broadinstitute · dpark01 · Mar 31, 2026 · Mar 31, 2026 · Mar 31, 2026 · Copilot
diff --git a/docker/Dockerfile.assemble b/docker/Dockerfile.assemble
@@ -20,7 +20,7 @@

 # Workaround: add sequip lib directory to PERL5LIB
 # NOTE: sequip version here must match the version in requirements/assemble.txt
 ENV PERL5LIB=$PERL5LIB:/opt/conda/share/sequip-0.11/lib

 # Copy requirements and dependency installation script
 COPY docker/requirements/baseimage.txt docker/requirements/core.txt docker/requirements/assemble.txt docker/requirements/assemble-x86.txt /tmp/requirements/
@@ -28,11 +28,16 @@
 
 # Install conda dependencies (assembly tools)
 # All files resolved together in single micromamba call; x86-only files skipped on ARM
-# Remove mafft's dash_client (Go 1.22.1 binary with 11 Go stdlib CVEs) — we
-# never use --dash mode; delete inline so it never appears in any layer.
+# Post-install fixups (inline so vulnerable files never appear in a committed layer):
+#   - mafft's dash_client: Go 1.22.1 binary with Go stdlib CVEs; we never use --dash mode
+#   - Ruby json gem: mummer4/sequip pull in Ruby (via yaggo), whose bundled json gem
+#     has CVE-2026-33210; remove the old default gem and install patched version (>=2.19.2)
 RUN /tmp/install-conda-deps.sh /tmp/requirements/baseimage.txt /tmp/requirements/core.txt /tmp/requirements/assemble.txt \
     --x86-only:/tmp/requirements/assemble-x86.txt && \
-    rm -f /opt/conda/libexec/mafft/dash_client
+    rm -f /opt/conda/libexec/mafft/dash_client && \
+    find /opt/conda/lib/ruby -maxdepth 3 -name 'json*' -not -path '*/psych/*' -exec rm -rf {} + && \
+    rm -f /opt/conda/lib/ruby/gems/*/specifications/default/json-*.gemspec && \
-    rm -f /opt/conda/lib/ruby/gems/*/specifications/default/json-*.gemspec && \
+    RUBY_GEM_DIRS="$(ruby -e 'print Gem.default_dir' 2>/dev/null || true) $(gem env gemdir 2>/dev/null || true)" && \
+    for d in $RUBY_GEM_DIRS; do \
+      if [ -d "$d" ]; then \
+        rm -rf "$d"/gems/json-* "$d"/cache/json-* "$d"/specifications/json-*.gemspec "$d"/extensions/*/*/json-* 2>/dev/null || true; \
+        rm -f "$d"/specifications/default/json-*.gemspec 2>/dev/null || true; \
+      fi; \
+    done && \
-    find /opt/conda/lib/ruby -maxdepth 3 -name 'json*' -not -path '*/psych/*' -exec rm -rf {} + && \
-    rm -f /opt/conda/lib/ruby/gems/*/specifications/default/json-*.gemspec && \
+    RUBY_LIB_DIR="$(ruby -e 'require \"rbconfig\"; print RbConfig::CONFIG[\"rubylibdir\"]')" && \
+    RUBY_GEM_DIR="$(ruby -e 'print Gem.default_dir')" && \
+    find "$RUBY_LIB_DIR" -maxdepth 3 -name 'json*' -not -path '*/psych/*' -exec rm -rf {} + && \
+    rm -f "$RUBY_GEM_DIR"/specifications/default/json-*.gemspec && \
-    rm -f /opt/conda/lib/ruby/gems/*/specifications/default/json-*.gemspec && \
+    RUBY_GEM_DIRS="$(ruby -e 'print Gem.default_dir' 2>/dev/null || true) $(gem env gemdir 2>/dev/null || true)" && \
+    for d in $RUBY_GEM_DIRS; do \
+      if [ -d "$d" ]; then \
+        rm -rf "$d"/gems/json-* "$d"/cache/json-* "$d"/specifications/json-*.gemspec "$d"/extensions/*/*/json-* 2>/dev/null || true; \
+        rm -f "$d"/specifications/default/json-*.gemspec 2>/dev/null || true; \
+      fi; \
+    done && \
-    find /opt/conda/lib/ruby -maxdepth 3 -name 'json*' -not -path '*/psych/*' -exec rm -rf {} + && \
-    rm -f /opt/conda/lib/ruby/gems/*/specifications/default/json-*.gemspec && \
+    RUBY_LIB_DIR="$(ruby -e 'require \"rbconfig\"; print RbConfig::CONFIG[\"rubylibdir\"]')" && \
+    RUBY_GEM_DIR="$(ruby -e 'print Gem.default_dir')" && \
+    find "$RUBY_LIB_DIR" -maxdepth 3 -name 'json*' -not -path '*/psych/*' -exec rm -rf {} + && \
+    rm -f "$RUBY_GEM_DIR"/specifications/default/json-*.gemspec && \
+    gem install json --version '>=2.19.2' --no-document
-    gem install json --version '>=2.19.2' --no-document
+    gem install json --version '>=2.19.2' --no-document && \
+    ruby -e "require 'rubygems'; require 'json'; min = Gem::Version.new('2.19.2'); if Gem::Version.new(JSON::VERSION) < min; abort(\"json gem version #{JSON::VERSION} is less than required #{min}\"); end"
-    gem install json --version '>=2.19.2' --no-document
+    gem install json --version '>=2.19.2' --no-document && \
+    ruby -e "require 'rubygems'; require 'json'; min = Gem::Version.new('2.19.2'); if Gem::Version.new(JSON::VERSION) < min; abort(\"json gem version #{JSON::VERSION} is less than required #{min}\"); end"
 
 # Copy source code (includes assembly module)
 COPY src/ /opt/viral-ngs/source/src/

diff --git a/docker/Dockerfile.mega b/docker/Dockerfile.mega
@@ -25,13 +25,18 @@ COPY docker/install-conda-deps.sh /tmp/
 
 # Install ALL conda dependencies in single resolver call for proper dependency resolution
 # All files resolved together; x86-only files skipped on ARM
-# Remove mafft's dash_client (Go 1.22.1 binary with 11 Go stdlib CVEs) — we
-# never use --dash mode; delete inline so it never appears in any layer.
+# Post-install fixups (inline so vulnerable files never appear in a committed layer):
+#   - mafft's dash_client: Go 1.22.1 binary with Go stdlib CVEs; we never use --dash mode
+#   - Ruby json gem: mummer4 → yaggo → Ruby, whose bundled json gem has CVE-2026-33210;
+#     remove the old default gem and install patched version (>=2.19.2)
 RUN /tmp/install-conda-deps.sh /tmp/requirements/baseimage.txt /tmp/requirements/core.txt /tmp/requirements/assemble.txt /tmp/requirements/classify.txt /tmp/requirements/phylo.txt \
     --x86-only:/tmp/requirements/assemble-x86.txt \
     --x86-only:/tmp/requirements/classify-x86.txt \
     --x86-only:/tmp/requirements/phylo-x86.txt && \
-    rm -f /opt/conda/libexec/mafft/dash_client
+    rm -f /opt/conda/libexec/mafft/dash_client && \
+    find /opt/conda/lib/ruby -maxdepth 3 -name 'json*' -not -path '*/psych/*' -exec rm -rf {} + && \
+    rm -f /opt/conda/lib/ruby/gems/*/specifications/default/json-*.gemspec && \
+    gem install json --version '>=2.19.2' --no-document
 
 # Copy source code (includes all modules)
 COPY src/ /opt/viral-ngs/source/src/

diff --git a/docker/Dockerfile.phylo b/docker/Dockerfile.phylo
@@ -25,11 +25,16 @@ COPY docker/install-conda-deps.sh /tmp/
 
 # Install conda dependencies (phylo tools)
 # All files resolved together in single micromamba call; x86-only files skipped on ARM
-# Remove mafft's dash_client (Go 1.22.1 binary with 11 Go stdlib CVEs) — we
-# never use --dash mode; delete inline so it never appears in any layer.
+# Post-install fixups (inline so vulnerable files never appear in a committed layer):
+#   - mafft's dash_client: Go 1.22.1 binary with Go stdlib CVEs; we never use --dash mode
+#   - Ruby json gem: mummer4 pulls in yaggo → Ruby, whose bundled json gem has
+#     CVE-2026-33210; remove the old default gem and install patched version (>=2.19.2)
 RUN /tmp/install-conda-deps.sh /tmp/requirements/baseimage.txt /tmp/requirements/core.txt /tmp/requirements/phylo.txt \
     --x86-only:/tmp/requirements/phylo-x86.txt && \
-    rm -f /opt/conda/libexec/mafft/dash_client
+    rm -f /opt/conda/libexec/mafft/dash_client && \
+    find /opt/conda/lib/ruby -maxdepth 3 -name 'json*' -not -path '*/psych/*' -exec rm -rf {} + && \
+    rm -f /opt/conda/lib/ruby/gems/*/specifications/default/json-*.gemspec && \
+    gem install json --version '>=2.19.2' --no-document
 
 # Copy source code (includes phylo module)
 COPY src/ /opt/viral-ngs/source/src/