fix(sdk): update dependency cryptography to v48 [security]#11612

Open

renovate[bot] wants to merge 1 commit into master from renovate/pypi-cryptography-vulnerability

Conversation

@renovate renovate Bot commented Jun 16, 2026


This PR contains the following updates:

Package: cryptography (changelog)
Type: project.dependencies
Update: major
Change: ==46.0.7 -> ==48.0.1
OpenSSF: Scorecard

Vulnerable OpenSSL included in cryptography wheels

GHSA-537c-gmf6-5ccf

Details

pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in wheels prior to cryptography 48.0.1 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20260609.txt.

If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

pyca/cryptography (cryptography)

  • v48.0.1
  • v48.0.0
  • v47.0.0


Configuration

📅 Schedule: (in timezone Europe/Madrid)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from a team as a code owner June 16, 2026 08:34
@renovate renovate Bot added the security label Jun 16, 2026
renovate Bot commented Jun 16, 2026


⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: uv.lock
Command failed: uv lock --upgrade-package cryptography
Using CPython 3.13.14 interpreter at: /opt/containerbase/tools/python/3.13.14/bin/python3
  × No solution found when resolving dependencies for split (markers:
  │ python_full_version == '3.13.*'):
  ╰─▶ Because alibabacloud-tea-openapi==0.4.4 depends on
      cryptography>=3.0.0,<47.0.0 and your project depends on
      alibabacloud-tea-openapi==0.4.4, we can conclude that your project
      depends on cryptography>=3.0.0,<47.0.0.
      And because your project depends on cryptography==48.0.1, we can
      conclude that your project's requirements are unsatisfiable.

coderabbitai Bot commented Jun 16, 2026

Walkthrough

The pinned version of the cryptography package in pyproject.toml is updated from 46.0.7 to 48.0.1. No other dependencies, tooling configurations, or project settings are modified.

Changes

Layer / File(s): Dependency Version Bump (pyproject.toml)
Summary: cryptography pin updated to 48.0.1. The cryptography dependency in [project].dependencies is changed from ==46.0.7 to ==48.0.1.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)
  • Title check: Passed. The title clearly identifies the main change as updating the cryptography dependency to v48 and correctly flags it as a security update.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Description check: Passed. The PR description comprehensively documents the security update with vulnerability details, CVSS scoring, and release notes, though it lacks the explicit context section and review steps required by the template.


@github-actions github-actions Bot added the community Opened by the Community label Jun 16, 2026
github-actions Bot commented Jun 16, 2026


⚠️ Changes detected in the following folders without a corresponding update to the CHANGELOG.md:

  • prowler (root dependency files changed)

Please add an entry to the corresponding CHANGELOG.md file to maintain a clear history of changes.

@github-actions


Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pyproject.toml`:
- Line 71: Update the cryptography dependency version in api/pyproject.toml from
the vulnerable version 46.0.7 to 48.0.1 to match the root pyproject.toml update.
Locate the cryptography pin in the api/pyproject.toml file and change it to
match the newer version shown in the diff, ensuring the API subproject has the
same security remediation applied when resolved or deployed independently.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 4347668f-db41-4ce9-8702-6cbb6fb1cc7d

📥 Commits

Reviewing files that changed from the base of the PR and between 94ce76d and bab812a.

📒 Files selected for processing (1)
  • pyproject.toml

Comment thread pyproject.toml
"botocore==1.40.61",
"colorama==0.4.6",
"cryptography==46.0.7",
"cryptography==48.0.1",
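Review bot: Bumping this one pin is not sufficient on its own. The artifact update failure above shows `uv lock --upgrade-package cryptography` aborting because alibabacloud-tea-openapi==0.4.4 constrains cryptography>=3.0.0,<47.0.0, which is unsatisfiable together with `"cryptography==48.0.1",`; until that transitive cap is relaxed or the dependency is updated, uv.lock is left untouched and the resolved environment does not pick up the patched wheel. As the inline review also notes, api/pyproject.toml still pins cryptography==46.0.7, so the API subproject keeps the vulnerable statically linked OpenSSL when resolved on its own; both files should move to 48.0.1 in the same change.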


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify all cryptography pins across pyproject files and detect stale vulnerable versions.
fd -i pyproject.toml -t f -x sh -c '
  echo "== {} ==";
  rg -n "cryptography==|cryptography[<>=~]" "{}" || true;
  echo
'

echo "== Any remaining explicit 46.x pins =="
rg -n 'cryptography==46\.' --iglob '**/pyproject.toml'

Repository: prowler-cloud/prowler

Length of output: 299


Update cryptography dependency in api/pyproject.toml to 48.0.1.

Root pyproject.toml was bumped to 48.0.1 for GHSA-537c-gmf6-5ccf remediation, but api/pyproject.toml (line 195) still pins the vulnerable cryptography==46.0.7. If the API subproject is resolved or deployed independently, the vulnerability remains exposed.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pyproject.toml` at line 71, Update the cryptography dependency version in
api/pyproject.toml from the vulnerable version 46.0.7 to 48.0.1 to match the
root pyproject.toml update. Locate the cryptography pin in the
api/pyproject.toml file and change it to match the newer version shown in the
diff, ensuring the API subproject has the same security remediation applied when
resolved or deployed independently.

@coderabbitai

coderabbitai Bot commented Jun 18, 2026

Walkthrough

The pinned version of the cryptography package in pyproject.toml is updated from 46.0.7 to 48.0.1. No other dependencies, tooling configurations, or project settings are modified.

Changes

Layer / File(s): Dependency Version Bump (pyproject.toml)
Summary: cryptography pin updated to 48.0.1. The cryptography dependency in [project].dependencies is changed from ==46.0.7 to ==48.0.1.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)
  • Description check: Inconclusive. PR description includes context (security vulnerability), change summary (version update), and release notes, but lacks detailed review steps and checklist completion as specified in the template. Resolution: add a 'Steps to review' section with detailed testing instructions and complete the applicable checklist items (e.g., CHANGELOG.md updates, backport needs) to fully comply with the template.

✅ Passed checks (4 passed)
  • Title check: Passed. The title clearly identifies the main change as updating the cryptography dependency to v48 and correctly flags it as a security update.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@danibarranqueroo danibarranqueroo added the dependencies Dependabot Updates label Jun 18, 2026