Update Docker images to fix resolve vulnerability scan issues (#2007)

bandish-shah · web-flow · commit b0365c82fcbf · 2023-02-28T19:37:20.000-08:00
* Update upgradable packages to resolve Docker scan issues
* Upgrade to nodejs 18.x
* Update Pillow to 9.3.0, Pillow-SIMD to 9.0.0.post1
* Upgrade ipython to 8.11.0
* Upgrade urllib3
* Upgrade certifi package
* Remove vim from docker images
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -34,8 +34,8 @@ ARG TORCHTEXT_VERSION=0.12.0
 # Pillow is also installed (so it won't override it with a future pip install), a Pillow stub is included
 # PILLOW_PSEUDOVERSION is the Pillow version that pip thinks is installed
 # PILLOW_SIMD_VERSION is the actual version of pillow-simd that is installed.
-ARG PILLOW_PSEUDOVERSION=7.0.0
-ARG PILLOW_SIMD_VERSION=7.0.0.post3
+ARG PILLOW_PSEUDOVERSION=9.3.0
+ARG PILLOW_SIMD_VERSION=9.0.0.post1
 
 # Version of the Mellanox Drivers to install (for InfiniBand support)
 # Leave blank for no Mellanox Drivers
@@ -45,6 +45,12 @@ ARG MOFED_VERSION=5.5-1.0.3.2
 # Leave blank for no EFA Drivers
 ARG AWS_OFI_NCCL_VERSION=v1.5.0-aws
 
+# Upgrade certifi to resolve CVE-2022-23491
+ARG CERTIFI_VERSION='>=2022.12.7'
+
+# Upgrade urllib to resolve CVE-2021-33503
+ARG URLLIB3_VERSION='>=1.26.5,<2'
+
 ########################
 # Vision Image Arguments
 ########################
@@ -134,7 +140,6 @@ RUN apt-get update && \
         automake \
         libtool \
         # Development tools
-        vim \
         tmux \
         htop && \
     apt-get autoclean && \
@@ -155,7 +160,7 @@ RUN add-apt-repository ppa:git-core/ppa && \
 # Install NodeJS (for Pyright)
 ##############################
 RUN \
-    curl -fsSL https://deb.nodesource.com/setup_17.x | bash - && \
+    curl -fsSL https://deb.nodesource.com/setup_18.x | bash - && \
     apt-get install -y --no-install-recommends nodejs && \
     apt-get autoclean && \
     apt-get clean && \
@@ -323,6 +328,22 @@ RUN useradd -rm -d /home/mosaicml -s /bin/bash -u 1000 -U -s /bin/bash mosaicml
     usermod -a -G sudo mosaicml && \
     echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
 
+#########################
+# Upgrade apt packages
+#########################
+RUN apt-get update && \
+    apt-get upgrade -y && \
+    apt-get autoclean && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+#########################
+# Upgrade pip packages
+#########################
+RUN pip install --no-cache-dir --upgrade urllib3${URLLIB3_VERSION} \
+        certifi${CERTIFI_VERSION}
+
+
 ######################
 # PyTorch Vision Image
 ######################
diff --git a/meta.yaml b/meta.yaml
@@ -54,7 +54,7 @@ test:
     - fasteners ==0.17.3,<0.18
     - pytest >=7.1.0,<8
     - toml >=0.10.2,<0.11
-    - ipython >=8.4.0,<9
+    - ipython >=8.11.0,<9
     - ipykernel ==6.13.1,<7
     - jupyter >=1.0.0,<2
     - testbook >=0.4.2,<0.5
diff --git a/setup.py b/setup.py
@@ -102,7 +102,7 @@ def package_files(prefix: str, directory: str, extension: str):
     'fasteners==0.18',  # object store tests require fasteners
     'pytest==7.2.1',
     'toml==0.10.2',
-    'ipython==8.8.0',
+    'ipython==8.11.0',
     'ipykernel==6.20.1',
     'jupyter==1.0.0',
     'yamllint==1.28.0',
