[Miniconda] Address CVE-2022-40897 and CVE-2022-40898 vulnerabilities (#510)

alexander-smolyakov · web-flow · commit 8c5390b72004 · 2023-03-30T09:25:45.000-07:00
* [Miniconda] Address CVE-2022-40898 and CVE-2022-40897 vulnerabilities - Updated Dockerfile to install updated versions of `wheel` and `setuptools` packages - Added tests to verify `wheel` and `setuptools` minimum version - Updated manifest to include info about `wheel` and `setuptools packages * Dockerfile: Update comments
diff --git a/src/miniconda/.devcontainer/Dockerfile b/src/miniconda/.devcontainer/Dockerfile
@@ -49,9 +49,15 @@ RUN if [ -f "/tmp/conda-tmp/environment.yml" ]; then umask 0002 && /opt/conda/bi
 
 USER vscode
 
-# Temporary: Upgrade 'cryptography' due to https://github.com/advisories/GHSA-39hc-v87j-747x
-# 'cryptography' is installed by the base image (continuumio/miniconda3) which does not have the patch.
-RUN python3 -m conda update -y cryptography
+# Temporary: Upgrade python packages due to mentioned CVEs
+# They are installed by the base image (continuumio/miniconda3) which does not have the patch.
+RUN python3 -m conda update -y \
+    # https://github.com/advisories/GHSA-39hc-v87j-747x
+    cryptography \
+    # https://github.com/advisories/GHSA-r9hx-vwmv-q579
+    setuptools \
+    # https://github.com/advisories/GHSA-qwmp-2cf2-g9g6
+    wheel
 
 # [Optional] Uncomment this section to install additional OS packages.
 # RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
diff --git a/src/miniconda/manifest.json b/src/miniconda/manifest.json
@@ -39,7 +39,9 @@
 		"pip": [
 			"certifi",
 			"cryptography",
-			"pyOpenssl"
+			"pyOpenssl",
+			"setuptools",
+			"wheel"
 		],
 		"other": {
 			"git": {},
diff --git a/src/miniconda/test-project/test.sh b/src/miniconda/test-project/test.sh
@@ -23,5 +23,11 @@ check-version-ge "cryptography-requirement" "${cryptography_version}" "38.0.3"
 
 check "conda-update-conda" bash -c "conda update -y conda"
 
+setuptools_version=$(python -c "import setuptools; print(setuptools.__version__)")
+check-version-ge "setuptools-requirement" "${setuptools_version}" "65.5.1"
+
+wheel_version=$(python -c "import wheel; print(wheel.__version__)")
+check-version-ge "wheel-requirement" "${wheel_version}" " 0.38.1"
+
 # Report result
 reportResults
