Open
Labels
dependencies: This issue is a problem in a dependency.
feature-request: A feature should be added or improved.
p2: This is a standard priority issue.
source-distribution: cli v2 source distribution related issues.
Description
Describe the issue
When aws-cli is built from source, it gets flagged for CVE-2025-47273. This is because setuptools is pinned at 71.1.0. Could you update that pin to 78.1.1 or higher?
Additional Information/Context
AWSCLI_VERSION=2.31.4
curl https://awscli.amazonaws.com/awscli-${AWSCLI_VERSION}.tar.gz | tar -xz
cd awscli-${AWSCLI_VERSION}
./configure --prefix=/opt/aws-cli/ --with-download-deps --with-install-type=portable-exe
make
make install
Excerpts from the build logs:
...
#6 11.61 (47/50) Installing python3 (3.12.11-r0)
#6 11.91 (48/50) Installing python3-pycache-pyc0 (3.12.11-r0)
#6 12.10 (49/50) Installing pyc (3.12.11-r0)
#6 12.10 (50/50) Installing python3-pyc (3.12.11-r0)
...
#6 14.70 checking for a Python interpreter with version >= 3.8... python
#6 14.76 checking for python... /usr/bin/python
#6 14.76 checking for python version... 3.12
#6 14.82 checking for python platform... linux
#6 14.88 checking for GNU default python prefix... ${prefix}
#6 14.88 checking for GNU default python exec_prefix... ${exec_prefix}
#6 14.88 checking for python script directory (pythondir)... ${PYTHON_PREFIX}/lib/python3.12/site-packages
#6 14.96 checking for python extension module directory (pyexecdir)... ${PYTHON_EXEC_PREFIX}/lib/python3.12/site-packages
#6 15.05 checking for sqlite3... yes
#6 15.11 checking for --with-install-type... portable-exe
#6 15.11 checking for --with-download-deps... yes
#6 15.15 configure: creating ./config.status
#6 15.34 config.status: creating Makefile
#6 15.41 PYTHONDONTWRITEBYTECODE=1 "/usr/bin/python" "./backends/build_system" \
#6 15.41 build \
#6 15.41 --artifact "portable-exe" \
#6 15.41 --build-dir "./build" --download-deps
...
#6 19.79 Collecting setuptools==71.1.0 (from -r /awscli-2.31.4/requirements/download-deps/bootstrap-lock.txt (line 17))
#6 19.89 Downloading setuptools-71.1.0-py3-none-any.whl (2.3 MB)
#6 20.02 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.3/2.3 MB 18.9 MB/s eta 0:00:00
#6 20.14 Collecting wheel==0.38.4 (from -r /awscli-2.31.4/requirements/download-deps/bootstrap-lock.txt (line 21))
#6 20.24 Downloading wheel-0.38.4-py3-none-any.whl (36 kB)
#6 20.26 Installing collected packages: wheel, setuptools, pip, flit-core
#6 20.87 Attempting uninstall: pip
#6 20.88 Found existing installation: pip 25.0.1
#6 20.90 Uninstalling pip-25.0.1:
#6 20.90 Successfully uninstalled pip-25.0.1
#6 21.53 Successfully installed flit-core-3.9.0 pip-25.2 setuptools-71.1.0 wheel-0.38.4
...
#6 28.39 Requirement already satisfied: setuptools>=42.0.0 in ./build/venv/lib/python3.12/site-packages (from pyinstaller==6.11.1->-r /awscli-2.31.4/requirements/download-deps/portable-exe-lock.txt (line 89)) (71.1.0)
...
CLI version used
2.31.4
Environment details (OS name and version, etc.)
Alpine 3.22.1
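The pin the reporter is describing lives in the source tarball's `requirements/download-deps/bootstrap-lock.txt` (see the `Collecting setuptools==71.1.0` line in the log above), and the `--with-download-deps` build installs exactly what that lock file says. The script below is an added example, not code from the issue or from the aws-cli project: it parses pip lock files (including `--hash` continuation lines), finds every `setuptools==...` pin, and reports any pin below 78.1.1, the version the reporter asks for. The sample lock text is constructed for the example and only modelled on the log lines; the function names and the `scan_tree` walker are this example's own. The version comparison assumes plain numeric release segments, which is what lock files pin in practice.

```python
import re
import sys
from pathlib import Path
from typing import Iterator

# Lowest setuptools release the issue asks for (78.1.1 or higher).
FIXED_SETUPTOOLS = "78.1.1"

# "name==version" at the start of a logical requirement line; any
# environment marker (after ';') and --hash options are ignored.
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.!+-]*)")

# Constructed sample, modelled on requirements/download-deps/bootstrap-lock.txt
# from the build log above (hash values are placeholders, not real digests).
SAMPLE_LOCK = """\
# constructed sample lock file
flit-core==3.9.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
pip==25.2
setuptools==71.1.0 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111 \\
    --hash=sha256:2222222222222222222222222222222222222222222222222222222222222222
wheel==0.38.4
"""


def parse_version(v: str) -> tuple:
    """Turn a release version such as "78.1.1" into a comparable tuple.

    Assumption: only the numeric release segments are compared; a trailing
    pre/post/dev suffix ("79.0.0rc1") is dropped, so it compares as 79.0.0.
    That is adequate for lock-file pins, which are final releases."""
    release = re.match(r"[0-9]+(?:\.[0-9]+)*", v).group(0)
    return tuple(int(part) for part in release.split("."))


def _logical_lines(text: str) -> Iterator[tuple[int, str]]:
    """Yield (first_physical_line_no, joined_line) for each logical line,
    joining backslash-continued lines and stripping '#' comments."""
    buf: list[str] = []
    start = 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if not buf:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        joined = " ".join(buf).strip()
        buf = []
        if joined:
            yield start, joined


def find_pins(text: str, package: str = "setuptools") -> Iterator[tuple[int, str]]:
    """Yield (line_no, version) for every exact pin of `package` in lock text.
    Names are normalised so "Setuptools" and "setuptools" both match."""
    for lineno, line in _logical_lines(text):
        m = _PIN_RE.match(line)
        if m and m.group(1).lower().replace("_", "-") == package:
            yield lineno, m.group(2)


def vulnerable_pins(text: str, package: str = "setuptools",
                    fixed: str = FIXED_SETUPTOOLS) -> list[tuple[int, str]]:
    """Return the pins of `package` that are older than `fixed`."""
    fixed_t = parse_version(fixed)
    return [(ln, ver) for ln, ver in find_pins(text, package)
            if parse_version(ver) < fixed_t]


def scan_tree(root: str, package: str = "setuptools",
              fixed: str = FIXED_SETUPTOOLS) -> list[tuple[str, int, str]]:
    """Walk an extracted source tree (e.g. awscli-2.31.4/) and report every
    vulnerable pin found in any *.txt under a 'requirements' directory."""
    hits = []
    for path in sorted(Path(root).rglob("*.txt")):
        if "requirements" not in path.parts:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for ln, ver in vulnerable_pins(text, package, fixed):
            hits.append((str(path), ln, ver))
    return hits


if __name__ == "__main__":
    # Usage: python check_pins.py awscli-2.31.4
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for file, ln, ver in scan_tree(root):
        print(f"{file}:{ln}: setuptools=={ver} is below {FIXED_SETUPTOOLS}")
```

Running it against the extracted tarball before `./configure` tells you whether the lock file still carries the old pin, independent of what a scanner later says about the installed `build/venv`. The same check is worth running after `make`, because the venv is what gets bundled into the portable executable.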