Update packages with vulnerability #7951

Merged
merged 19 commits into from
May 30, 2024
13 changes: 7 additions & 6 deletions Dockerfile
@@ -1,4 +1,4 @@
ARG PIP_VERSION=22.0.2
ARG PIP_VERSION=24.0
ARG BASE_IMAGE=ubuntu:22.04
SpecLad marked this conversation as resolved.

Contributor

Consider explicitly tagging the base image version.

- ARG BASE_IMAGE=ubuntu:22.04
+ ARG BASE_IMAGE=ubuntu:22.04.1

Committable suggestion was skipped due to low confidence.

FROM ${BASE_IMAGE} as build-image-base
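Review bot: the bump to ARG PIP_VERSION=24.0 is an exact pin, but the OS layer on the next line still floats on the ubuntu:22.04 tag, so two builds of this Dockerfile can differ in base packages even with pip fixed. If the aim of the PR is auditable package versions, pin BASE_IMAGE by digest (for example `ARG BASE_IMAGE=ubuntu:22.04@sha256:<digest>`) rather than the point-release tag `ubuntu:22.04.1` suggested in the comment above; a point-release tag is still a mutable reference, a digest is not.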
@@ -62,7 +62,7 @@ RUN sed -i '/^av==/!d' /tmp/utils/dataset_manifest/requirements.txt
# Work around https://github.com/PyAV-Org/PyAV/issues/1140
RUN pip install setuptools wheel 'cython<3'

RUN --mount=type=cache,target=/root/.cache/pip/http \
RUN --mount=type=cache,target=/root/.cache/pip/http-v2 \
python3 -m pip wheel --no-binary=av --no-build-isolation \
Contributor

Tip

Codebase Verification

The old cache directory /root/.cache/pip/http is still present in the Dockerfile. Please update all instances to use the new cache directory /root/.cache/pip/http-v2.

  • Dockerfile: Update /root/.cache/pip/http to /root/.cache/pip/http-v2.
Analysis chain

Ensure the new cache directory http-v2 is correctly used in all relevant RUN commands.

Also applies to: 81-81

Scripts Executed

The following scripts were executed for the analysis:


Script:

#!/bin/bash
# Description: Verify that the new cache directory `http-v2` is used consistently.

# Test: Search for the old cache directory usage. Expect: No occurrences.
rg --type Dockerfile $'/root/.cache/pip/http'

Length of output: 79



Script:

#!/bin/bash
# Description: Verify that the new cache directory `http-v2` is used consistently.

# Test: Search for the old cache directory usage. Expect: No occurrences.
rg '/root/.cache/pip/http'

Length of output: 227

-r /tmp/utils/dataset_manifest/requirements.txt \
-w /tmp/wheelhouse
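Review bot: the mount target moves to /root/.cache/pip/http-v2 to match pip's newer HTTP cache layout, but the command that builds the av wheel runs with --no-build-isolation, so it builds against the setuptools/wheel/cython installed by the unpinned `RUN pip install setuptools wheel 'cython<3'` context line just above it, not against the setuptools floor this PR adds in the requirements files. Pin that install to the same floor, e.g. `RUN pip install 'setuptools>=70.0.0' wheel 'cython<3'`, so the setuptools fix also covers the wheel build stage.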
@@ -78,15 +78,15 @@ RUN sed -i '/^av==/d' /tmp/utils/dataset_manifest/requirements.txt

ARG CVAT_CONFIGURATION="production"

RUN --mount=type=cache,target=/root/.cache/pip/http \
RUN --mount=type=cache,target=/root/.cache/pip/http-v2 \
DATUMARO_HEADLESS=1 python3 -m pip wheel --no-deps \
-r /tmp/cvat/requirements/${CVAT_CONFIGURATION}.txt \
-w /tmp/wheelhouse

FROM golang:1.20.5 AS build-smokescreen
FROM golang:1.22.3 AS build-smokescreen

RUN git clone --depth=1 -b v0.0.4 https://github.com/stripe/smokescreen.git
RUN cd smokescreen && go build -o /tmp/smokescreen
RUN git clone --depth=1 https://github.com/stripe/smokescreen.git
RUN cd smokescreen && git checkout eb1ac09 && go build -o /tmp/smokescreen
SpecLad marked this conversation as resolved.

Contributor

Use WORKDIR instead of cd for changing directories to improve readability and maintainability of the Dockerfile.

- RUN cd smokescreen && git checkout eb1ac09 && go build -o /tmp/smokescreen
+ WORKDIR /smokescreen
+ RUN git checkout eb1ac09 && go build -o /tmp/smokescreen
+ WORKDIR /

FROM ${BASE_IMAGE}
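Review bot: `git clone --depth=1` followed by `git checkout eb1ac09` only works while eb1ac09 is the tip of smokescreen's default branch, because a depth-1 clone fetches nothing else; once upstream advances, the checkout fails with "reference is not a tree" and the build breaks, whereas the old `-b v0.0.4` form at least named a ref that clone could fetch directly. Record the full 40-character commit hash and fetch it explicitly, e.g. `RUN git init smokescreen && cd smokescreen && git fetch --depth=1 https://github.com/stripe/smokescreen.git <full-sha> && git checkout FETCH_HEAD`, and add a comment saying why the tag was dropped in favour of this commit. The golang:1.20.5 to golang:1.22.3 change is fine as a pinned tag.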

@@ -161,6 +161,7 @@ RUN if [ "$CLAM_AV" = "yes" ]; then \
# Install wheels from the build image
RUN python3 -m venv /opt/venv
ENV PATH="/opt/venv/bin:${PATH}"
RUN python -m pip install --upgrade setuptools
ARG PIP_VERSION
Contributor

Avoid using the cache directory with pip and pin versions to ensure reproducibility and security.

- RUN python -m pip install --upgrade setuptools
+ RUN python -m pip install --no-cache-dir setuptools==<specific_version>

Also applies to: 168-168, 169-169

Committable suggestion was skipped due to low confidence.

SpecLad marked this conversation as resolved.
ARG PIP_DISABLE_PIP_VERSION_CHECK=1
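Review bot: `RUN python -m pip install --upgrade setuptools` installs whatever setuptools is newest on the day the image is built, so the runtime image is not reproducible and its setuptools is not tied to the versions this PR fixes elsewhere. Use the same pin as development.txt, `RUN python -m pip install --no-cache-dir setuptools==70.0.0` (or at least the `>=70.0.0` floor from cvat-cli), and keep --no-cache-dir as the comment above suggests, since a pip cache written inside the final image only adds to its size.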

2 changes: 1 addition & 1 deletion cvat-cli/requirements/base.txt
@@ -1,3 +1,3 @@
cvat-sdk~=2.15.0
Pillow>=10.3.0
setuptools>=65.5.1 # not directly required, pinned by Snyk to avoid a vulnerability
setuptools>=70.0.0 # not directly required, pinned by Snyk to avoid a vulnerability
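Review bot: `setuptools>=70.0.0` is a floor, not a pin, so the trailing comment "pinned by Snyk" overstates it; a floor is the right choice for a direct-requirements file like this one, but the comment should reference the advisory identifier from the Snyk report so the reason for the minimum is auditable later. The same applies to the `Pillow>=10.3.0` context line above it.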
2 changes: 1 addition & 1 deletion cvat/requirements/base.in
@@ -44,7 +44,7 @@ psycopg2-binary==2.9.5
python-ldap==3.4.3
python-logstash-async==2.5.0
pyunpack==0.2.1
redis==4.5.4
redis==4.6.0
requests~=2.26
rq-scheduler==0.13.1
rq==1.16.0
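Review bot: base.in is the pip-compile input, so bumping `redis==4.5.4` to `redis==4.6.0` here is the right place to make the change, but unlike the setuptools lines this bump carries no comment stating the advisory it addresses; add one so the next person touching rq or django-rq knows why this exact version was chosen. Also confirm that django-rq, which the compiled base.txt lists as a second consumer of redis, accepts 4.6.0, since that is where a resolver conflict would surface.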
2 changes: 1 addition & 1 deletion cvat/requirements/base.txt
@@ -275,7 +275,7 @@ pyyaml==6.0.1
# drf-spectacular
rcssmin==1.1.1
# via django-compressor
redis==4.5.4
redis==4.6.0
# via
# -r cvat/requirements/base.in
# django-rq
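Review bot: base.txt is pip-compile output (the `# via` annotations show it), so this redis line should come from re-running pip-compile on the updated base.in rather than from a hand edit; a hand edit keeps the `# via` list intact but skips the resolver check that django-rq, listed here as a consumer, still accepts redis==4.6.0. If the file was regenerated, saying so in the PR description would settle the question.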
2 changes: 1 addition & 1 deletion cvat/requirements/development.txt
@@ -63,5 +63,5 @@ tornado==6.4
# via snakeviz

# The following packages are considered to be unsafe in a requirements file:
setuptools==69.5.1
setuptools==70.0.0
# via astroid
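Review bot: setuptools appears in the "considered to be unsafe" section because pip-compile was run with --allow-unsafe, so `setuptools==70.0.0` here is actually installed in development environments, which is what makes the bump effective; note though that it is pinned exactly here while cvat-cli uses `>=70.0.0` and the Dockerfile installs an unpinned `--upgrade setuptools`, three different answers to which setuptools is in use. Pick one source of truth (the exact pin, regenerated via pip-compile) and make the other two follow it.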