Closed collinss-jpl closed 1 month ago
Would like to quickly note that I found that all the above vulnerabilities come from the SAS image:
```
[rileykk@opera-pge-ci ~]$ grype --only-fixed artifactory-fn.jpl.nasa.gov:16001/gov/nasa/jpl/opera/adt/opera/dswx-s1:final_1.0
 ✔ Vulnerability DB        [updated]
 ✔ Pulled image
 ✔ Loaded image            artifactory-fn.jpl.nasa.gov:16001/gov/nasa/jpl/opera/adt/opera/dswx-s1:final_1.0
 ✔ Parsed image            sha256:5d69346f9b606174169791e71e734e4017385c5fe7dff8bf6bd7b09f2f1cee3b
 ✔ Cataloged packages      [339 packages]
 ✔ Scanned for vulnerabilities     [54 vulnerabilities]
   ├── 1 critical, 16 high, 31 medium, 5 low, 0 negligible (1 unknown)
   └── 28 fixed
NAME          INSTALLED          FIXED-IN                      TYPE    VULNERABILITY        SEVERITY
Fiona         1.9.4              1.10b1                        python  GHSA-q5fm-55c2-v6j9  Critical
Fiona         1.9.4              1.10b2                        python  GHSA-g4m4-9q4c-mfw6  High
Jinja2        3.1.2              3.1.4                         python  GHSA-h75v-3vvj-5mfj  Medium
Jinja2        3.1.2              3.1.3                         python  GHSA-h5c8-rqwp-cp95  Medium
Pillow        10.0.1             10.2.0                        python  GHSA-3f63-hfp8-52jq  High
Pillow        10.0.1             10.3.0                        python  GHSA-44wm-f244-xhp3  Medium
certifi       2023.7.22          2024.07.04                    python  GHSA-248v-346w-9cwc  Low
certifi       2024.6.2           2024.07.04                    python  GHSA-248v-346w-9cwc  Low
debug         3.2.6              3.2.7                         npm     GHSA-gxpj-cx7g-858c  Low
gnutls        3.6.16-8.el8_9.3   10:3.6.16-8.el8_9.3_fips      rpm     ELSA-2024-1784       Medium
gnutls        3.6.16-8.el8_9.3   10:3.6.16-8.el8_9.1_fips      rpm     ELSA-2024-12135      Medium
gnutls        3.6.16-8.el8_9.3   10:3.6.16-4.0.1.el8_fips      rpm     ELSA-2022-9221       Medium
idna          3.4                3.7                           python  GHSA-jjg7-2v4v-x38h  Medium
libgcrypt     1.8.5-7.el8_6      10:1.8.5-7.el8_6_fips         rpm     ELSA-2022-9564       High
libgcrypt     1.8.5-7.el8_6      10:1.8.5-6.el8_fips           rpm     ELSA-2022-9263       Medium
pip           23.2.1             23.3                          python  GHSA-mq26-g339-26xf  Medium
requests      2.31.0             2.32.0                        python  GHSA-9wx4-h78v-vm56  Medium
scikit-learn  1.3.1              1.5.0                         python  GHSA-jw8x-6495-233v  Medium
setuptools    39.2.0             65.5.1                        python  GHSA-r9hx-vwmv-q579  High
setuptools    39.2.0             70.0.0                        python  GHSA-cx63-2mw6-8hw5  High
setuptools    68.2.2             70.0.0                        python  GHSA-cx63-2mw6-8hw5  High
setuptools    69.5.1             70.0.0                        python  GHSA-cx63-2mw6-8hw5  High
tornado       6.3.3              6.4.1                         python  GHSA-w235-7p84-xx57  Medium
tornado       6.3.3              6.4.1                         python  GHSA-753j-mpmx-qq6g  Medium
urllib3       2.0.5              2.0.6                         python  GHSA-v845-jxx5-vc9f  Medium
urllib3       2.0.5              2.0.7                         python  GHSA-g4mx-q9vg-27p4  Medium
urllib3       2.0.5              2.2.2                         python  GHSA-34jh-p97f-mpxf  Medium
zipp          3.17.0             3.19.1                        python  GHSA-jfmj-5v4g-7637  Medium
```
Closed by #477
Work on this by @RKuttruff has been sufficient to demonstrate ways we can influence the Grype vulnerability report at PGE build time. Further work to address existing vulnerabilities is on hold until we determine whether ADT will prefer to integrate vulnerability scanning into their release workflow.
Now that we can generate container vulnerability reports via Grype, the next step is to experiment with ways to resolve said findings at time of PGE container creation.
Looking at a sample (abbreviated) vulnerability report, the following findings look like good candidates for testing an initial approach:
So the goal of this ticket will be to modify the container build script for a single PGE (for this go-around, let's use DSWx-S1) such that we install the newest "Fixed" version of Fiona/Jinja2/Pillow into the container's conda environment. We should then be able to rerun the Grype scan (via the integration test pipeline) to see if we've removed the above findings from the Grype report. The results of the integration test should also tell us if we've broken anything by introducing the newer package versions.
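As an added example (not code from this ticket or the OPERA PGE repository), the script below reads the `grype --only-fixed` table shown earlier in the thread and derives, for each python-type package, the single highest FIXED-IN version that clears all of its findings, the pin list the build script would need. It assumes pip-style `==` pins are what gets fed into the conda environment; the report rows are a constructed excerpt of the table above, and packages whose only fix is a pre-release (Fiona) are flagged rather than silently pinned.

```python
import re

# Constructed excerpt of the `grype --only-fixed` table from the comment above.
GRYPE_REPORT = """\
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
Fiona 1.9.4 1.10b1 python GHSA-q5fm-55c2-v6j9 Critical
Fiona 1.9.4 1.10b2 python GHSA-g4m4-9q4c-mfw6 High
Jinja2 3.1.2 3.1.4 python GHSA-h75v-3vvj-5mfj Medium
Jinja2 3.1.2 3.1.3 python GHSA-h5c8-rqwp-cp95 Medium
Pillow 10.0.1 10.2.0 python GHSA-3f63-hfp8-52jq High
Pillow 10.0.1 10.3.0 python GHSA-44wm-f244-xhp3 Medium
setuptools 39.2.0 65.5.1 python GHSA-r9hx-vwmv-q579 High
setuptools 39.2.0 70.0.0 python GHSA-cx63-2mw6-8hw5 High
gnutls 3.6.16-8.el8_9.3 10:3.6.16-8.el8_9.3_fips rpm ELSA-2024-1784 Medium
"""

_COMPONENT = re.compile(r"^(\d+)([a-z]+\d*)?$")

def version_key(version):
    """Sort key for versions like 1.10b1, 3.1.4, 2024.07.04; 10b1 sorts below 10."""
    key = []
    for part in version.split("."):
        m = _COMPONENT.match(part)
        if not m:
            raise ValueError(f"unsupported version {version!r}")
        suffix = m.group(2) or ""
        key.append((int(m.group(1)), 0 if suffix else 1, suffix))
    return tuple(key)

def is_prerelease(version):
    return any(flag == 0 for _, flag, _ in version_key(version))

def fixed_python_pins(report):
    """Map each python-type package to the highest FIXED-IN version listed, i.e.
    the one upgrade that clears all of its findings. rpm/npm rows are skipped:
    they are not installed through the conda environment."""
    pins = {}
    for line in report.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6 or fields[3] != "python":
            continue
        name, fixed_in = fields[0], fields[2]
        if name not in pins or version_key(fixed_in) > version_key(pins[name]):
            pins[name] = fixed_in
    return pins

def requirement_lines(pins):
    """pip '==' specifiers; pre-release-only fixes (Fiona above) are flagged for review."""
    return [f"{name}=={ver}" + ("  # pre-release" if is_prerelease(ver) else "")
            for name, ver in sorted(pins.items())]
```

Re-running the scan after the rebuild is still the real check: a pin that resolves but is not what ends up in the image (for example a second setuptools copy vendored by another package) will show up again in the report.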