Address High vulnerabilities in ModelMesh SNYK reports

[heyselbi]

Address 14 high vulnerabilities in MM repos, upstream first. There are no critical vulnerabilities.

• [ ] 5 in modelmesh-runtime-adapter
• [x] 3 in modelmesh-serving
• [x] 1 in modelmesh
• [x] 4 in odh-model-controller
• [x] 1 in rest-proxy

(highly recommended but not required) Address quay.io vulnerabilities:

• [x] 4 high in modelmesh-controller
• [x] 1 critical in modelmesh
• [x] 7 high in odh-model-controller

[spolti]

rest-proxy (community):

• depends on:
  • https://github.com/kserve/modelmesh-serving/issues/481
    • About this one, we have changed the apimachinery dependency on community, will apply the same on odh when we get it approved on comommunity.
  • https://github.com/kserve/rest-proxy/pull/28
  • https://github.com/kserve/rest-proxy/pull/30 - will address github.com/elazarl/goproxy Denial of Service (DoS).

rest-proxy (odh):

• github.com/elazarl/goproxy Denial of Service (DoS) -https://github.com/opendatahub-io/rest-proxy/pull/24

[spolti]

Modelmesh updates:

• bump ubi8 tag
  • community: https://github.com/kserve/modelmesh/pull/121
  • odh: https://github.com/opendatahub-io/modelmesh/pull/45
• org.bouncycastle:bcprov-jdk15on:1.70
  • community: https://github.com/kserve/modelmesh/pull/122
  • odh: https://github.com/opendatahub-io/modelmesh/pull/46
• Zookeper
  • Depends on:
    • https://github.com/IBM/litelinks-core/pull/13
  • Needs to cherry-pick to odh: https://github.com/kserve/modelmesh/pull/128
    • Sync: https://github.com/opendatahub-io/modelmesh/pull/47
      • this will also address the Quay report.
      • quay report is now green.
• Netty: There is no patch for https://app.snyk.io/vuln/SNYK-JAVA-IONETTY-1042268, the suggested fix is to enable hostname verification by default (already done on netty 5).
  • I am in touch with Nick, litelinks maintainer to see what can we do.

[spolti]

odh-model-controller:

• github.com/openshift/api Authentication Bypass Using an Alternate Path or Channel

  • there is not fix for it, however there is a workaround:
  • Remove the permissions to update, patch the pods/ephemeralcontainers subresource from any low-privileged users, if there are any that currently hold it.
  • We are good since the odh-model-controller does not expose the given resource through rbac.

• github.com/elazarl/goproxy Denial of Service (DoS)

  • https://github.com/opendatahub-io/odh-model-controller/pull/120

• Container Image:

  • https://quay.io/repository/opendatahub/odh-model-controller/manifest/sha256:af7a6ba1b3a81c105aa77af12afbc8e439704496ea74254c4b758a0de4d8e3a2?tab=vulnerabilities

• otelhttp fixes:

  • https://github.com/opendatahub-io/odh-model-controller/pull/123

[spolti]

Modelmesh-controller, alerts fixed:

• https://quay.io/repository/opendatahub/modelmesh-controller/manifest/sha256:53149f2b1c4f3b44c9584105cd576988100eb528c870f79cc4ccacf1a0c3bd4a?tab=vulnerabilities

[spolti]

modelmesh-serving:

• odh: https://github.com/opendatahub-io/modelmesh-serving/pull/254
• community: https://github.com/kserve/modelmesh-serving/pull/459

[spolti]

modelmesh-runtime-adapter:

• odh: https://github.com/opendatahub-io/modelmesh-runtime-adapter/pull/37
• community: WIP

Migrated to https://github.com/opendatahub-io/modelmesh-serving/issues/256 As it depends on https://github.com/kserve/modelmesh-runtime-adapter/pull/68