aws-cli built from source gets flagged for CVE-2025-47273 #9758


Description

@jesun-cisco

Describe the issue

When aws-cli is built from source, it gets flagged for CVE-2025-47273. This is because setuptools is pinned at 71.1.0. Could you update that pin to 78.1.1 or higher?

Additional Information/Context

    AWSCLI_VERSION=2.31.4
    curl https://awscli.amazonaws.com/awscli-${AWSCLI_VERSION}.tar.gz | tar -xz 
    cd awscli-${AWSCLI_VERSION} 
    ./configure --prefix=/opt/aws-cli/ --with-download-deps --with-install-type=portable-exe 
    make 
    make install

Excerpts from the build logs:

    ...
    #6 11.61 (47/50) Installing python3 (3.12.11-r0)
    #6 11.91 (48/50) Installing python3-pycache-pyc0 (3.12.11-r0)
    #6 12.10 (49/50) Installing pyc (3.12.11-r0)
    #6 12.10 (50/50) Installing python3-pyc (3.12.11-r0)
    ...
    #6 14.70 checking for a Python interpreter with version >= 3.8... python
    #6 14.76 checking for python... /usr/bin/python
    #6 14.76 checking for python version... 3.12
    #6 14.82 checking for python platform... linux
    #6 14.88 checking for GNU default python prefix... ${prefix}
    #6 14.88 checking for GNU default python exec_prefix... ${exec_prefix}
    #6 14.88 checking for python script directory (pythondir)... ${PYTHON_PREFIX}/lib/python3.12/site-packages
    #6 14.96 checking for python extension module directory (pyexecdir)... ${PYTHON_EXEC_PREFIX}/lib/python3.12/site-packages
    #6 15.05 checking for sqlite3... yes
    #6 15.11 checking for --with-install-type... portable-exe
    #6 15.11 checking for --with-download-deps... yes
    #6 15.15 configure: creating ./config.status
    #6 15.34 config.status: creating Makefile
    #6 15.41 PYTHONDONTWRITEBYTECODE=1 "/usr/bin/python" "./backends/build_system" \
    #6 15.41 	build \
    #6 15.41 	--artifact "portable-exe" \
    #6 15.41 	--build-dir "./build" --download-deps
    ...
    #6 19.79 Collecting setuptools==71.1.0 (from -r /awscli-2.31.4/requirements/download-deps/bootstrap-lock.txt (line 17))
    #6 19.89   Downloading setuptools-71.1.0-py3-none-any.whl (2.3 MB)
    #6 20.02      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.3/2.3 MB 18.9 MB/s eta 0:00:00
    #6 20.14 Collecting wheel==0.38.4 (from -r /awscli-2.31.4/requirements/download-deps/bootstrap-lock.txt (line 21))
    #6 20.24   Downloading wheel-0.38.4-py3-none-any.whl (36 kB)
    #6 20.26 Installing collected packages: wheel, setuptools, pip, flit-core
    #6 20.87   Attempting uninstall: pip
    #6 20.88     Found existing installation: pip 25.0.1
    #6 20.90     Uninstalling pip-25.0.1:
    #6 20.90       Successfully uninstalled pip-25.0.1
    #6 21.53 Successfully installed flit-core-3.9.0 pip-25.2 setuptools-71.1.0 wheel-0.38.4
    ...
    #6 28.39 Requirement already satisfied: setuptools>=42.0.0 in ./build/venv/lib/python3.12/site-packages (from pyinstaller==6.11.1->-r /awscli-2.31.4/requirements/download-deps/portable-exe-lock.txt (line 89)) (71.1.0)
    ...

CLI version used

2.31.4

Environment details (OS name and version, etc.)

Alpine 3.22.1
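
A pre-build check for the pin reported above, as an added example that is not code from the aws-cli project or the issue author: it scans pip lock-file text for `setuptools==` pins below the 78.1.1 threshold named in the issue. The lock content is a constructed sample using versions from the build log, the function names are hypothetical, and only plain numeric `==` pins are handled.

```python
import re

# Fixed-version threshold as stated in the issue ("78.1.1 or higher").
FIXED = (78, 1, 1)

# A pip "name==version" pin at the start of a requirements line.
# Assumption: plain numeric versions only; pre/post/dev suffixes are ignored.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*(\d+(?:\.\d+)*)")

# Constructed sample in pip-compile style (versions from the build log,
# hashes are placeholders); not the real bootstrap-lock.txt.
SAMPLE_LOCK = """\
# bootstrap requirements (constructed)
flit-core==3.9.0 \\
    --hash=sha256:<placeholder>
setuptools==71.1.0 \\
    --hash=sha256:<placeholder>
wheel==0.38.4 \\
    --hash=sha256:<placeholder>
"""


def normalize(name):
    """PEP 503 normalization so 'Setuptools' and 'setuptools' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_stale_pins(lock_text, package="setuptools", fixed=FIXED):
    """Return [(line_number, version)] for pins of `package` older than `fixed`."""
    findings = []
    for lineno, line in enumerate(lock_text.splitlines(), start=1):
        match = PIN_RE.match(line.split("#", 1)[0])  # ignore trailing comments
        if not match or normalize(match.group(1)) != normalize(package):
            continue
        found = tuple(int(part) for part in match.group(2).split("."))
        # Pad with zeros so 78.1 compares as 78.1.0 against 78.1.1.
        width = max(len(found), len(fixed))
        if found + (0,) * (width - len(found)) < fixed + (0,) * (width - len(fixed)):
            findings.append((lineno, match.group(2)))
    return findings


if __name__ == "__main__":
    for lineno, version in find_stale_pins(SAMPLE_LOCK):
        print(f"line {lineno}: setuptools=={version} is below 78.1.1")
```

Run against each file under `requirements/download-deps/` in the unpacked source tree, a non-empty result means the build will still install a flagged setuptools.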

Labels: dependencies, feature-request, p2, source-distribution, v2