[miniconda] - tqdm - GHSA-g7vv-2v7x-gj9p vulnerability (#1059)

* [miniconda] - tqdm - GHSA-g7vv-2v7x-gj9p vulnerability * Update Dockerfile * Update test.sh * update files for pinning to required version * Update apply_security_patches.sh
devcontainers · Jun 18, 2024 · 018b799 · 018b799
1 parent 4e5c34d
commit 018b799
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 6 deletions.
diff --git a/src/miniconda/.devcontainer/Dockerfile b/src/miniconda/.devcontainer/Dockerfile
@@ -1,9 +1,9 @@
 FROM continuumio/miniconda3 as upstream
 
 # Temporary: Upgrade python packages
-# COPY ./apply_security_patches.sh /tmp/apply_security_patches.sh
-# RUN chmod +x /tmp/apply_security_patches.sh
-# RUN /tmp/apply_security_patches.sh
+COPY ./apply_security_patches.sh /tmp/apply_security_patches.sh
+RUN chmod +x /tmp/apply_security_patches.sh
+RUN /tmp/apply_security_patches.sh
 
 # Reset and copy updated files with updated privs to keep image size down
 FROM mcr.microsoft.com/devcontainers/base:1-bullseye

diff --git a/src/miniconda/.devcontainer/apply_security_patches.sh b/src/miniconda/.devcontainer/apply_security_patches.sh
@@ -2,7 +2,7 @@
 
 # define array of packages for pinning to the patched versions
 # vulnerable_packages=( "package1=version1" "package2=version2" "package3=version3" )
-vulnerable_packages=( "" )
+vulnerable_packages=( "tqdm=4.66.4" )
 
 # Define the number of rows (based on the length of vulnerable_packages)
 rows=${#vulnerable_packages[@]}
@@ -31,7 +31,7 @@ for ((i=0; i<rows; i++)); do
         echo "${packages_array[$i,0]} version v${CURRENT_VERSION} installed by the base image is not greater or equal to the required: v${REQUIRED_VERSION}"
         # Check whether conda channel has a greater or equal version available, so install from conda, otherwise use pip package manager
         channel_name="anaconda"
-        CONDA_VERSION=$(conda search --override-channels "${packages_array[$i,0]}" -c "$channel_name" | \
+        CONDA_VERSION=$(conda search "${packages_array[$i,0]}" -c "$channel_name" | \
             grep -E '^[[:alnum:]]' | \
             awk '{print $2}' | \
             sort -V | \
@@ -53,4 +53,4 @@ for ((i=0; i<rows; i++)); do
             python3 -m pip install --upgrade --no-cache-dir "${packages_array[$i,0]}==${REQUIRED_VERSION}"
         fi
     fi
-done
+done
diff --git a/src/miniconda/test-project/test.sh b/src/miniconda/test-project/test.sh
@@ -28,6 +28,7 @@ checkCondaPackageVersion "wheel" "0.38.1"
 checkCondaPackageVersion "requests" "2.31.0"
 checkCondaPackageVersion "urllib3" "1.26.17"
 checkCondaPackageVersion "idna" "3.7"
+checkCondaPackageVersion "tqdm" "4.66.4"
 
 check "conda-update-conda" bash -c "conda update -y conda"
 check "conda-install-tensorflow" bash -c "conda create --name test-env -c conda-forge --yes tensorflow"