Issue regarding the high CVE Score for the associated packages in the ODD collector Image

[mavenzer]

So we are trying to pull the ODD collector image with the tag 0.1.54, But it has couple of critical CVEs in the image. I'm listing all the critical CVE's and associated security implications.

mlflow:2.7.1

• A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information. More information here More information here
• Fix : Upgrade mlflow to version like 2.11.3. More Information here

PyArrow:

• Deserialization of Untrusted Data More information here
• Fix : Upgrade pyarrow to version 14.0.1 or higher. More information here

[ValeriyWorld]

We are currently working on bumping our dependency versions for collector. But due to complex cross-dependencies we are forced to do it in multiple packages, so we need some time to do it properly.

[mavenzer]

Understood your points @ValeriyWorld

[ValeriyWorld]

@mavenzer We bumped dependency versions with this PR so I close this issue. Also we bumped our odd-models package and oddrn-generator as odd-collector depends on them.