Update Docker images to fix resolve vulnerability scan issues #2007

Merged
merged 23 commits into from
Mar 1, 2023

Conversation

bandish-shah
Contributor

@bandish-shah bandish-shah commented Feb 26, 2023

What does this PR do?

This PR fixes the open high severity issue with OpenSSL and other medium/low vulnerability issues that have identified fixes.

This PR fixes critical/high severity issues with the following packages:

  • certifi
  • ipython
  • nodejs
  • openssl
  • pillow
  • urllib3

The following software packages are removed. Users will need to install these manually or in their own images staged from MosaicML's public images at their own discretion:

  • vim

Open Issues

Docker Hub Scan False Positives

Testing

Vulnerability issues with Docker images are identified by first running the docker scan command locally, which uses Snyk to scan, and then by generating staged images and looking at the results of the scanned images in the Docker Hub mosaicml/ci-staging private repository.

What issue(s) does this change relate to?

CO-1844

Before submitting

  • Have you read the contributor guidelines?
  • Is this change a documentation change or typo fix? If so, skip the rest of this checklist.
  • Was this change discussed/approved in a GitHub issue first? It is much more likely to be merged if so.
  • Did you update any related docs and document your change?
  • Did you update any related tests and add any new tests related to your change? (see testing)
  • Did you run the tests locally to make sure they pass?
  • Did you run pre-commit on your change? (see the pre-commit section of prerequisites)
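
The Testing section above describes scanning locally with docker scan (Snyk) and then reading the results of the staged images on Docker Hub, and the description applies a triage rule: fix every critical/high finding, and fix medium/low findings only where the scanner reports a fixed version. The Python script below is added here as an example and is not part of this PR or of the MosaicML repository; it applies that rule to a scanner JSON report so the step can fail a build instead of being read by eye. The report shape it consumes (a top-level vulnerabilities list with id, severity, packageName, version and fixedIn) is an assumption loosely modelled on Snyk-style output, not a documented docker scan schema, and the sample report, its identifiers and its versions are constructed.

```python
"""Severity gate for container image scan results (added example).

Triage rule taken from the PR description: critical/high findings block,
medium/low findings are fixed only when a fixed version is reported, and
the rest are accepted and listed. The JSON shape ("vulnerabilities" list
with id / severity / packageName / version / fixedIn) is an ASSUMPTION
loosely modelled on Snyk-style output; the sample report is constructed.
"""
import json
import re
import sys
from dataclasses import dataclass

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    installed: str
    severity: str
    fixed_in: tuple  # versions the scanner says resolve this finding

    @property
    def fixable(self) -> bool:
        return bool(self.fixed_in)


def _vkey(version: str) -> tuple:
    # Simplified ordering on numeric components only (assumption for the
    # example); real pins should use PEP 440 or dpkg version rules.
    return tuple(int(x) for x in re.findall(r"\d+", version))


def parse_report(report_json: str) -> list:
    """Parse scanner JSON into de-duplicated Findings, worst severity first.

    Scanners often report one vulnerability once per dependency path; the
    frozen dataclass is hashable, so a set() collapses those duplicates.
    """
    data = json.loads(report_json)
    findings = set()
    for v in data.get("vulnerabilities", []):
        sev = str(v["severity"]).lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {v['severity']!r} in {v.get('id')}")
        findings.add(Finding(v["id"], v["packageName"], v["version"], sev,
                             tuple(v.get("fixedIn") or ())))
    return sorted(findings,
                  key=lambda f: (-SEVERITY_RANK[f.severity], f.package, f.vuln_id))


def gate(findings: list, fail_at: str = "high") -> dict:
    """Split findings into blocking / fixable-below-threshold / accepted."""
    threshold = SEVERITY_RANK[fail_at]
    out = {"blocking": [], "fixable": [], "accepted": []}
    for f in findings:
        if SEVERITY_RANK[f.severity] >= threshold:
            out["blocking"].append(f)
        elif f.fixable:
            out["fixable"].append(f)
        else:
            out["accepted"].append(f)  # needs a documented risk acceptance
    return out


def minimum_pins(findings: list) -> dict:
    """Lowest version per package that clears every fixable finding.

    Each finding's smallest fixed version is its cheapest upgrade; the
    package pin is the largest of those across the package's findings.
    """
    pins = {}
    for f in findings:
        if not f.fixable:
            continue
        needed = min(f.fixed_in, key=_vkey)
        if f.package not in pins or _vkey(needed) > _vkey(pins[f.package]):
            pins[f.package] = needed
    return pins


def _v(vid, sev, pkg, ver, *fixed):
    return {"id": vid, "severity": sev, "packageName": pkg, "version": ver,
            "fixedIn": list(fixed)}


# Constructed sample report; ids, packages and versions are illustrative only.
SAMPLE_REPORT = json.dumps({"vulnerabilities": [
    _v("CONSTRUCTED-1", "high", "openssl", "1.0.0", "1.0.2"),
    _v("CONSTRUCTED-2", "medium", "urllib3", "1.2.0", "1.2.5", "1.3.0"),
    _v("CONSTRUCTED-3", "medium", "urllib3", "1.2.0", "1.2.7"),
    _v("CONSTRUCTED-3", "medium", "urllib3", "1.2.0", "1.2.7"),  # second path
    _v("CONSTRUCTED-4", "low", "vim", "8.0"),
    _v("CONSTRUCTED-5", "critical", "nodejs", "14.0.0", "14.0.1"),
]})


def main(report_json: str = SAMPLE_REPORT) -> int:
    findings = parse_report(report_json)
    result = gate(findings)
    for bucket, items in result.items():
        for f in items:
            fix = ", ".join(f.fixed_in) or "no fix available"
            print(f"{bucket:9} {f.severity:8} {f.package} {f.installed} ({f.vuln_id}): {fix}")
    for pkg, ver in sorted(minimum_pins(findings).items()):
        print(f"pin {pkg} >= {ver}")
    return 1 if result["blocking"] else 0


if __name__ == "__main__":
    sys.exit(main())
```

Exit status 1 on blocking findings lets the same rule run in CI or a scheduled workflow; feed a real report with main(sys.stdin.read()) and replace the hand-rolled version comparison with packaging.version or dpkg --compare-versions before using the pins it prints.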

@bandish-shah bandish-shah marked this pull request as ready for review February 27, 2023 02:28
@bandish-shah bandish-shah requested a review from a team as a code owner February 27, 2023 02:28
Contributor

@mvpatel2000 mvpatel2000 left a comment

Looks like there's a duplicate apt package upgrade -- should there only be one?

Should there be a GHA for recurring scanning?

@bandish-shah
Contributor Author

Yeah, I had put two upgrades because we install apt packages in the pytorch and pytorch_vision targets. I guess the one in pytorch_vision isn't necessary because any new packages we're installing there are probably using latest. The upgrade is really addressing pre-installed packages in the staged image; I'll remove that.

No, there isn't an accompanying GHA; we'll enable Docker image scanning in Docker Hub for when the images are pushed.

@mvpatel2000 mvpatel2000 self-requested a review February 27, 2023 19:35
@bandish-shah bandish-shah merged commit b0365c8 into dev Mar 1, 2023
@bandish-shah bandish-shah deleted the bandish/fix_docker_scan branch March 1, 2023 03:37