[BUG] CVEs in conda release

[lmeyerov]

What happened:

Running Grype on DaskSQL.jar from the latest conda release (dask-sql=2022.1) returned 6 fixable CVEs

grype graphistry/graphistry-nvidia:v2.39.7-11.4 \
    --only-fixed \
    -o template \
    -t grype.friendly.tmpl

with template grype.friendly.tmpl

"Package","Version Installed","Vulnerability ID","Severity","Location",
{{- range .Matches}}
"{{.Artifact.Name}}","{{.Artifact.Version}}","{{.Vulnerability.ID}}","{{.Vulnerability.Severity}}","{{.Artifact.Locations}}"
{{- end}}

=>

...
jackson-databind","2.10.0","GHSA-57j2-w4cx-62h2","High","[Location<RealPath="/opt/conda/envs/rapids/lib/python3.8/site-packages/dask_sql/jar/DaskSQL.jar" Layer="sha256:5c80fa32eb12dd95d387ae9121c3a8ba9713207626bbc7b849613b4bb0eb3586">]"
"httpclient","4.5.9","GHSA-7r82-7xv7-xcpj","Medium","[Location<RealPath="/opt/conda/envs/rapids/lib/python3.8/site-packages/dask_sql/jar/DaskSQL.jar" Layer="sha256:5c80fa32eb12dd95d387ae9121c3a8ba9713207626bbc7b849613b4bb0eb3586">]"
"json-smart","2.3","GHSA-fg2v-w576-w4v3","High","[Location<RealPath="/opt/conda/envs/rapids/lib/python3.8/site-packages/dask_sql/jar/DaskSQL.jar" Layer="sha256:5c80fa32eb12dd95d387ae9121c3a8ba9713207626bbc7b849613b4bb0eb3586">]"
"commons-io","2.4","GHSA-gwrp-pvrq-jmwv","Medium","[Location<RealPath="/opt/conda/envs/rapids/lib/python3.8/site-packages/dask_sql/jar/DaskSQL.jar" Layer="sha256:5c80fa32eb12dd95d387ae9121c3a8ba9713207626bbc7b849613b4bb0eb3586">]"
"snakeyaml","1.24","GHSA-rvwf-54qp-4r6v","High","[Location<RealPath="/opt/conda/envs/rapids/lib/python3.8/site-packages/dask_sql/jar/DaskSQL.jar" Layer="sha256:5c80fa32eb12dd95d387ae9121c3a8ba9713207626bbc7b849613b4bb0eb3586">]"
"json-smart","2.3","GHSA-v528-7hrm-frqp","Critical","[Location<RealPath="/opt/conda/envs/rapids/lib/python3.8/site-packages/dask_sql/jar/DaskSQL.jar" Layer="sha256:5c80fa32eb12dd95d387ae9121c3a8ba9713207626bbc7b849613b4bb0eb3586">]

What you expected to happen:

The latest stable release should ideally have no fixable CVEs

Minimal Complete Verifiable Example:

See above

Anything else we need to know?:

Environment:

• dask-sql version: 2022.01
• Python version: Any
• Operating System: Any (Ubuntu container)
• Install method (conda, pip, source): Conda

[quasiben]

Is it possible to get links to the CVEs ? For example, when I search for jackson-databind I see CVEs for 2.9 but dask-sql depends on 2.10

[charlesbluca]

Did some digging and found links for all of them:

• jackson-databind: https://vulners.com/github/GHSA-57J2-W4CX-62H2
• httpclient: https://vulners.com/github/GHSA-7R82-7XV7-XCPJ
• json-smart:
  • https://vulners.com/github/GHSA-FG2V-W576-W4V3
  • https://vulners.com/github/GHSA-V528-7HRM-FRQP
• common-io: https://vulners.com/github/GHSA-GWRP-PVRQ-JMWV
• snakeyaml: https://vulners.com/github/GHSA-RVWF-54QP-4R6V

[lmeyerov]

Quick update: dask_sql is now the remaining source of fixable CVEs in RAPIDS ( rapidsai/docker#442 )

grype rapidsai/rapidsai:22.02-cuda11.0-runtime-ubuntu18.04-py3.8 --only-fixed -o template -t .grype/grype.friendly.tmpl

=>

"Package","Version Installed","Vulnerability ID","Severity","Location",
"jackson-databind","2.10.0","GHSA-57j2-w4cx-62h2","High","https://github.com/advisories/GHSA-57j2-w4cx-62h2","github:java","fixed","[Location<RealPath="/opt/conda/envs/rapids/lib/python3.8/site-packages/dask_sql/jar/DaskSQL.jar" Layer="sha256:2f23f14990dc0628ba561ebf15093e31b48bef5849a409703c3d9a3df1b55b51">]"
"httpclient","4.5.9","GHSA-7r82-7xv7-xcpj","Medium","https://github.com/advisories/GHSA-7r82-7xv7-xcpj","github:java","fixed","[Location<RealPath="/opt/conda/envs/rapids/lib/python3.8/site-packages/dask_sql/jar/DaskSQL.jar" Layer="sha256:2f23f14990dc0628ba561ebf15093e31b48bef5849a409703c3d9a3df1b55b51">]"
"json-smart","2.3","GHSA-fg2v-w576-w4v3","High","https://github.com/advisories/GHSA-fg2v-w576-w4v3","github:java","fixed","[Location<RealPath="/opt/conda/envs/rapids/lib/python3.8/site-packages/dask_sql/jar/DaskSQL.jar" Layer="sha256:2f23f14990dc0628ba561ebf15093e31b48bef5849a409703c3d9a3df1b55b51">]"
"commons-io","2.4","GHSA-gwrp-pvrq-jmwv","Medium","https://github.com/advisories/GHSA-gwrp-pvrq-jmwv","github:java","fixed","[Location<RealPath="/opt/conda/envs/rapids/lib/python3.8/site-packages/dask_sql/jar/DaskSQL.jar" Layer="sha256:2f23f14990dc0628ba561ebf15093e31b48bef5849a409703c3d9a3df1b55b51">]"
"snakeyaml","1.24","GHSA-rvwf-54qp-4r6v","High","https://github.com/advisories/GHSA-rvwf-54qp-4r6v","github:java","fixed","[Location<RealPath="/opt/conda/envs/rapids/lib/python3.8/site-packages/dask_sql/jar/DaskSQL.jar" Layer="sha256:2f23f14990dc0628ba561ebf15093e31b48bef5849a409703c3d9a3df1b55b51">]"
"json-smart","2.3","GHSA-v528-7hrm-frqp","Critical","https://github.com/advisories/GHSA-v528-7hrm-frqp","github:java","fixed","[Location<RealPath="/opt/conda/envs/rapids/lib/python3.8/site-packages/dask_sql/jar/DaskSQL.jar" Layer="sha256:2f23f14990dc0628ba561ebf15093e31b48bef5849a409703c3d9a3df1b55b51">]"

It may be a good idea to have a github workflow to run something like that above daily on the latest conda release, where you'd only need to add --fail-on high

[charlesbluca]

To update this, it looks like the following CVEs are resolvable right now:

• json-smart
• commons-io
• snakeyaml

While the following are currently blocked:

• jackson-databind (currently waiting on a new release to resolve)
• httpclient (a dependency of Calcite Avatica 1.20.0, waiting on a new release to resolve)

IIUC, the primary exposure for these CVEs in dask-sql is through its server implementation - we were considering releasing with with warnings added around server usage, or with it disabled altogether, as it isn't 100% clear how long it will be for the above CVEs to get resolved.

It may be a good idea to have a github workflow to run something like that above daily on the latest conda release, where you'd only need to add --fail-on high

That is a good idea 🙂 will look into getting that set up here, assuming there isn't a larger push within RAPIDS to have these checks run on our images containing dask-sql

[lmeyerov]

Great! RAPIDS 2022.02 updated last week, guessing they may wait for the coming 2022.04 burndown for the next, not sure of landing date

[charlesbluca]

To give a general update on the ongoing work to resolve these CVEs:

• Update versions of Java dependencies #445 has resolved the CVEs in json-smart, commons-io, and snakeyaml
• Update jackson databind version #449 should resolve the jackson-databind CVE
• still waiting on a new Calcite Avatica release to resolve the httpclient CVE, in the meantime we will disable our SQL server in Disable SQL server functionality #448 until that CVE can be resolved

[lmeyerov]

Thanks -- we've been disabling dask_sql.jar in our scans, if there's a conda release we should run again, lmk

[charlesbluca]

Turns out the httpclient CVE was easier to resolve than once thought 🙂 merged in #453 and did patch release 2022.4.1 with the fix - on my end there are no longer any fixable CVEs detected by grype - @lmeyerov if you get a chance can you confirm?

[lmeyerov]

Super exciting! Will kick off a build & scan

[lmeyerov]

... Confirmed, thank you!

It took a bit because it required an unexpectedly early upgrade to rapids 22.04

If helpful, it's now part of our daily scans