fix(security): dependency confusion, bare excepts, MD5 deprecation #352
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add EU AI Act, Colorado AI Act, and GPAI obligations timeline with AGT coverage mapping. Reference Microsoft Purview DSPM for AI as complementary data governance layer. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The Scorecard API rejects workflows with write permissions at the workflow level. id-token: write and security-events: write must be scoped to the job level only. Restores permissions: read-all at workflow level while keeping job-level write permissions intact. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ft#324) Add Google-style docstrings with Args, Returns, Raises, Attributes, and Example sections to MCPMessageType, MCPAdapter, and MCPServer classes. Also enhances docstrings for key methods including handle_message, _handle_tools_call, _handle_resources_read, and _map_tool_to_action. Fixes microsoft#316
Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
…s (dependency confusion) (microsoft#325)
- Replace !pip install agent-os with !pip install -e ../.. in all 6 notebooks; agent-os is not on PyPI and installing it from PyPI is a dependency confusion vector
- Replace zendesk-sdk/freshdesk-sdk with zenpy/freshdesk (the real published SDKs) in customer-service/requirements.txt
- Remove hashlib-compat from healthcare-hipaa/requirements.txt; hashlib is stdlib and hashlib-compat is not a real PyPI package
…stall agent-os with agent-os-kernel Replace all remaining instances of `pip install agent-os` (unregistered on PyPI) with `pip install agent-os-kernel` (the actual package) across docs, examples, TypeScript extensions, CLI source, tests, and SVG assets. Also fixes `pip install emk` references to point to `agent-os-kernel[full]` since emk is a submodule, not a standalone PyPI package. Completes the fix started in PR microsoft#325 which only covered notebooks. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Dify 65K→133K, AutoGen 42K→55K, CrewAI 28K→46K, Semantic Kernel 24K→27K, LangGraph 24K→27K, Haystack 22K→24K, Agent Framework 7.6K→8K. Added star counts for OpenAI Agents SDK (20K) and Google ADK (18K). Sorted by stars descending. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…it CI
- scripts/check_dependency_confusion.py: Pre-commit hook that scans for pip install commands referencing unregistered PyPI packages. Maintains an allowlist of known registered packages.
- .github/workflows/weekly-security-audit.yml: Weekly CI job running dependency confusion scan, security skills scan, and weak crypto check. Uploads reports as artifacts with 90-day retention.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…icrosoft#349)
* docs: add testing guide for external testers and customers
  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* docs: add regulatory alignment table and Purview positioning to README
  Add EU AI Act, Colorado AI Act, and GPAI obligations timeline with AGT coverage mapping. Reference Microsoft Purview DSPM for AI as complementary data governance layer.
  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(ci): restore read-all at workflow level for Scorecard verification
  The Scorecard API rejects workflows with write permissions at the workflow level. id-token: write and security-events: write must be scoped to the job level only. Restores permissions: read-all at workflow level while keeping job-level write permissions intact.
  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* docs: add comprehensive docstrings to mcp_adapter.py classes (microsoft#324)
  Add Google-style docstrings with Args, Returns, Raises, Attributes, and Example sections to MCPMessageType, MCPAdapter, and MCPServer classes. Also enhances docstrings for key methods including handle_message, _handle_tools_call, _handle_resources_read, and _map_tool_to_action. Fixes microsoft#316
* ci: add markdown link checker workflow (microsoft#323)
  Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
* feat: add policy evaluation heatmap to SRE dashboard (microsoft#309) (microsoft#326)
* fix: remove unregistered PyPI packages from notebooks and requirements (dependency confusion) (microsoft#325)
  - Replace !pip install agent-os with !pip install -e ../.. in all 6 notebooks; agent-os is not on PyPI and installing it from PyPI is a dependency confusion vector
  - Replace zendesk-sdk/freshdesk-sdk with zenpy/freshdesk (the real published SDKs) in customer-service/requirements.txt
  - Remove hashlib-compat from healthcare-hipaa/requirements.txt; hashlib is stdlib and hashlib-compat is not a real PyPI package
* fix(security): complete dependency confusion fix — replace all pip install agent-os with agent-os-kernel
  Replace all remaining instances of `pip install agent-os` (unregistered on PyPI) with `pip install agent-os-kernel` (the actual package) across docs, examples, TypeScript extensions, CLI source, tests, and SVG assets. Also fixes `pip install emk` references to point to `agent-os-kernel[full]` since emk is a submodule, not a standalone PyPI package. Completes the fix started in PR microsoft#325 which only covered notebooks.
  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* docs: update framework star counts to current values
  Dify 65K→133K, AutoGen 42K→55K, CrewAI 28K→46K, Semantic Kernel 24K→27K, LangGraph 24K→27K, Haystack 22K→24K, Agent Framework 7.6K→8K. Added star counts for OpenAI Agents SDK (20K) and Google ADK (18K). Sorted by stars descending.
  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Parsa Faraji Alamouti <165321600+parsa-faraji@users.noreply.github.com>
Co-authored-by: Matt Van Horn <mvanhorn@users.noreply.github.com>
Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Co-authored-by: Zeel Desai <72783325+zeel2104@users.noreply.github.com>
Co-authored-by: Xavier Garceau-Aranda <xavier.garceau-aranda@posteo.net>
- agentmesh → agentmesh-platform (5 files)
- agentmesh-governance → agent-governance-toolkit
- agent-os-observability → agent-os-kernel[observability]
- hashlib.md5 → hashlib.sha256 (3 files)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…MD5 deprecation
CRITICAL: quickstart.ps1 referenced unregistered 'agent-os' PyPI name instead of 'agent-os-kernel'. Fixed to prevent supply chain attack.
HIGH: 4 bare except: blocks in graph_debugger.py (2 duplicate files) replaced with specific exception types + logging.
MEDIUM: MD5 and SHA1 deprecated with warning in text_tool.py hash algorithm selection.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
🤖 AI Agent: code-reviewer
Review Summary
This pull request addresses three security concerns: dependency confusion, bare except blocks, and the use of deprecated hash algorithms. The changes are well-targeted and improve the security posture of the repository. Below is a detailed review of each change.
🔴 CRITICAL: Dependency Confusion in quickstart.ps1
Issue: The script referenced an unregistered PyPI package (agent-os) instead of the correct package (agent-os-kernel). This posed a supply chain attack vector.
Fix: The reference was updated to agent-os-kernel.
Review:
- ✅ The fix eliminates the dependency confusion vulnerability.
- 💡 Suggestion: Consider adding a validation step in CI/CD to verify that all referenced PyPI packages are registered and owned by trusted accounts. This would prevent similar issues in the future.
HIGH: Bare except Blocks in graph_debugger.py
Issue: Bare except blocks were used in two files, which could mask unexpected exceptions and make debugging harder.
Fix: The bare except blocks were replaced with specific exception types (ValueError, RuntimeError) and added logging for better traceability.
Review:
- ✅ The fix improves error handling and makes debugging easier.
- 💡 Suggestion: Consider using `Exception` as a fallback if the exact exception types are not known. This ensures that unexpected errors are still caught while avoiding bare `except`.
- 💡 Suggestion: Add unit tests to verify that the new exception handling logic works as intended, especially for cases where `spring_layout` fails.
MEDIUM: MD5/SHA1 Deprecation in text_tool.py
Issue: MD5 and SHA1 algorithms were still allowed for hashing, despite being deprecated due to known vulnerabilities (CWE-328).
Fix: A deprecation warning was added to discourage their use.
Review:
- ✅ The warning is a good step toward discouraging insecure algorithms.
- 🔴 Critical Suggestion: Emit a runtime exception instead of a warning for MD5/SHA1 usage. Allowing these algorithms to run, even with a warning, could lead to security bypasses if developers ignore the warning.
- 💡 Suggestion: Update the documentation to explicitly state that MD5 and SHA1 are deprecated and should not be used.
General Feedback
Logging
- 💡 Suggestion: Ensure that all logging calls use consistent log levels (`debug`, `info`, `warning`, `error`, `critical`) across the repository. This will make logs easier to parse and analyze.
Type Safety
- 💡 Suggestion: Add type annotations for all functions modified in this PR. For example, the `hash` method in `TextTool` could benefit from stricter type annotations for `algorithm`.
Backward Compatibility
- 🟡 Warning: The deprecation warning for MD5/SHA1 may break workflows that rely on these algorithms. Consider providing a migration guide or a grace period before enforcing stricter measures.
OWASP Agentic Top 10 Compliance
- 🔴 Critical Suggestion: Conduct a full audit of cryptographic operations across the repository to ensure compliance with OWASP Agentic Top 10 guidelines. This includes verifying that all cryptographic algorithms are secure and properly implemented.
Actionable Recommendations
- Dependency Validation: Add a CI/CD step to verify that all referenced PyPI packages are registered and trusted.
- MD5/SHA1 Enforcement: Replace the deprecation warning with a runtime exception for MD5/SHA1 usage.
- Unit Tests: Add tests to validate exception handling logic in `graph_debugger.py`.
- Documentation: Update documentation to reflect the deprecation of MD5/SHA1 and provide migration guidance.
- Type Annotations: Add type annotations to all modified functions for better type safety.
- Cryptographic Audit: Perform a comprehensive audit of cryptographic operations to ensure OWASP compliance.
Final Assessment
- Security: The PR addresses critical and high-priority security issues effectively. However, MD5/SHA1 usage should be blocked entirely, not just warned against.
- Code Quality: The changes improve error handling and logging but could benefit from additional type annotations and tests.
- Backward Compatibility: The MD5/SHA1 deprecation warning may cause issues for existing users. A migration guide is recommended.
Overall, this PR is a significant improvement but requires additional measures to fully address security concerns.
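The reviewer's two options for the text_tool.py hash selection, as an added example that is not the project's own code: the PR's behaviour (MD5/SHA1 still run but emit a DeprecationWarning citing CWE-328) and the suggested strict mode (weak algorithms rejected outright). The function name `hash_text`, the `strict` flag and the allowed-algorithm set are assumptions, not the `TextTool.hash` signature.

```python
import hashlib
import warnings

# Algorithms the review deprecates (CWE-328: use of a weak hash).
DEPRECATED_ALGORITHMS = frozenset({"md5", "sha1"})
# Assumed allowed set for this example; the real TextTool may accept others.
ALLOWED_ALGORITHMS = frozenset({"sha256", "sha384", "sha512", "sha3_256"}) | DEPRECATED_ALGORITHMS


def _normalize(algorithm: str) -> str:
    # Accept "SHA-256" / "sha256" spellings uniformly.
    return algorithm.lower().replace("-", "")


def algorithm_status(algorithm: str) -> str:
    """Classify an algorithm name as "ok", "deprecated" or "unsupported"."""
    name = _normalize(algorithm)
    if name not in ALLOWED_ALGORITHMS:
        return "unsupported"
    return "deprecated" if name in DEPRECATED_ALGORITHMS else "ok"


def hash_text(text: str, algorithm: str = "sha256", *, strict: bool = False) -> str:
    """Return the hex digest of ``text``.

    strict=False reproduces the PR as merged: MD5/SHA1 still work but warn.
    strict=True is the reviewer's suggestion: weak algorithms raise instead.
    """
    name = _normalize(algorithm)
    status = algorithm_status(name)
    if status == "unsupported":
        raise ValueError(f"unsupported hash algorithm: {algorithm!r}")
    if status == "deprecated":
        msg = f"{name} is deprecated (CWE-328: weak hash); use sha256 or stronger"
        if strict:
            raise ValueError(msg)
        warnings.warn(msg, DeprecationWarning, stacklevel=2)
    return hashlib.new(name, text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print(hash_text("abc"))            # sha256, no warning
    print(hash_text("abc", "md5"))     # still runs, but warns
```

Run with `python -W error::DeprecationWarning` to see how a CI job can turn the warning into a failure without waiting for the strict mode to ship.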
🤖 AI Agent: security-scanner — Findings and Recommendations
1. Supply Chain Attack Vector in

| Issue | Severity | Fix Implemented | Recommendation |
|---|---|---|---|
| Dependency confusion in quickstart.ps1 | 🔴 CRITICAL | ✅ Fixed | Use automated dependency validation tools and ensure all dependencies are trusted. |
| Bare except: blocks in graph_debugger.py | 🟠 HIGH | ✅ Fixed | Avoid bare except: blocks and ensure proper logging and exception handling. |
| MD5/SHA1 deprecation in text_tool.py | 🟡 MEDIUM | ✅ Fixed | Plan for complete removal of insecure algorithms in future releases. |
Overall, this PR addresses critical and high-severity issues effectively. However, further steps are recommended to enhance security and maintainability.
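The "automated dependency validation" both reviewers ask for, and the allowlist-based scan the check_dependency_confusion.py pre-commit hook is described as performing, as an added example that is not the project's script: it finds `pip install` commands in text and flags every package name not on an allowlist. The allowlist and sample input are constructed from names on this PR page; the tokenizing rules are assumptions.

```python
import re

# Constructed allowlist: names the page states are the real published packages.
# The real hook's allowlist is assumed to be larger.
ALLOWLIST = frozenset({"agent-os-kernel", "zenpy", "freshdesk"})

# Matches both shell and notebook ("!pip") forms of pip install.
PIP_INSTALL = re.compile(r"!?\bpip3?\s+install\s+(.+)")
# Leading PEP 508 project name; extras ("[full]") and specifiers are dropped.
NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")
# Options that consume the following token (it is not a package name).
OPTIONS_WITH_ARG = {"-e", "--editable", "-r", "--requirement",
                    "-i", "--index-url", "--extra-index-url"}


def normalize(name: str) -> str:
    """PEP 503 normalization: runs of -, _ and . become -, lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()


def package_names(args: str) -> list:
    """Extract normalized package names from the arguments of a pip install."""
    names, skip = [], False
    for tok in args.split():
        if skip:
            skip = False
            continue
        if tok in OPTIONS_WITH_ARG:
            skip = True          # e.g. "-e ../.." installs a local path
            continue
        if tok.startswith("-") or tok.startswith(".") or "/" in tok:
            continue             # other flag, local path or URL
        m = NAME.match(tok)
        if m:
            names.append(normalize(m.group(1)))
    return names


def scan(text: str) -> list:
    """Return (line number, package) for every install of a non-allowlisted name."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PIP_INSTALL.search(line)
        if m:
            findings.extend((lineno, n) for n in package_names(m.group(1))
                            if n not in ALLOWLIST)
    return findings


# Constructed sample resembling the notebook and requirements lines this PR touched.
SAMPLE = """!pip install agent-os
pip install agent-os-kernel[full]
pip install -e ../..
pip install zenpy freshdesk hashlib-compat
echo done
"""
```

In the sample, line 1 and the `hashlib-compat` on line 4 are flagged; the editable install on line 3 and `agent-os-kernel[full]` are not.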
Security re-audit on March 23 verified all 24 previous fixes held (zero regressions). Found 3 new items:
CRITICAL: quickstart.ps1 referenced unregistered PyPI name agent-os instead of agent-os-kernel. Supply chain attack vector — fixed.
HIGH: 4 bare except: blocks in graph_debugger.py (2 duplicate files) replaced with specific exception types + logging.
MEDIUM: MD5/SHA1 in text_tool.py hash selection now emit deprecation warning citing CWE-328.
4 files changed.