Anaconda: Update 'joblib' python package due to CVE-2022-21797 (#237)

samruddhikhandale · web-flow · commit ed10399ce4b6 · 2022-12-12T16:13:01.000-08:00
* Anaconda: Patch

* update utils
diff --git a/src/anaconda/.devcontainer/Dockerfile b/src/anaconda/.devcontainer/Dockerfile
@@ -52,6 +52,10 @@ RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
     && usermod -aG conda ${USERNAME} \
     && apt-get clean -y && rm -rf /var/lib/apt/lists/* /tmp/library-scripts/add-notice.sh
 
+# Temporary: Upgrade 'joblib' due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21797
+# 'joblib' is installed by the base image (continuumio/anaconda3) which does not have the patch.
+RUN python3 -m pip install --upgrade joblib
+
 # Copy environment.yml (if found) to a temp locaition so we update the environment. Also
 # copy "noop.txt" so the COPY instruction does not fail if no environment.yml exists.
 # COPY environment.yml* .devcontainer/noop.txt /tmp/conda-tmp/
diff --git a/src/anaconda/manifest.json b/src/anaconda/manifest.json
@@ -23,6 +23,9 @@
 		"git": {
 			"Oh My Zsh!": "/home/vscode/.oh-my-zsh"
 		},
+		"pip": [
+			"joblib"
+		],
 		"other": {
 			"conda": {
 				"cgIgnore": true,
diff --git a/src/anaconda/test-project/test-utils.sh b/src/anaconda/test-project/test-utils.sh
@@ -27,6 +27,23 @@ check() {
     fi
 }
 
+check-version-ge() {
+    LABEL=$1
+    CURRENT_VERSION=$2
+    REQUIRED_VERSION=$3
+    shift
+    echo -e "\n🧪 Testing $LABEL: '$CURRENT_VERSION' is >= '$REQUIRED_VERSION'"
+    local GREATER_VERSION=$((echo ${CURRENT_VERSION}; echo ${REQUIRED_VERSION}) | sort -V | tail -1)
+    if [ "${CURRENT_VERSION}" == "${GREATER_VERSION}" ]; then
+        echo "✅  Passed!"
+        return 0
+    else
+        echoStderr "❌ $LABEL check failed."
+        FAILED+=("$LABEL")
+        return 1
+    fi
+}
+
 checkMultiple() {
     PASSED=0
     LABEL="$1"
diff --git a/src/anaconda/test-project/test.sh b/src/anaconda/test-project/test.sh
@@ -16,14 +16,14 @@ check "yapf" yapf --version
 check "pydocstyle" pydocstyle --version
 check "pycodestyle" pycodestyle --version
 check "nvm" bash -c ". /usr/local/share/nvm/nvm.sh && nvm --version"
-check "git" git --version
 
-git_version_satisfied=false
-if (echo a version 2.38.1; git --version) | sort -Vk3 | tail -1 | grep -q git; then
-    git_version_satisfied=true
-fi
+git_version=$(git --version)
+check "git" bash -c "echo ${git_version}" 
+check-version-ge "git-requirement" "${git_version}" "git version 2.38.1"
 
-check "git version satisfies requirement" echo $git_version_satisfied | grep "true"
+joblib_version=$(python -c "import joblib; print(joblib.__version__)")
+check "joblib" bash -c "echo ${joblib_version}" 
+check-version-ge "joblib-requirement" "${joblib_version}" "1.2.0"
 
 # Report result
 reportResults
