
Latest vulnerability fixes #127

Status: Merged (5 commits), Apr 9, 2024

Conversation

MukuFlash03
Contributor

@MukuFlash03 MukuFlash03 commented Apr 5, 2024

Summary

  1. Frontend dashboard container
  • 1 CRITICAL - ip

Details about how this was handled are present in this PR for the join repo.


  2. Notebook viz_scripts container
  • 5 HIGH level : 4 (cryptography, libgnutls(2), bash) + 1 (pillow)

Details about how the first four vulnerabilities are handled are present in this PR for the e-mission-server repo.

Pillow fixed by updating package version manually in viz_scripts/docker/environment36.dashboard.additions.yml.

1. Package ip had vulnerabilities.
Upgrading node-alpine docker image to latest available version.

This node image does not contain the ip package at all.
Additionally, the latest ip version 2.0.1 might not contain the remediation as yet.
@MukuFlash03 changed the title from "Latest vulnerability fixes - ip" to "Latest vulnerability fixes" on Apr 5, 2024
Mahadik, Mukul Chandrakant and others added 2 commits April 5, 2024 12:23
Pillow version upgraded in viz_scripts/docker/environment36.dashboard.additions.yml.
@shankari
Contributor

shankari commented Apr 8, 2024

This needs to be updated to be consistent with e-mission/nrel-openpath-join-page#30
Also, the server changes don't (yet) get propagated to the dashboard PRs - you will need to bump up the base server image tag after it is built.

@shankari
Contributor

shankari commented Apr 8, 2024

@Abby-Wheelis for visibility into DevOps changes

Bumped up the latest server image used to build from as the base Docker image.
@MukuFlash03
Contributor Author

Addressed review comments for related Node image used in join repo here.

Added a commit to update Docker image tag to build from latest server image.

@@ -7,3 +7,5 @@ dependencies:
- pip:
- nbparameterise==0.6
- devcron==0.4
- pillow==10.3.0
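Review bot: the `+ pillow==10.3.0` line at the end of this hunk introduces a new pip dependency rather than upgrading an existing pin; the unchanged context (`nbparameterise==0.6`, `devcron==0.4`) shows pillow was not pinned here before. A scanner finding on a package that is not in the image cannot be fixed by pinning it, and adding the pin makes the container carry pillow (and any future pillow advisories) for code that may not import it. Suggest either pointing to where viz_scripts imports PIL, or dropping this line and documenting the finding's disposition in the PR description instead.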
Contributor

why are we adding pillow here?
There was no pillow before, so it should not have resulted in a CVE

Contributor Author

Right, I thought the same when fixing this, but AWS listed pillow as a vulnerability in the viz_scripts container.
It's not a CVE though; it's a SNYK-PYTHON category.
When I last saw it, the Status column said SUPPRESSED, while now it says CLOSED.

[Screenshot 2024-04-08 at 2:53:08 PM]

I've removed the pillow version added here.


Also, I've confirmed that for the admin-dash container as well, the vulnerability has been marked with status CLOSED.

[Screenshot 2024-04-08 at 3:02:12 PM]

@shankari
Contributor

shankari commented Apr 9, 2024

@MukuFlash03 there are now whitespace changes in viz_scripts/docker/environment36.dashboard.additions.yml
Can you make sure to revert the file properly to avoid messing up the commit history?

Initially, AWS mentioned it as a SUPPRESSED status vulnerability with HIGH severity. Hence I added it.

However, we don't really use pillow in public-dash viz_scripts, and now I can observe that the pillow vulnerability status has been changed to CLOSED.
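As an added example (not code from this PR or the e-mission project), a small check for the question raised in the review thread: whether a pinned pip package such as pillow is actually used by anything in the viz_scripts container. The environment-file layout, the sample sources and the pillow-to-PIL import mapping are assumed and constructed here.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the shape of the pip: block of a conda environment
# file (layout assumed to match viz_scripts/docker/environment36.dashboard.additions.yml).
ENV_YML = """\
dependencies:
  - pip:
    - nbparameterise==0.6
    - devcron==0.4
    - pillow==10.3.0
"""

# Constructed stand-ins for the scripts shipped in the container.
SOURCES = {
    "viz_scripts/generate_plots.py": "import nbparameterise\nimport pandas as pd\n",
    "viz_scripts/start_notebook.sh": "devcron /usr/src/app/crontab\n",
}

# Distribution name -> module name(s) it is imported as; pillow is the classic mismatch.
IMPORT_NAMES = {"pillow": {"PIL"}}


def pinned_pip_packages(env_yml: str) -> Dict[str, str]:
    """Return {distribution: version} for each '- name==ver' line under 'pip:'."""
    pins, in_pip = {}, False
    for line in env_yml.splitlines():
        stripped = line.strip()
        if stripped == "- pip:":
            in_pip = True
            continue
        m = re.match(r"- ([A-Za-z0-9_.\-]+)==(\S+)$", stripped)
        if in_pip and m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def imported_modules(sources: Dict[str, str]) -> Set[str]:
    """Top-level module names imported by the .py sources."""
    mods = set()
    for path, text in sources.items():
        if path.endswith(".py"):
            mods.update(re.findall(r"^\s*(?:import|from)\s+([A-Za-z0-9_]+)", text, re.M))
    return mods


def unused_pins(env_yml: str, sources: Dict[str, str]) -> List[str]:
    """Pins that are neither imported nor invoked as a command in non-Python files."""
    mods, unused = imported_modules(sources), []
    for dist, ver in pinned_pip_packages(env_yml).items():
        names = IMPORT_NAMES.get(dist, {dist.replace("-", "_")})
        as_command = any(re.search(rf"\b{re.escape(dist)}\b", t)
                         for p, t in sources.items() if not p.endswith(".py"))
        if not (names & mods) and not as_command:
            unused.append(f"{dist}=={ver}")
    return unused  # on the sample data: ['pillow==10.3.0']
```

A pin the check reports is a candidate to remove from the image rather than to upgrade, since a package that is not installed cannot be the source of a finding in that container.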
@MukuFlash03
Contributor Author

MukuFlash03 commented Apr 9, 2024

@MukuFlash03 there are now whitespace changes in viz_scripts/docker/environment36.dashboard.additions.yml Can you make sure to revert the file properly to avoid messing up the commit history?

Changes reverted correctly.
For some reason, whitespace gets added when one directly copies the contents of a file, and git marks it as a change.

To avoid this, I fixed it by restoring the file to its version before the commit that changed it, using a git command.
Refer to this stackoverflow post for more details.

@shankari
Contributor

shankari commented Apr 9, 2024

@MukuFlash03 @nataliejschultz I am squash-merging the changes to avoid commit churn. Please take into account when pulling.

@shankari shankari merged commit c1639de into e-mission:main Apr 9, 2024