
BB2-2590 Upgrade Cryptography and Certifi packages #1126

Merged: 5 commits merged into master from dtisza1/BB2-2590-bump-certifi-version on Aug 11, 2023

Conversation

@dtisza1 (Contributor) commented Aug 9, 2023

JIRA Ticket:
BB2-2532
BB2-2590

User Story or Bug Summary:

This upgrades the cryptography package to version 41.0.3 (per BB2-2532) and certifi to 2023.7.22 (per BB2-2590).

What Does This PR Do?

What Should Reviewers Watch For?

Review the deployment to the TEST environment that is using Amazon Linux 2.

What Security Implications Does This PR Have?

Submitters should complete the following questionnaire:

  • If the answer to any of the questions below is Yes, then here's a link to the associated Security Impact Assessment (SIA), security checklist, or other similar document in Confluence: N/A.
    • Does this PR add any new software dependencies? No.
    • Does this PR modify or invalidate any of our security controls? No.
    • Does this PR store or transmit data that was not stored or transmitted before? No.
  • If the answer to any of the questions below is Yes, then please add StewGoin as a reviewer, and note that this PR should not be merged unless/until he also approves it.
    • Do you think this PR requires additional review of its security implications for other reasons? No.

What Needs to Be Merged and Deployed Before this PR?

I have gone through and verified that...:

  • This PR is reasonably limited in scope, to help ensure that:
    1. It doesn't unnecessarily tie a bunch of disparate features, fixes, refactorings, etc. together.
    2. There isn't too much of a burden on reviewers.
    3. Any problems it causes have a small "blast radius".
    4. It'll be easier to rollback if that becomes necessary.
  • I have named this PR and its branch such that they'll automatically be linked to the (most) relevant Jira issue, per: https://confluence.atlassian.com/adminjiracloud/integrating-with-development-tools-776636216.html.
  • This PR includes any required documentation changes, including README updates and changelog / release notes entries.
  • All new and modified code is appropriately commented, such that the what and why of its design would be reasonably clear to engineers, preferably ones unfamiliar with the project.
  • All tech debt and/or shortcomings introduced by this PR are detailed in TODO and/or FIXME comments, which include a JIRA ticket ID for any items that require urgent attention.
  • Reviews are requested from both:
    • At least two other engineers on this project, at least one of whom is a senior engineer or owns the relevant component(s) here.
    • Any relevant engineers on other projects (e.g. BFD, SLS, etc.).
  • Any deviations from the other policies in the DASG Engineering Standards are specifically called out in this PR, above.
    • Please review the standards every few months to ensure you're familiar with them.

@dtisza1 dtisza1 self-assigned this Aug 9, 2023
@dtisza1 (Contributor, Author) commented Aug 10, 2023

NOTE: This deployed out to our TEST environment OK.

For getting a working "cryptography" package, I used the following command to download the package file:

docker-compose exec web pip download --dest vendor --platform manylinux2014_x86_64 --abi cp38 --no-deps cryptography==41.0.3

This downloaded the following package file: "cryptography-41.0.3-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl"

This also tested out OK locally for me too. Tests all passed.

@dtisza1 (Contributor, Author) commented Aug 10, 2023

@ajshred @oragame I made the following change to the Makefile for the downloads. It included 3 additional package updates. I'm about to test a deploy of this to our TEST environment next.

Changed the following PIP options in the Makefile:

FROM:

	pip download -r requirements/requirements.dev.txt --dest vendor --platform linux_x86_64 --no-deps

TO:

	pip download -r requirements/requirements.dev.txt --dest vendor --platform manylinux2014_x86_64 --abi cp38 --no-deps

Does the above look OK related to getting the right package versions when using the make reqs-download command?
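The two comments above hinge on how pip maps `--platform` and `--abi` to wheel compatibility tags: the old `--platform linux_x86_64` setting never matches a manylinux wheel, and `--abi cp38` still accepts the `cp37-abi3` cryptography wheel because the stable ABI is backward compatible. The following script is an added example for this thread, not code from the bluebutton-web-server project. It re-implements in plain Python the tag expansion pip performs (pip/_internal/utils/compatibility_tags.py on top of packaging.tags) so the reader can check offline which wheel filenames a target accepts. Assumptions: only CPython targets are modelled, the web container runs CPython 3.8, and the wheel filenames not named in the thread (the macOS cryptography wheel and the certifi wheel) are constructed for illustration.

```python
"""Model of the compatibility-tag matching behind `pip download --platform/--abi`.

Added example for this PR thread, not code from the bluebutton-web-server
project. Only CPython targets are modelled; the manylinux aliasing rules below
follow pip's _get_custom_platforms(), which does NOT treat manylinux2014 and
manylinux_2_17 as synonyms (that is why wheel builders tag files with both).
"""

PY_VERSION = (3, 8)  # assumption: the web container runs CPython 3.8 (cp38)


def expand_platforms(platform):
    """Newer manylinux targets also accept wheels built for older ones."""
    prefix, _, arch = platform.partition("_")
    platforms = [platform]
    if prefix == "manylinux2014" and arch in ("i686", "x86_64"):
        platforms += ["manylinux2010_" + arch, "manylinux1_" + arch]
    elif prefix == "manylinux2010":
        platforms.append("manylinux1_" + arch)
    return platforms


def supported_tags(python_version, abi, platform):
    """Ordered (interpreter, abi, platform) triples pip accepts, best first."""
    major, minor = python_version
    interp = f"cp{major}{minor}"
    platforms = expand_platforms(platform)
    abi3_applies = (major, minor) >= (3, 2)
    tags = []
    # The explicit --abi value ranks first; abi3/none are handled separately.
    if abi not in ("abi3", "none"):
        tags += [(interp, abi, p) for p in platforms]
    if abi3_applies:
        tags += [(interp, "abi3", p) for p in platforms]
    tags += [(interp, "none", p) for p in platforms]
    if abi3_applies:
        # Stable-ABI wheels built on any older CPython 3.x (>= 3.2) still load.
        for m in range(minor - 1, 1, -1):
            tags += [(f"cp{major}{m}", "abi3", p) for p in platforms]
    # Interpreter-independent tags (packaging.tags.compatible_tags()).
    generic = [f"py{major}{minor}", f"py{major}"]
    generic += [f"py{major}{m}" for m in range(minor - 1, -1, -1)]
    tags += [(g, "none", p) for g in generic for p in platforms]
    tags.append((interp, "none", "any"))
    tags += [(g, "none", "any") for g in generic]
    return tags


def parse_wheel(filename):
    """Split a PEP 427 wheel filename into (name, version, set of tag triples)."""
    if not filename.endswith(".whl"):
        raise ValueError(f"not a wheel filename: {filename}")
    parts = filename[: -len(".whl")].split("-")
    if len(parts) not in (5, 6):  # an optional build tag makes it 6 fields
        raise ValueError(f"malformed wheel filename: {filename}")
    py_tags, abi_tags, plat_tags = parts[-3:]
    # Compressed tag sets ("a.b") expand to the cross product of their parts.
    tags = {
        (i, a, p)
        for i in py_tags.split(".")
        for a in abi_tags.split(".")
        for p in plat_tags.split(".")
    }
    return parts[0], parts[1], tags


def match_rank(filename, python_version, abi, platform):
    """Index of the best supported tag the wheel carries; None means rejected."""
    _, _, tags = parse_wheel(filename)
    for rank, tag in enumerate(supported_tags(python_version, abi, platform)):
        if tag in tags:
            return rank
    return None


WHEELS = [
    # filename reported in the thread
    "cryptography-41.0.3-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl",
    # constructed for illustration
    "cryptography-41.0.3-cp37-abi3-macosx_10_12_universal2.whl",
    "certifi-2023.7.22-py3-none-any.whl",
]


def report(platform, abi="cp38"):
    """Map each sample wheel to its match rank for the given target (None = rejected)."""
    return {w: match_rank(w, PY_VERSION, abi, platform) for w in WHEELS}


if __name__ == "__main__":
    for plat in ("linux_x86_64", "manylinux2014_x86_64"):
        print(f"--platform {plat} --abi cp38")
        for wheel, rank in report(plat).items():
            state = "accepted" if rank is not None else "rejected"
            print(f"  {state:8}  {wheel}")
```

Running it shows the cryptography wheel rejected under `linux_x86_64` (pure-Python certifi is the only match) and accepted under `manylinux2014_x86_64` via the `cp37-abi3-manylinux2014_x86_64` tag. Two caveats when relying on this in a Makefile: pip only honours `--platform`/`--abi` together with `--no-deps` or `--only-binary=:all:`, so with `--no-deps` every transitive requirement must already be pinned in the requirements file, and the accepted tag set depends on the interpreter version pip assumes, so pin it explicitly with `--python-version` if the container that runs `make reqs-download` could differ from the deployment image.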

@dtisza1 (Contributor, Author) commented Aug 10, 2023

@oragame @ajshred This tested out OK in our TEST environment with the Makefile change and additional package updates. This worked locally as well with all tests passing.

This is ready for review. TY!

@ajshred (Contributor) left a comment

Looks good Dave!

@oragame (Contributor) left a comment

Looks good, Dave - thanks for the makefile update, this should help going forward!

@ajshred ajshred merged commit ee5b527 into master Aug 11, 2023
6 checks passed
@dtisza1 dtisza1 deleted the dtisza1/BB2-2590-bump-certifi-version branch August 11, 2023 16:12
3 participants