chore: patch cves related to emacs, certifi, and and golang (#4631)

evakravi · web-flow · commit b26d29f93036 · 2025-03-11T17:59:40.000-07:00
diff --git a/huggingface/pytorch/training/docker/2.1/py3/sdk2.20.0/Dockerfile.neuronx b/huggingface/pytorch/training/docker/2.1/py3/sdk2.20.0/Dockerfile.neuronx
@@ -14,8 +14,6 @@ ARG DATASETS_VERSION
 ARG GEVENT_VERSION=24.10.3
 ARG PYTHON=python3
 
-RUN apt-get remove -y --purge emacs && \
-apt-get autoremove -y
 
 RUN pip install --upgrade pip
 
@@ -29,6 +27,10 @@ RUN pip install --no-cache-dir \
     peft \
 	gevent==${GEVENT_VERSION}
 
+
+RUN pip uninstall -y certifi
+RUN rm -rf /usr/lib/python3/dist-packages/certifi*
+
 # Pin numpy to version required by neuronx-cc
 # Update Pillow and urllib version to fix high and critical vulnerabilities
 RUN pip install -U \
@@ -44,7 +46,10 @@ RUN pip install -U \
 	boto3 \
 	botocore \
 	google-auth \
-	"urllib3>=1.26.17,<1.27"
+	"urllib3>=1.26.17,<1.27" \
+	certifi
+
+RUN rm -rf /usr/lib/go-*
 
 RUN apt-get update \
  && apt install -y --no-install-recommends \
@@ -55,10 +60,18 @@ RUN apt-get update \
 	libarchive13 \
 	libgstreamer1.0-0 \
 	libgstreamer-plugins-base1.0-0 \
- && apt-get upgrade -y apparmor \
+ && apt-get upgrade -y apparmor golang-go \
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/*
 
+RUN apt-get update && \
+	apt-get install -y golang-1.21 && \
+	update-alternatives --install /usr/bin/go go /usr/lib/go-1.21/bin/go 1 && \
+	update-alternatives --install /usr/bin/gofmt gofmt /usr/lib/go-1.21/bin/gofmt 1
+
+RUN apt-get remove -y --purge emacs emacs-common && \
+	apt-get autoremove -y
+
 RUN HOME_DIR=/root \
  && curl -o ${HOME_DIR}/oss_compliance.zip https://aws-dlinfra-utilities.s3.amazonaws.com/oss_compliance.zip \
  && unzip ${HOME_DIR}/oss_compliance.zip -d ${HOME_DIR}/ \
