[MIniconda] - Cryptography - Patch security vulnerability - GHSA-3ww4-gg4f-jr7f (#965)

gauravsaini04 · web-flow · commit 9bb5c4f0540a · 2024-02-16T15:24:35.000-08:00
* [MIniconda] - Cryptography - Patch security vulnerability - GHSA-3ww4-gg4f-jr7f * changes according to comments * install pyopenssl v24.0.0 * Added tests to show that pip works correctly
diff --git a/src/miniconda/.devcontainer/Dockerfile b/src/miniconda/.devcontainer/Dockerfile
@@ -7,8 +7,12 @@ FROM continuumio/miniconda3 as upstream
     # <package_name> = <version>
 
 RUN conda install \
-    # https://github.com/advisories/GHSA-jfhm-5ghh-2f97
-    cryptography==41.0.7
+    # https://github.com/advisories/GHSA-3ww4-gg4f-jr7f
+    cryptography==42.0.2
+
+RUN python3 -m pip install --upgrade \
+    # installed for compatibility with cryptography v42.0.2
+    pyopenssl==24.0.0
 
 # Reset and copy updated files with updated privs to keep image size down
 FROM mcr.microsoft.com/devcontainers/base:1-bullseye
diff --git a/src/miniconda/test-project/test-utils.sh b/src/miniconda/test-project/test-utils.sh
@@ -180,3 +180,29 @@ checkCondaPackageVersion()
     current_version=$(conda list "${PACKAGE}" | grep -E "^${PACKAGE}\s" | awk '{print $2}')
     check-version-ge "conda-${PACKAGE}-requirement" "${current_version}" "${REQUIRED_VERSION}"
 }
+
+# Function to check if a package is installed
+checkPackageInstalled() {
+    if python -c "import $1" &>/dev/null; then
+        echo -e "\n✅ Passed! \n$1 is installed"
+    else
+        echo -e "$1 is NOT installed\n"
+        echoStderr "❌ check failed."
+    fi
+}
+
+# Function to install a package using pip
+installPackage() {
+    python3 -m pip install "$1"
+}
+
+checkPipWorkingCorrectly() {
+    # List of packages to install via pip
+    packages=("numpy" "requests" "matplotlib")
+    # Install packages and check if installation was successful
+    for package in "${packages[@]}"; do
+        echo -e "\n🧪 Testing pip install $package\n"
+        installPackage "$package"
+        checkPackageInstalled "$package"
+    done
+}
diff --git a/src/miniconda/test-project/test.sh b/src/miniconda/test-project/test.sh
@@ -18,12 +18,12 @@ check "gitconfig-contains-name" sh -c "cat /etc/gitconfig | grep 'name = devcont
 
 check "usr-local-etc-config-does-not-exist" test ! -f "/usr/local/etc/gitconfig"
 
-checkPythonPackageVersion "cryptography" "41.0.7"
+checkPythonPackageVersion "cryptography" "42.0.2"
 checkPythonPackageVersion "setuptools" "65.5.1"
 checkPythonPackageVersion "wheel" "0.38.1"
 
-checkCondaPackageVersion "cryptography" "41.0.7"
-checkCondaPackageVersion "pyopenssl" "23.2.0"
+checkCondaPackageVersion "cryptography" "42.0.2"
+checkCondaPackageVersion "pyopenssl" "24.0.0"
 checkCondaPackageVersion "setuptools" "65.5.1"
 checkCondaPackageVersion "wheel" "0.38.1"
 checkCondaPackageVersion "requests" "2.31.0"
@@ -33,5 +33,7 @@ check "conda-update-conda" bash -c "conda update -y conda"
 check "conda-install-tensorflow" bash -c "conda create --name test-env -c conda-forge --yes tensorflow"
 check "conda-install-pytorch" bash -c "conda create --name test-env -c conda-forge --yes pytorch"
 
+checkPipWorkingCorrectly
+
 # Report result
 reportResults
