sramakintel commented 3 weeks ago

Description

Fix vulnerabilities in serve container

Related Issue

Changes Made

[x] The code follows the project's coding standards.
[x] No Intel Internal IP is present within the changes.
[x] The documentation has been updated to reflect any changes in functionality.

Validation

[x] I have tested any changes in container groups locally with test_runner.py with all existing tests passing, and I have added new tests where applicable.

github-actions[bot] commented 3 weeks ago

Dependency Review

The following issues were found:

✅ 0 vulnerable package(s)
✅ 0 package(s) with incompatible licenses
✅ 0 package(s) with invalid SPDX license definitions
⚠️ 3 package(s) with unknown licenses.

See the Details below.

License Issues

pytorch/venv-requirements.txt

Package	Version	License	Issue Type
intel-openmp	2024.2.1	Null	Unknown License
mkl-include	2024.2.1	Null	Unknown License
mkl	2024.2.1	Null	Unknown License

OpenSSF Scorecard

Package

Version

Score

Details

pip/numpy

2.1.1

:green_circle: 7.9

Details

Check	Score	Reason
Binary-Artifacts	:green_circle: 10	no binaries found in the repo
Branch-Protection	:green_circle: 3	branch protection is not maximal on development and all release branches
CI-Tests	:green_circle: 10	13 out of 13 merged PRs checked by a CI test -- score normalized to 10
CII-Best-Practices	:warning: 0	no effort to earn an OpenSSF best practices badge detected
Code-Review	:green_circle: 10	all changesets reviewed
Contributors	:green_circle: 10	project has 93 contributing companies or organizations
Dangerous-Workflow	:green_circle: 10	no dangerous workflow patterns detected
Dependency-Update-Tool	:green_circle: 10	update tool detected
Fuzzing	:green_circle: 10	project is fuzzed
License	:green_circle: 9	license file detected
Maintained	:green_circle: 10	30 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10
Packaging	:warning: -1	packaging workflow not detected
Pinned-Dependencies	:green_circle: 3	dependency not pinned by hash detected -- score normalized to 3
SAST	:green_circle: 9	SAST tool detected but not run on all commits
Security-Policy	:green_circle: 9	security policy file detected
Signed-Releases	:warning: 0	Project has not signed or included provenance with any releases.
Token-Permissions	:green_circle: 9	detected GitHub workflow tokens with excessive permissions
Vulnerabilities	:green_circle: 10	0 existing vulnerabilities detected

pip/intel-openmp

2024.2.1

Unknown

pip/mkl

2024.2.1

Unknown

pip/mkl-include

2024.2.1

Unknown

pip/psutil

6.0.0

:green_circle: 5.8

Details

Check	Score	Reason
Maintained	:green_circle: 10	6 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10
Code-Review	:warning: 2	Found 8/30 approved changesets -- score normalized to 2
CII-Best-Practices	:warning: 0	no effort to earn an OpenSSF best practices badge detected
License	:green_circle: 10	license file detected
Signed-Releases	:warning: -1	no releases found
Security-Policy	:green_circle: 10	security policy file detected
Token-Permissions	:warning: 0	detected GitHub workflow tokens with excessive permissions
Dangerous-Workflow	:green_circle: 10	no dangerous workflow patterns detected
Packaging	:warning: -1	packaging workflow not detected
Branch-Protection	:warning: 0	branch protection not enabled on development/release branches
Binary-Artifacts	:green_circle: 10	no binaries found in the repo
Pinned-Dependencies	:warning: 0	dependency not pinned by hash detected -- score normalized to 0
Fuzzing	:green_circle: 10	project is fuzzed
Vulnerabilities	:green_circle: 10	0 existing vulnerabilities detected
SAST	:warning: 0	SAST tool is not run on all commits -- score normalized to 0

pip/setuptools

>= 70.0.0

:green_circle: 4.9

Details

Check	Score	Reason
Code-Review	:warning: 0	Found 1/12 approved changesets -- score normalized to 0
Maintained	:green_circle: 10	30 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	:warning: 0	no effort to earn an OpenSSF best practices badge detected
License	:green_circle: 10	license file detected
Signed-Releases	:warning: -1	no releases found
Packaging	:warning: -1	packaging workflow not detected
Security-Policy	:green_circle: 10	security policy file detected
Dangerous-Workflow	:green_circle: 10	no dangerous workflow patterns detected
Token-Permissions	:warning: 0	detected GitHub workflow tokens with excessive permissions
Branch-Protection	:warning: 0	branch protection not enabled on development/release branches
Binary-Artifacts	:warning: 2	binaries present in source code
Vulnerabilities	:green_circle: 10	0 existing vulnerabilities detected
Pinned-Dependencies	:warning: 0	dependency not pinned by hash detected -- score normalized to 0
Fuzzing	:green_circle: 10	project is fuzzed
SAST	:warning: 0	SAST tool is not run on all commits -- score normalized to 0

Scanned Manifest Files

pytorch/serving/torchserve-xpu-requirements.txt

numpy@2.1.1
numpy@1.26.4

pytorch/venv-requirements.txt

intel-openmp@2024.2.1
mkl@2024.2.1
mkl-include@2024.2.1
psutil@6.0.0
setuptools@>= 70.0.0

github-advanced-security[bot] commented 3 weeks ago

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

intel / ai-containers

update setuptools and pip to resolve trivy vulnerabilities #380

Description

Related Issue

Changes Made

Validation

Dependency Review

License Issues

pytorch/venv-requirements.txt

OpenSSF Scorecard

Scanned Manifest Files