[anaconda]-auto install vuln pkgs from conda / pip (#1079)

* [anaconda]-auto install vuln pkgs from conda / pip * Misc change * for test runs fails * misc change * changes requested * minor change * MSG CHANGE * changes suggested * changes acc. to review comments.. * [anaconda] - changes as requested
devcontainers · Jun 11, 2024 · 1459344 · 1459344
1 parent ac4f805
commit 1459344
Show file tree

Hide file tree

Showing 2 changed files with 58 additions and 29 deletions.
diff --git a/src/anaconda/.devcontainer/Dockerfile b/src/anaconda/.devcontainer/Dockerfile
@@ -5,35 +5,9 @@ RUN . /etc/os-release && if [ "${VERSION_CODENAME}" != "bullseye" ]; then exit 1
 
 # Temporary: Upgrade python packages due to mentioned CVEs
 # They are installed by the base image (continuumio/anaconda3) which does not have the patch.
-RUN conda install \
-    # https://github.com/advisories/GHSA-mr82-8j83-vxmv
-    pydantic==2.5.3
-
-RUN python3 -m pip install --upgrade \
-    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21797
-    joblib==1.3.1 \
-    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34749
-    mistune==3.0.1 \
-    # https://github.com/advisories/GHSA-2g68-c3qc-8985
-    werkzeug==3.0.3 \
-    # https://github.com/advisories/GHSA-v68g-wm8c-6x7j
-    transformers==4.36.0 \
-    # https://github.com/advisories/GHSA-44wm-f244-xhp3
-    pillow==10.3.0 \
-    # https://github.com/advisories/GHSA-5h86-8mv2-jq9f
-    aiohttp==3.9.4 \
-    # https://github.com/advisories/GHSA-6vqw-3v5j-54x4
-    cryptography==42.0.4 \
-    # https://github.com/advisories/GHSA-2mqj-m65w-jghx
-    gitpython==3.1.41 \
-    # https://github.com/advisories/GHSA-4qhp-652w-c22x
-    jupyter-lsp==2.2.2 \
-    # https://github.com/advisories/GHSA-jjg7-2v4v-x38h
-    idna==3.7 \ 
-    # https://github.com/advisories/GHSA-h75v-3vvj-5mfj
-    jinja2==3.1.4 \
-    # https://github.com/advisories/GHSA-4qqq-9vqf-3h3f
-    scrapy==2.11.2
+COPY ./apply_security_patches.sh /tmp/apply_security_patches.sh
+RUN chmod +x /tmp/apply_security_patches.sh
+RUN /tmp/apply_security_patches.sh
 
 # Reset and copy updated files with updated privs to keep image size down
 FROM mcr.microsoft.com/devcontainers/base:1-bullseye

diff --git a/src/anaconda/.devcontainer/apply_security_patches.sh b/src/anaconda/.devcontainer/apply_security_patches.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+vulnerable_packages=( "pydantic=2.5.3" "joblib=1.3.1" "mistune=3.0.1" "werkzeug=3.0.3" "transformers=4.36.0" "pillow=10.3.0" "aiohttp=3.9.4" \
+          "cryptography=42.0.4" "gitpython=3.1.41"  "jupyter-lsp=2.2.2" "idna=3.7" "jinja2=3.1.4" "scrapy=2.11.2" )
+
+# Define the number of rows (based on the length of vulnerable_packages)
+rows=${#vulnerable_packages[@]}
+
+# Define the number of columns
+cols=2
+
+# Define the 2D array
+declare -A packages_array
+
+# Fill the 2D array
+for ((i=0; i<rows; i++)); do
+    # Split each element of vulnerable_packages by the '=' sign
+    IFS='=' read -ra parts <<< "${vulnerable_packages[$i]}"
+    # Assign the parts to the 2D array
+    packages_array[$i,0]=${parts[0]}
+    packages_array[$i,1]=${parts[1]}
+done
+
+for ((i=0; i<rows; i++)); do
+    CURRENT_VERSION=$(pip show "${packages_array[$i,0]}" --disable-pip-version-check | grep '^Version:' | awk '{print $2}')
+    REQUIRED_VERSION="${packages_array[$i,1]}"
+    GREATER_VERSION_A=$((echo ${REQUIRED_VERSION}; echo ${CURRENT_VERSION}) | sort -V | tail -1)
+    # Check if the required_version is greater than current_version
+    if [[ $CURRENT_VERSION != $GREATER_VERSION_A ]]; then
+        echo "${packages_array[$i,0]} version v${CURRENT_VERSION} installed by the base image is not greater or equal to the required: v${REQUIRED_VERSION}"
+        # Check whether conda channel has a greater or equal version available, so install from conda, otherwise use pip package manager
+        channel_name="anaconda"
+        CONDA_VERSION=$(conda search --override-channels "${packages_array[$i,0]}" -c "$channel_name" | \
+            grep -E '^[[:alnum:]]' | \
+            awk '{print $2}' | \
+            sort -V | \
+            uniq | \
+            tail -n 2 | \
+            head -n 1)
+        if [[ -z "$CONDA_VERSION" ]]; then
+            echo "No version for ${packages_array[$i,0]} found in conda channel."
+            CONDA_VERSION="0"
+        fi
+        GREATER_VERSION_B=$((echo ${REQUIRED_VERSION}; echo ${CONDA_VERSION}) | sort -V | tail -1)
+        if [[ $CONDA_VERSION == $GREATER_VERSION_B ]]; then
+            echo -e "Found Version v${CONDA_VERSION} in the Conda channel which is greater than or equal to the required version: v${REQUIRED_VERSION}. \n";
+            echo "Installing ${packages_array[$i,0]} from source from conda channel for v${REQUIRED_VERSION}..."
+            conda install "${packages_array[$i,0]}==${CONDA_VERSION}"
+        elif [[ $REQUIRED_VERSION == $GREATER_VERSION_B ]]; then 
+            echo -e "Required version: v${REQUIRED_VERSION} is greater than the version found in the Conda channel v${CONDA_VERSION}. \n";
+            echo "Installing ${packages_array[$i,0]} from source from pip package manager for v${REQUIRED_VERSION}..."
+            python3 -m pip install --upgrade --no-cache-dir "${packages_array[$i,0]}==${REQUIRED_VERSION}"
+        fi
+    fi
+done