chore(cves) Fixes for latest CVEs (#7003)

* [alibi-detect-server] Fixing SNYK-PYTHON-URLLIB3-14192442 CVE

* Skip few job in CI to save resources

* Upgrade urrlib3 in alibi-explain-server component

* Remove spacy tests to eliminate the CVE-2024-6345 vulnerability in setuptools dependency

* Pin urllib3 in mlflowserver to get rid of CVE-2025-66471

* pin urllib3 for `tfserving_proxy`

* Print deps tree to debug

* Fix broken workflow after adding another `if`

* Pin setuptools again to check deps tree

* Try to manually add snyk ignore

* Fix `--policy-path` arg

* Try `--exclude-base-image-vulns` arg as well

* Add pip freeze for server images

* Make .snyk `ignore` section more specific

* Enable all jobs in the python security tests

* Upgrade tornado minor version in alibi-explain, alibi-detect

* pin setuptools to exact version in tfserving_proxy

Author: tyndria

.github/workflows/security_tests_python_v1.yml

@@ -148,6 +148,11 @@ jobs:
           export SERVER_IMAGE_TAG="sec-tests/${{ matrix.server }}-$(date +%s)-$(openssl rand -hex 4)"
           echo "SERVER_IMAGE_TAG=$SERVER_IMAGE_TAG" >> $GITHUB_ENV
           make IMAGE_NAME=$SERVER_IMAGE_TAG VERSION=test BASE_IMAGE=${{ needs.build-upload-scan-base-images.outputs.python_base_image_tag }}:test docker-build
+      
+      - name: Capture pip freeze
+        run: |
+          docker run --rm $SERVER_IMAGE_TAG:test pip freeze > pip-freeze-${{ matrix.server }}.txt
+      
       - name: Scan
         id: scan
         uses: snyk/actions/docker@master
@@ -166,6 +171,12 @@ jobs:
         with:
           name: report-${{ matrix.server }}
           path: report-${{ matrix.server }}.txt
+      
+      - name: Upload pip freeze
+        uses: actions/upload-artifact@v4
+        with:
+          name: pip-freeze-${{ matrix.server }}
+          path: pip-freeze-${{ matrix.server }}.txt
 
   build-alibi-explain:
     needs: build-upload-scan-base-images

components/alibi-detect-server/poetry.lock

@@ -17,7 +17,7 @@ scikit-learn = "1.7.2"
 elasticsearch = "7.9.1"
 
 sh = "^1.14.2"
-tornado = "^6.1"
+tornado = "^6.5.3"
 protobuf = "^5.29.1"
 
 google-cloud-core = "1.4.1"

components/alibi-detect-server/pyproject.toml

@@ -52,6 +52,8 @@ RUN cp ./licenses/* /licenses
 # Install python spacy model to avoid issues in airgapped envs
 RUN python -m spacy download en_core_web_md
 
+# Remove spacy tests to eliminate the CVE-2024-6345 vulnerability in setuptools dependency
+RUN rm -rf /opt/conda/lib/python3.12/site-packages/spacy/tests/
 
 # Copy rest of the package
 COPY alibiexplainer alibiexplainer

components/alibi-explain-server/Dockerfile

@@ -20,11 +20,11 @@ transformers = "^4.53.0"
 catboost = "^1.2.8"
 tf-keras = "2.18.0"
 
-tornado = "6.5.2"
+tornado = "6.5.3"
 protobuf = "5.29.5"
 joblib = "1.2.0"
 requests = "^2.32.5"
-urllib3 = "^2.5.0"
+urllib3 = "^2.6.0"
 jinja2 = "^3.1.6"
 werkzeug = "^3.1.3"
 pillow = "^10.4.0"

components/alibi-explain-server/poetry.lock

@@ -40,7 +40,7 @@
         "cryptography>=46.0.3",
         "pyyaml>=6.0.3",
         "click>=8.3.0",
-        "urllib3>=2.5.0",
+        "urllib3>=2.6.0",
     ],
     extras_require=extras,
     entry_points={

components/alibi-explain-server/pyproject.toml

@@ -1,5 +1,6 @@
 PyYAML >= 6.0.3, < 7.0.0 # Python 3.12 compatiblity + CVE
 requests >= 2.32.5
+urllib3 >= 2.6.0
 pandas >= 2.3.3
 
 # CVE-2023-47248, CVE-2023-6753, CVE-2023-6709

python/setup.py

@@ -3,3 +3,5 @@ tensorflow-serving-api>=1.10.1
 grpcio>=1.32.0 # Required for https://github.com/SeldonIO/seldon-core/issues/2787
 grpcio-reflection>=1.32.0 # Required for https://github.com/SeldonIO/seldon-core/issues/2787
 requests
+urllib3>=2.6.0
+setuptools==78.1.1