search

foundation-model-stack / fms-hf-tuning

🚀 Collection of tuning recipes with HuggingFace SFTTrainer and PyTorch FSDP.
Apache License 2.0
28 stars 48 forks source link

Always update setuptools to latest #288

Closed jbusche closed 3 months ago

jbusche commented 3 months ago

Description of the change

I'm noticing a high security vulnerability with setuptools.

severityCHML cvss riskFactors cve link hasFix status packageType packageName packageVersion packageLicense packageBinaryPkgs packagePath
H 8.8 Attack complexity: low,Attack vector: network,DoS - High,Has fix,High severity,Recent vulnerability,Remote execution CVE-2024-6345 https://nvd.nist.gov/vuln/detail/CVE-2024-6345 Y fixed in 70.0.0 python setuptools 65.5.1     /usr/local/lib/python3.11/site-packages/setuptools-65.5.1.dist-info

So I'm adding a line to the DockerFile to force an update to setuptools.

Related issue number

Closes 1176 https://github.ibm.com/ai-foundation/watson-fm-stack-tracker/issues/1176

How to verify the PR

I clone my branch:

git clone https://github.com/jbusche/fms-hf-tuning/ -b jb-setuptools-update
cd fms-hf-tuning

Then I build the image:

docker build --progress=plain -t fms-hf-tuning:jim-updatesetuptools . -f build/Dockerfile

and I get: Successfully tagged localhost/fms-hf-tuning:jim-updatesetuptools

Now I can run the image locally and look at the setuptools version:

podman run --rm -it localhost/fms-hf-tuning:jim-updatesetuptools /bin/bash

pip list |grep setup
setuptools               72.1.0

I also used Twistlock to scan the image and it came up clean for setuptools.

Was the PR tested

jbusche commented 3 months ago

I deployed the image with a pytorchjob on a FIPS OC 4.16.2 cluster, and it succeeded:

oc get pytorchjobs,pods -n default                                                                    api.jim416fips.cp.fyre.ibm.com: Wed Aug  7 09:46:05 2024

NAME                                   STATE       AGE
pytorchjob.kubeflow.org/ted-kfto-sft   Succeeded   19m

NAME                        READY   STATUS  RESTARTS   AGE
pod/ted-kfto-sft-master-0   0/1     Completed   0          19m

and the image:

oc describe pod -n default |grep Image;
    Image:         quay.io/jbusche/fms-hf-tuning:jim-updatesetuptools
    Image ID:      quay.io/jbusche/fms-hf-tuning@sha256:345be77ff52f70eebc3de98507d9e57cdcb62c2e9fe66efad40f1ab6ae7e4098