Merge branch 'main' into universal_unpin_dotnet_rntime_core_versions

Author: gauravsaini04

src/anaconda/.devcontainer/apply_security_patches.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 vulnerable_packages=( "pydantic=2.5.3" "joblib=1.3.1" "mistune=3.0.1" "werkzeug=3.0.3" "transformers=4.36.0" "pillow=10.3.0" "aiohttp=3.9.4" \
-          "cryptography=42.0.4" "gitpython=3.1.41"  "jupyter-lsp=2.2.2" "idna=3.7" "jinja2=3.1.4" "scrapy=2.11.2" )
+          "cryptography=42.0.4" "gitpython=3.1.41"  "jupyter-lsp=2.2.2" "idna=3.7" "jinja2=3.1.4" "scrapy=2.11.2" "black=24.4.2")
 
 # Define the number of rows (based on the length of vulnerable_packages)
 rows=${#vulnerable_packages[@]}
@@ -30,7 +30,7 @@ for ((i=0; i<rows; i++)); do
         echo "${packages_array[$i,0]} version v${CURRENT_VERSION} installed by the base image is not greater or equal to the required: v${REQUIRED_VERSION}"
         # Check whether conda channel has a greater or equal version available, so install from conda, otherwise use pip package manager
         channel_name="anaconda"
-        CONDA_VERSION=$(conda search --override-channels "${packages_array[$i,0]}" -c "$channel_name" | \
+        CONDA_VERSION=$(conda search "${packages_array[$i,0]}" -c "$channel_name" | \
             grep -E '^[[:alnum:]]' | \
             awk '{print $2}' | \
             sort -V | \

src/anaconda/test-project/test.sh

@@ -62,6 +62,7 @@ checkCondaPackageVersion "mpmath" "1.3.0"
 checkCondaPackageVersion "urllib3" "1.26.17"
 checkCondaPackageVersion "pyarrow" "14.0.1"
 checkCondaPackageVersion "pydantic" "2.5.3"
+checkCondaPackageVersion "black" "24.4.2"
 
 check "conda-update-conda" bash -c "conda update -y conda"
 check "conda-install-tensorflow" bash -c "conda create --name test-env -c conda-forge --yes tensorflow"

src/miniconda/.devcontainer/Dockerfile

@@ -1,15 +1,9 @@
 FROM continuumio/miniconda3 as upstream
 
-# Temporary: Upgrade python packages due to mentioned CVEs
-# They are installed by the base image (continuumio/miniconda3) which does not have the patch.
-RUN conda install \ 
-    # https://github.com/advisories/GHSA-jjg7-2v4v-x38h
-    idna==3.7
-
-# Temporary: Upgrade python packages using pip package manager
-# RUN python3 -m pip install --upgrade \
-    # https://github.com/advisories/
-    # package==version
+# Temporary: Upgrade python packages
+COPY ./apply_security_patches.sh /tmp/apply_security_patches.sh
+RUN chmod +x /tmp/apply_security_patches.sh
+RUN /tmp/apply_security_patches.sh
 
 # Reset and copy updated files with updated privs to keep image size down
 FROM mcr.microsoft.com/devcontainers/base:1-bullseye

src/miniconda/.devcontainer/apply_security_patches.sh

@@ -0,0 +1,56 @@
+#!/bin/bash
+
+# define array of packages for pinning to the patched versions
+# vulnerable_packages=( "package1=version1" "package2=version2" "package3=version3" )
+vulnerable_packages=( "tqdm=4.66.4" )
+
+# Define the number of rows (based on the length of vulnerable_packages)
+rows=${#vulnerable_packages[@]}
+
+# Define the number of columns
+cols=2
+
+# Define the 2D array
+declare -A packages_array
+
+# Fill the 2D array
+for ((i=0; i<rows; i++)); do
+    # Split each element of vulnerable_packages by the '=' sign
+    IFS='=' read -ra parts <<< "${vulnerable_packages[$i]}"
+    # Assign the parts to the 2D array
+    packages_array[$i,0]=${parts[0]}
+    packages_array[$i,1]=${parts[1]}
+done
+
+for ((i=0; i<rows; i++)); do
+    CURRENT_VERSION=$(pip show "${packages_array[$i,0]}" --disable-pip-version-check | grep '^Version:' | awk '{print $2}')
+    REQUIRED_VERSION="${packages_array[$i,1]}"
+    GREATER_VERSION_A=$((echo ${REQUIRED_VERSION}; echo ${CURRENT_VERSION}) | sort -V | tail -1)
+    # Check if the required_version is greater than current_version
+    if [[ $CURRENT_VERSION != $GREATER_VERSION_A ]]; then
+        echo "${packages_array[$i,0]} version v${CURRENT_VERSION} installed by the base image is not greater or equal to the required: v${REQUIRED_VERSION}"
+        # Check whether conda channel has a greater or equal version available, so install from conda, otherwise use pip package manager
+        channel_name="anaconda"
+        CONDA_VERSION=$(conda search "${packages_array[$i,0]}" -c "$channel_name" | \
+            grep -E '^[[:alnum:]]' | \
+            awk '{print $2}' | \
+            sort -V | \
+            uniq | \
+            tail -n 2 | \
+            head -n 1)
+        if [[ -z "$CONDA_VERSION" ]]; then
+            echo "No version for ${packages_array[$i,0]} found in conda channel."
+            CONDA_VERSION="0"
+        fi
+        GREATER_VERSION_B=$((echo ${REQUIRED_VERSION}; echo ${CONDA_VERSION}) | sort -V | tail -1)
+        if [[ $CONDA_VERSION == $GREATER_VERSION_B ]]; then
+            echo -e "Found Version v${CONDA_VERSION} in the Conda channel which is greater than or equal to the required version: v${REQUIRED_VERSION}. \n";
+            echo "Installing ${packages_array[$i,0]} from source from conda channel for v${REQUIRED_VERSION}..."
+            conda install "${packages_array[$i,0]}==${CONDA_VERSION}"
+        elif [[ $REQUIRED_VERSION == $GREATER_VERSION_B ]]; then 
+            echo -e "Required version: v${REQUIRED_VERSION} is greater than the version found in the Conda channel v${CONDA_VERSION}. \n";
+            echo "Installing ${packages_array[$i,0]} from source from pip package manager for v${REQUIRED_VERSION}..."
+            python3 -m pip install --upgrade --no-cache-dir "${packages_array[$i,0]}==${REQUIRED_VERSION}"
+        fi
+    fi
+done

src/miniconda/test-project/test.sh

@@ -28,6 +28,7 @@ checkCondaPackageVersion "wheel" "0.38.1"
 checkCondaPackageVersion "requests" "2.31.0"
 checkCondaPackageVersion "urllib3" "1.26.17"
 checkCondaPackageVersion "idna" "3.7"
+checkCondaPackageVersion "tqdm" "4.66.4"
 
 check "conda-update-conda" bash -c "conda update -y conda"
 check "conda-install-tensorflow" bash -c "conda create --name test-env -c conda-forge --yes tensorflow"