui (Admin panel / UI)
- infra (Docker, CI/CD, GCP/AWS setup)
- docs (Documentation updates)
✅ Type of Change
📊 Benchmark / Metrics (if applicable)