[universal] Address GHSA-jm77-qphf-c4w8 and GHSA-r9hx-vwmv-q579 vulnerabilities (#753)

alexander-smolyakov · web-flow · commit 98e790445bd1 · 2023-09-14T09:05:57.000-07:00
* Patch GHSA-jm77-qphf-c4w8 * Patch GHSA-r9hx-vwmv-q579 * Update tests - Update check for `cryptography` package; - Rename tests to make them more explicit; - Update tests to use a separate conda's environment; * Restart checks * Restart checks
diff --git a/src/universal/.devcontainer/local-features/patch-conda/install.sh b/src/universal/.devcontainer/local-features/patch-conda/install.sh
@@ -50,9 +50,10 @@ sudo_if /opt/conda/bin/python3 -m pip install --upgrade pip
 # Temporary: Upgrade python packages due to security vulnerabilities
 # They are installed by the conda feature and Conda distribution does not have the patches.
 
-# https://github.com/advisories/GHSA-5cpq-8wj7-hf2v
+# pyopenssl should be updated to be compatible with latest version of cryptography
 update_conda_package pyopenssl "23.2.0"
-update_conda_package cryptography "41.0.2"
+# https://github.com/advisories/GHSA-jm77-qphf-c4w8
+update_conda_package cryptography "41.0.3"
 
 # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32681
 update_conda_package requests "2.31.0"
diff --git a/src/universal/.devcontainer/local-features/patch-python/install.sh b/src/universal/.devcontainer/local-features/patch-python/install.sh
@@ -34,7 +34,7 @@ update_package() {
     PACKAGE=$2
 
     sudo_if "$PYTHON_PATH -m pip uninstall --yes $PACKAGE"
-    sudo_if "$PYTHON_PATH -m pip install --user --upgrade --no-cache-dir $PACKAGE"
+    sudo_if "$PYTHON_PATH -m pip install --upgrade --no-cache-dir $PACKAGE"
 }
 
 # Temporary: Upgrade python packages due to security vulnerabilities
diff --git a/src/universal/test-project/test.sh b/src/universal/test-project/test.sh
@@ -196,13 +196,13 @@ checkPythonPackageVersion "/usr/local/python/3.9.*/bin/python" "setuptools" "65.
 
 ## Conda Python
 checkCondaPackageVersion "requests" "2.31.0"
-checkCondaPackageVersion "cryptography" "41.0.2"
+checkCondaPackageVersion "cryptography" "41.0.3"
 checkCondaPackageVersion "pyopenssl" "23.2.0"
 
 ## Test Conda
 check "conda-update-conda" bash -c "conda update -y conda"
-check "conda-install" bash -c "conda install -c conda-forge --yes tensorflow"
-check "conda-install" bash -c "conda install -c conda-forge --yes pytorch"
+check "conda-install-tensorflow" bash -c "conda create --name test-env -c conda-forge --yes tensorflow"
+check "conda-install-pytorch" bash -c "conda create --name test-env -c conda-forge --yes pytorch"
 
 # Report result
 reportResults

Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ update_package() {`
`34`	`34`	`PACKAGE=$2`
`35`	`35`
`36`	`36`	`sudo_if "$PYTHON_PATH -m pip uninstall --yes $PACKAGE"`
`37`		`- sudo_if "$PYTHON_PATH -m pip install --user --upgrade --no-cache-dir $PACKAGE"`
	`37`	`+ sudo_if "$PYTHON_PATH -m pip install --upgrade --no-cache-dir $PACKAGE"`
`38`	`38`	`}`
`39`	`39`
`40`	`40`	`# Temporary: Upgrade python packages due to security vulnerabilities`