Skip to content

[anaconda]-auto install vuln pkgs from conda / pip #1079

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 13 commits into from
Jun 11, 2024
+58 −29
Merged

[anaconda]-auto install vuln pkgs from conda / pip #1079

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
99d0dd7
[anaconda]-auto install vuln pkgs from conda / pip
gauravsaini04 May 27, 2024
6df631e
Misc change
gauravsaini04 May 27, 2024
ed3b7c5
for test runs fails
gauravsaini04 May 28, 2024
b315f49
misc change
gauravsaini04 May 28, 2024
68971ba
Merge branch 'devcontainers:main' into anaconda_compare_install_vuln_…
gauravsaini04 May 30, 2024
1a5780a
changes requested
gauravsaini04 May 30, 2024
11ece68
minor change
gauravsaini04 May 30, 2024
3143cef
MSG CHANGE
gauravsaini04 May 30, 2024
9033c15
Merge branch 'devcontainers:main' into anaconda_compare_install_vuln_…
gauravsaini04 May 30, 2024
fd53e10
Merge branch 'devcontainers:main' into anaconda_compare_install_vuln_…
gauravsaini04 Jun 2, 2024
ab8e1d9
changes suggested
gauravsaini04 Jun 3, 2024
13aac29
changes acc. to review comments..
gauravsaini04 Jun 5, 2024
0b913dd
[anaconda] - changes as requested
gauravsaini04 Jun 7, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 7 additions & 30 deletions src/anaconda/.devcontainer/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,37 +3,14 @@ FROM continuumio/anaconda3 as upstream
# Verify OS version is expected one
RUN . /etc/os-release && if [ "${VERSION_CODENAME}" != "bullseye" ]; then exit 1; fi

# Temporary: Upgrade python packages due to mentioned CVEs
# They are installed by the base image (continuumio/anaconda3) which does not have the patch.
RUN conda install \
# https://github.com/advisories/GHSA-mr82-8j83-vxmv
pydantic==2.5.3
# Run vulerable packages script for installation
COPY ./install_vulnerable_packages.sh /tmp/install_vulnerable_packages.sh

RUN python3 -m pip install --upgrade \
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21797
joblib==1.3.1 \
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34749
mistune==3.0.1 \
# https://github.com/advisories/GHSA-2g68-c3qc-8985
werkzeug==3.0.3 \
# https://github.com/advisories/GHSA-v68g-wm8c-6x7j
transformers==4.36.0 \
# https://github.com/advisories/GHSA-44wm-f244-xhp3
pillow==10.3.0 \
# https://github.com/advisories/GHSA-5h86-8mv2-jq9f
aiohttp==3.9.4 \
# https://github.com/advisories/GHSA-6vqw-3v5j-54x4
cryptography==42.0.4 \
# https://github.com/advisories/GHSA-2mqj-m65w-jghx
gitpython==3.1.41 \
# https://github.com/advisories/GHSA-4qhp-652w-c22x
jupyter-lsp==2.2.2 \
# https://github.com/advisories/GHSA-jjg7-2v4v-x38h
idna==3.7 \
# https://github.com/advisories/GHSA-h75v-3vvj-5mfj
jinja2==3.1.4 \
# https://github.com/advisories/GHSA-4qqq-9vqf-3h3f
scrapy==2.11.2
#Make the script execuitable
RUN chmod +x /tmp/install_vulnerable_packages.sh

#Execute the script file
RUN /tmp/install_vulnerable_packages.sh

# Reset and copy updated files with updated privs to keep image size down
FROM mcr.microsoft.com/devcontainers/base:1-bullseye
Expand Down
130 changes: 130 additions & 0 deletions src/anaconda/.devcontainer/install_vulnerable_packages.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,130 @@
#!/bin/bash

# Find and install packages, if required, using conda channel or using pip package manager
vulnerable_packages=( "pydantic=2.5.3" "joblib=1.3.1" "mistune=3.0.1" "werkzeug=3.0.3" "transformers=4.36.0" "pillow=10.3.0" "aiohttp=3.9.4" \
"cryptography=42.0.4" "gitpython=3.1.41" "jupyter-lsp=2.2.2" "idna=3.7" "jinja2=3.1.4" "scrapy=2.11.2" )

# Define the number of rows (based on the length of vulnerable_packages)
rows=${#vulnerable_packages[@]}

# Define the number of columns
cols=4

# Define the 2D array
declare -A packages_array

# Fill the 2D array
for ((i=0; i<rows; i++)); do
# Split each element of vulnerable_packages by the '=' sign
IFS='=' read -ra parts <<< "${vulnerable_packages[$i]}"
# Assign the parts to the 2D array
packages_array[$i,0]=${parts[0]}
packages_array[$i,1]=${parts[1]}
done

value=0
insert_in_2D_array() {
local package_name=$1
local channel_name="anaconda"

echo "Running conda search for package '$package_name' in channel '$channel_name'..."

# Capture the conda search output and process it
latest_version=$(conda search "$package_name" -c "$channel_name" | \
grep -E '^[[:alnum:]]' | \
awk '{print $2}' | \
sort -V | \
uniq | \
tail -n 2 | \
head -n 1)

found_version=$(pip show $package_name | grep '^Version:' | awk '{print $2}')
if [[ -z "$latest_version" ]]; then
echo "No version found in anaconda channel."
latest_version="0"
fi
if [[ -z "$found_version" ]]; then
echo "No package version found in upstream."
found_version="0"
fi
echo "Latest version of $package_name on Conda Channel: $latest_version"
packages_array[$i,2]="$found_version"
packages_array[$i,3]="$latest_version"
((value++))
}

# store found package versions in upstream as 3rd column element in 2D array
check_packages_anaconda_channel() {
for ((i=0; i<rows; i++)); do
PACKAGE_NAME=${packages_array[$i,0]}
echo "Package Name $i: $PACKAGE_NAME"
insert_in_2D_array $PACKAGE_NAME
done
}

compare_and_install_packages() {
check_packages_anaconda_channel
printf "%-10s %-10s %-10s %-10s\n" "Package Name," "Version needed," "Version Present," "Conda channel version"
echo "---------------------------------------------------------------------------------"
for ((i=0; i<rows; i++)); do
for ((j=0; j<cols; j++)); do
echo -n "${packages_array[$i,$j]} "
done
echo
done
for ((i=0; i<rows; i++)); do
echo -e "\nComparing semver versions between required and present currently for ${packages_array[$i,0]}"
comparison_result=$(compare_semver "${packages_array[$i,1]}" "${packages_array[$i,2]}")
if [[ $comparison_result == "greater" ]]; then
echo -e "\n${packages_array[$i,0]} : ${packages_array[$i,1]} > ${packages_array[$i,2]}"
echo -e "\nComparing semver versions between required and available through conda channel for ${packages_array[$i,0]}"
comparison_result2=$(compare_semver "${packages_array[$i,1]}" "${packages_array[$i,3]}")
if [[ $comparison_result2 == "greater" ]]; then
echo -e "\n${packages_array[$i,0]} : ${packages_array[$i,1]} > ${packages_array[$i,3]}"
echo -e "\nInstalling ${packages_array[$i,0]} using pip"
python3 -m pip install --upgrade "${packages_array[$i,0]}==${packages_array[$i,1]}"
else
echo -e "\n${packages_array[$i,0]} : ${packages_array[$i,1]} < ${packages_array[$i,3]}"
echo -e "\nInstalling ${packages_array[$i,0]} using conda channel"
conda install "${packages_array[$i,0]}==${packages_array[$i,3]}"
fi
else
echo -e "No need to update ${packages_array[$i,0]}";
fi
done
}

# Function to compare semver versions
compare_semver() {
# Split versions into arrays
IFS='.' read -r -a version1 <<< "$1"
IFS='.' read -r -a version2 <<< "$2"

comparison=""
# Compare MAJOR version
if (( ${version1[0]} > ${version2[0]} )); then
comparison="greater"
elif (( ${version1[0]} < ${version2[0]} )); then
comparison="lesser"
else
# Compare MINOR version
if (( ${version1[1]} > ${version2[1]} )); then
comparison="greater"
elif (( ${version1[1]} < ${version2[1]} )); then
comparison="lesser"
else
# Compare PATCH version
if (( ${version1[2]} > ${version2[2]} )); then
comparison="greater"
elif (( ${version1[2]} < ${version2[2]} )); then
comparison="lesser"
else
comparison="equal"
fi
fi
fi

echo $comparison
}

compare_and_install_packages