[anaconda] Address GHSA-47fc-vmwq-366v, GHSA-282v-666c-3fvg, GHSA-mrwq-x4v8-fh7p vulnerabilities (#690)

alexander-smolyakov · samruddhikhandale · web-flow · commit 5f5cfbcfe6d0 · 2023-08-14T10:08:34.000-07:00
* Address GHSA-47fc-vmwq-366v, GHSA-282v-666c-3fvg, GHSA-mrwq-x4v8-fh7p * Add tests * Update manifest * Bump `pygments` version * Test: Remove `conda` group * Restart checks * Test: Reorg Dockerfile * Revert "Test: Reorg Dockerfile" This reverts commit 2cc4085. * Revert "Test: Remove `conda` group" This reverts commit 4401785. * Use latest version of `continuumio/anaconda3` image - Remove version lock for `continuumio/anaconda3` image; - Remove patches for `torch` and `pygments` * Update tests * Update patch - Lock packages versions; - Clean up `manifest.json`; * Update README.md * Update src/anaconda/README.md Co-authored-by: Samruddhi Khandale <samruddhikhandale@github.com> * Revert changes for manifest --------- Co-authored-by: Samruddhi Khandale <samruddhikhandale@github.com>
diff --git a/src/anaconda/.devcontainer/Dockerfile b/src/anaconda/.devcontainer/Dockerfile
@@ -1,25 +1,27 @@
-FROM continuumio/anaconda3:2023.03-1 as upstream
+FROM continuumio/anaconda3 as upstream
 
 # Verify OS version is expected one
 RUN . /etc/os-release && if [ "${VERSION_CODENAME}" != "bullseye" ]; then exit 1; fi
 
 # Temporary: Upgrade python packages due to mentioned CVEs
 # They are installed by the base image (continuumio/anaconda3) which does not have the patch.
-RUN python3 -m pip install \
+RUN python3 -m pip install --upgrade \
     # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21797
-    --upgrade joblib \
+    joblib==1.3.1 \
     # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24065
-    cookiecutter \
+    cookiecutter==2.2.3 \
     # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34749
-    mistune \
+    mistune==3.0.1 \
     # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34141
-    numpy \
+    numpy==1.25.2 \
     # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25577
-    werkzeug \
+    werkzeug==2.3.6 \
     # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32862
-    nbconvert \
-   # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28370
-    tornado
+    nbconvert==7.7.3 \
+    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28370
+    tornado==6.3.2 \
+    # https://github.com/advisories/GHSA-282v-666c-3fvg
+    transformers==4.30.0
 
 RUN conda install \ 
     # https://github.com/advisories/GHSA-5cpq-8wj7-hf2v
diff --git a/src/anaconda/README.md b/src/anaconda/README.md
@@ -37,6 +37,7 @@ See [history](history) for information on the contents of each version and [here
 Alternatively, you can use the contents of `Dockerfile` to fully customize your container's contents or to build it for a container host architecture not supported by the image.
 
 ### Using Conda
+
 This dev container and its associated image includes [the `conda` package manager](https://aka.ms/vscode-remote/conda/about). Additional packages installed using Conda will be downloaded from Anaconda or another repository if you configure one. To reconfigure Conda in this container to access an alternative repository, please see information on [configuring Conda channels here](https://aka.ms/vscode-remote/conda/channel-setup).
 
 Access to the Anaconda repository is covered by the [Anaconda Terms of Service](https://aka.ms/vscode-remote/conda/terms), which may require some organizations to obtain a commercial license from Anaconda. **However**, when this dev container or its associated image is used with GitHub Codespaces or GitHub Actions, **all users are permitted** to use the Anaconda Repository through the service, including organizations normally required by Anaconda to obtain a paid license for commercial activities. Note that third-party packages may be licensed by their publishers in ways that impact your intellectual property, and are used at your own risk.
@@ -51,7 +52,6 @@ By default, frameworks like Flask only listens to localhost inside the container
 
 The `appPort` property [publishes](https://docs.docker.com/config/containers/container-networking/#published-ports) rather than forwards the port, so applications need to listen to `*` or `0.0.0.0` for the application to be accessible externally. This conflicts with the defaults of some Python frameworks, but fortunately the `forwardPorts` property does not have this limitation.
 
-
 #### Installing Node.js
 
 Given JavaScript front-end web client code written for use in conjunction with a Python back-end often requires the use of Node.js-based utilities to build, you can use a [Node feature](https://github.com/devcontainers/features/tree/main/src/node) to install any version of Node by adding the following to `devcontainer.json`:
@@ -66,6 +66,14 @@ Given JavaScript front-end web client code written for use in conjunction with a
 }
 ```
 
+#### Using different Conda channels
+
+This image is based on the `ContinuumIO/anaconda3` docker image, which has all the `anaconda3` packages from defaults installed into the base conda's environment. It is recommended not to install packages from different channels in one environment since it could cause conflicts. When installing a package from a different channel (e.g., `conda-forge`) is required, the better approach is to create a new conda environment.
+
+```bash
+conda create --name <env_name> -c <channel> --yes <package_name>
+```
+
 #### Installing a different version of Python
 
 As covered in the [user FAQ](https://docs.anaconda.com/anaconda/user-guide/faq) for Anaconda, you can install different versions of Python than the one in this image by running the following from a terminal:
diff --git a/src/anaconda/manifest.json b/src/anaconda/manifest.json
@@ -36,9 +36,10 @@
 			"nbconvert",
 			"py",
 			"pyOpenssl",
-			"werkzeug",
+			"Werkzeug",
 			"requests",
-			"tornado"
+			"tornado",
+			"transformers"
 		],
 		"other": {
 			"git": {},
diff --git a/src/anaconda/test-project/test.sh b/src/anaconda/test-project/test.sh
@@ -42,6 +42,8 @@ checkPythonPackageVersion "werkzeug" "2.2.3"
 checkPythonPackageVersion "certifi" "2022.12.07"
 checkPythonPackageVersion "requests" "2.31.0"
 checkPythonPackageVersion "cryptography" "41.0.2"
+checkPythonPackageVersion "torch" "1.13.1"
+checkPythonPackageVersion "transformers" "4.30.0"
 
 # The `tornado` package doesn't have the `__version__` attribute so we can use the `version` attribute.
 tornado_version=$(python -c "import tornado; print(tornado.version)")
@@ -50,10 +52,11 @@ check-version-ge "tornado-requirement" "${tornado_version}" "6.3.2"
 checkCondaPackageVersion "pyopenssl" "23.2.0"
 checkCondaPackageVersion "cryptography" "41.0.2"
 checkCondaPackageVersion "requests" "2.31.0"
+checkCondaPackageVersion "pygments" "2.15.1"
 
 check "conda-update-conda" bash -c "conda update -y conda"
-check "conda-install-tensorflow" bash -c "conda install -c conda-forge --yes tensorflow"
-check "conda-install-pytorch" bash -c "conda install -c conda-forge --yes pytorch"
+check "conda-install-tensorflow" bash -c "conda create --name test-env -c conda-forge --yes tensorflow"
+check "conda-install-pytorch" bash -c "conda create --name test-env -c conda-forge --yes pytorch"
 
 # Report result
 reportResults
