Description
Hello,
When running Twistlock scans on container images built on top of rayproject/ray:latest-py310-cpu and rayproject/ray:latest-py310-cu121, we saw the following vulnerability reports tracing back to https://github.com/ray-project/ray/blob/master/python/requirements_compiled.txt:
protobuf
ref: https://github.com/ray-project/ray/blob/master/python/requirements_compiled.txt#L1541-L1564
Relevant Twistlock output:
Issue: GHSA-8qvm-5x2c-j2w7
Description: high Vulnerability identified in protobuf
Package: protobuf
Package path: /home/ray/anaconda3/lib/python3.10/site-packages/protobuf-3.20.3.dist-info
Platform: linux:amd64
Remediation: 6.31.1
Severity: high
redis
ref: https://github.com/ray-project/ray/blob/master/python/requirements_compiled.txt#L1864-L1865
Relevant Twistlock output:
Issue: GHSA-8fww-64cx-x8p5
CVSS Score: 6.5
Description: high Vulnerability identified in redis
Package: redis
Package path: /home/ray/anaconda3/lib/python3.10/site-packages/redis-4.4.2.dist-info
Platform: linux:amd64
Remediation: 4.5.4
Severity: high
setuptools
I wasn't able to find this in the compiled requirements, but it's in the base image:
docker run --rm rayproject/ray:latest-py310-cu121 pip show setuptools
==========
== CUDA ==
==========
CUDA Version 12.1.1
Container image Copyright (c) 2016-2023, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
This container image and its contents are governed by the NVIDIA Deep Learning Container License.
By pulling and using the container, you accept the terms and conditions of this license:
https://developer.nvidia.com/ngc/nvidia-deep-learning-container-license
A copy of this license is made available in this container at /NGC-DL-CONTAINER-LICENSE for your convenience.
WARNING: The NVIDIA Driver was not detected. GPU functionality will not be available.
Use the NVIDIA Container Toolkit to start this container with GPU support; see
https://docs.nvidia.com/datacenter/cloud-native/ .
Name: setuptools
Version: 71.1.0
Summary: Easily download, build, install, upgrade, and uninstall Python packages
Home-page:
Author:
Author-email: Python Packaging Authority <distutils-sig@python.org>
License:
Location: /home/ray/anaconda3/lib/python3.10/site-packages
Requires:
Required-by: conda
Relevant Twistlock output:
Issue: GHSA-5rjg-fvgr-3xxf
CVSS Score: 8.8
Description: high Vulnerability identified in setuptools
Package: setuptools
Package path: /home/ray/anaconda3/lib/python3.10/site-packages/setuptools-71.1.0.dist-info
/home/ray/anaconda3/pkgs/setuptools-75.8.0-pyhff2d567_0/site-packages/setuptools-75.8.0-py3.9.egg-info
Platform: linux:amd64
Remediation: 78.1.1
Severity: high
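As an added example (not part of the issue above, and not code from the Ray project or Twistlock), the script below reproduces the kind of check a maintainer would run before and after bumping pins: it parses a pip-compile style pin list and `pip show` output, then compares each version against the "Remediation" versions quoted in the report. The advisory table copies the three findings from the scanner output above; the pin text and the `pip show` text are constructed samples, not the real requirements_compiled.txt or the real image. Version comparison is done on the PEP 440 release segment only (pre-release and local suffixes are ignored, an assumption that holds for the fix versions listed here), so it avoids the string-comparison trap where "9.9.9" sorts above "10.0".

```python
"""Flag pinned or installed Python packages that sit below a scanner's fix version."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    ghsa: str
    package: str
    fixed_in: str  # first version the scanner reports as remediated


# Copied from the Twistlock output quoted in the issue above.
ADVISORIES = [
    Advisory("GHSA-8qvm-5x2c-j2w7", "protobuf", "6.31.1"),
    Advisory("GHSA-8fww-64cx-x8p5", "redis", "4.5.4"),
    Advisory("GHSA-5rjg-fvgr-3xxf", "setuptools", "78.1.1"),
]

# Constructed sample in the shape of pip-compile output (not the real file).
# setuptools is deliberately absent, mirroring the issue: it comes from the base image.
SAMPLE_PINS = """\
# This file is autogenerated by pip-compile
protobuf==3.20.3
    # via
    #   ray
redis==4.4.2 ; python_version < "3.12"
Requests==2.31.0 --hash=sha256:0000
ray[default]==2.9.0
"""

# Constructed sample of `docker run ... pip show setuptools`, including a banner
# printed by the container entrypoint that a naive parser would trip over.
SAMPLE_PIP_SHOW = """\
==========
== CUDA ==
==========
WARNING: The NVIDIA Driver was not detected. GPU functionality will not be available.
Name: setuptools
Version: 71.1.0
Location: /home/ray/anaconda3/lib/python3.10/site-packages
"""


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of [-_.] collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v: str) -> tuple:
    """Release segment of a PEP 440 version as an int tuple.

    Trailing zeros are dropped so 4.5 == 4.5.0; pre-release/local suffixes such as
    'rc1' or '+local' are ignored (assumption: fix versions here are plain releases).
    """
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    parts = [int(x) for x in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_pins(text: str) -> dict:
    """Map normalized name -> version for 'name==version' lines.

    Comments and '# via' annotations, extras, environment markers and --hash
    options are stripped; lines without an exact pin are ignored.
    """
    pins = {}
    pin_re = re.compile(r"([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;]+)")
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = pin_re.match(line) if line else None
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def parse_pip_show(text: str) -> dict:
    """Map normalized name -> version from `pip show` output, ignoring banner lines."""
    versions, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name:"):
            name = normalize(line.split(":", 1)[1].strip())
        elif line.startswith("Version:") and name:
            versions[name] = line.split(":", 1)[1].strip()
            name = None
    return versions


def check(versions: dict, advisories=ADVISORIES) -> list:
    """One finding per advisory whose package is present at a version below fixed_in."""
    findings = []
    for adv in advisories:
        found = versions.get(normalize(adv.package))
        if found is not None and parse_version(found) < parse_version(adv.fixed_in):
            findings.append({"ghsa": adv.ghsa, "package": adv.package,
                             "found": found, "fixed_in": adv.fixed_in})
    return findings


def vulnerable_packages(versions: dict) -> list:
    """Sorted package names from check(), convenient for assertions and diffing."""
    return sorted(f["package"] for f in check(versions))


if __name__ == "__main__":
    image_versions = {**parse_pins(SAMPLE_PINS), **parse_pip_show(SAMPLE_PIP_SHOW)}
    for f in check(image_versions):
        print(f"{f['ghsa']}: {f['package']}=={f['found']} (fixed in {f['fixed_in']})")
```

Merging the pin list with `pip show` output matters here because, as the report shows, a package can be flagged even though no requirements file pins it; the second setuptools path under `/home/ray/anaconda3/pkgs/` also shows that cached copies in the image count toward the scan, so a fix needs to remove or upgrade those as well, not just the `site-packages` copy.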