Anaconda - black - ghsa fj7x q9j7 g6q6 (#1101)

gauravsaini04 · web-flow · commit 4e5c34dc4d77 · 2024-06-18T16:20:03.000-07:00
* [anaconda] - black - GHSA-fj7x-q9j7-g6q6 - patch security vulnerability * patched to found conda version >= required version * removing --override-channels attribute in conda search command as it would only install with pip then
diff --git a/src/anaconda/.devcontainer/apply_security_patches.sh b/src/anaconda/.devcontainer/apply_security_patches.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 vulnerable_packages=( "pydantic=2.5.3" "joblib=1.3.1" "mistune=3.0.1" "werkzeug=3.0.3" "transformers=4.36.0" "pillow=10.3.0" "aiohttp=3.9.4" \
-          "cryptography=42.0.4" "gitpython=3.1.41"  "jupyter-lsp=2.2.2" "idna=3.7" "jinja2=3.1.4" "scrapy=2.11.2" )
+          "cryptography=42.0.4" "gitpython=3.1.41"  "jupyter-lsp=2.2.2" "idna=3.7" "jinja2=3.1.4" "scrapy=2.11.2" "black=24.4.2")
 
 # Define the number of rows (based on the length of vulnerable_packages)
 rows=${#vulnerable_packages[@]}
@@ -30,7 +30,7 @@ for ((i=0; i<rows; i++)); do
         echo "${packages_array[$i,0]} version v${CURRENT_VERSION} installed by the base image is not greater or equal to the required: v${REQUIRED_VERSION}"
         # Check whether conda channel has a greater or equal version available, so install from conda, otherwise use pip package manager
         channel_name="anaconda"
-        CONDA_VERSION=$(conda search --override-channels "${packages_array[$i,0]}" -c "$channel_name" | \
+        CONDA_VERSION=$(conda search "${packages_array[$i,0]}" -c "$channel_name" | \
             grep -E '^[[:alnum:]]' | \
             awk '{print $2}' | \
             sort -V | \
diff --git a/src/anaconda/test-project/test.sh b/src/anaconda/test-project/test.sh
@@ -62,6 +62,7 @@ checkCondaPackageVersion "mpmath" "1.3.0"
 checkCondaPackageVersion "urllib3" "1.26.17"
 checkCondaPackageVersion "pyarrow" "14.0.1"
 checkCondaPackageVersion "pydantic" "2.5.3"
+checkCondaPackageVersion "black" "24.4.2"
 
 check "conda-update-conda" bash -c "conda update -y conda"
 check "conda-install-tensorflow" bash -c "conda create --name test-env -c conda-forge --yes tensorflow"
