diff --git a/.github/workflows/security_tests_python_v1.yml b/.github/workflows/security_tests_python_v1.yml index fe35584859..35888d731b 100644 --- a/.github/workflows/security_tests_python_v1.yml +++ b/.github/workflows/security_tests_python_v1.yml @@ -148,6 +148,11 @@ jobs: export SERVER_IMAGE_TAG="sec-tests/${{ matrix.server }}-$(date +%s)-$(openssl rand -hex 4)" echo "SERVER_IMAGE_TAG=$SERVER_IMAGE_TAG" >> $GITHUB_ENV make IMAGE_NAME=$SERVER_IMAGE_TAG VERSION=test BASE_IMAGE=${{ needs.build-upload-scan-base-images.outputs.python_base_image_tag }}:test docker-build + + - name: Capture pip freeze + run: | + docker run --rm $SERVER_IMAGE_TAG:test pip freeze > pip-freeze-${{ matrix.server }}.txt + - name: Scan id: scan uses: snyk/actions/docker@master @@ -166,6 +171,12 @@ jobs: with: name: report-${{ matrix.server }} path: report-${{ matrix.server }}.txt + + - name: Upload pip freeze + uses: actions/upload-artifact@v4 + with: + name: pip-freeze-${{ matrix.server }} + path: pip-freeze-${{ matrix.server }}.txt build-alibi-explain: needs: build-upload-scan-base-images diff --git a/components/alibi-detect-server/poetry.lock b/components/alibi-detect-server/poetry.lock index e9c1522e92..cd8dfa94d8 100644 --- a/components/alibi-detect-server/poetry.lock +++ b/components/alibi-detect-server/poetry.lock @@ -4890,24 +4890,24 @@ pyyaml = ["pyyaml"] [[package]] name = "tornado" -version = "6.5.2" +version = "6.5.3" description = "Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed." optional = false python-versions = ">=3.9" groups = ["main", "dev"] files = [ - {file = "tornado-6.5.2-cp39-abi3-macosx_10_9_universal2.whl", hash = "sha256:2436822940d37cde62771cff8774f4f00b3c8024fe482e16ca8387b8a2724db6"}, - {file = "tornado-6.5.2-cp39-abi3-macosx_10_9_x86_64.whl", hash = "sha256:583a52c7aa94ee046854ba81d9ebb6c81ec0fd30386d96f7640c96dad45a03ef"}, - {file = "tornado-6.5.2-cp39-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b0fe179f28d597deab2842b86ed4060deec7388f1fd9c1b4a41adf8af058907e"}, - {file = "tornado-6.5.2-cp39-abi3-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:b186e85d1e3536d69583d2298423744740986018e393d0321df7340e71898882"}, - {file = "tornado-6.5.2-cp39-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e792706668c87709709c18b353da1f7662317b563ff69f00bab83595940c7108"}, - {file = "tornado-6.5.2-cp39-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:06ceb1300fd70cb20e43b1ad8aaee0266e69e7ced38fa910ad2e03285009ce7c"}, - {file = "tornado-6.5.2-cp39-abi3-musllinux_1_2_i686.whl", hash = "sha256:74db443e0f5251be86cbf37929f84d8c20c27a355dd452a5cfa2aada0d001ec4"}, - {file = "tornado-6.5.2-cp39-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:b5e735ab2889d7ed33b32a459cac490eda71a1ba6857b0118de476ab6c366c04"}, - {file = "tornado-6.5.2-cp39-abi3-win32.whl", hash = "sha256:c6f29e94d9b37a95013bb669616352ddb82e3bfe8326fccee50583caebc8a5f0"}, - {file = "tornado-6.5.2-cp39-abi3-win_amd64.whl", hash = "sha256:e56a5af51cc30dd2cae649429af65ca2f6571da29504a07995175df14c18f35f"}, - {file = "tornado-6.5.2-cp39-abi3-win_arm64.whl", hash = "sha256:d6c33dc3672e3a1f3618eb63b7ef4683a7688e7b9e6e8f0d9aa5726360a004af"}, - {file = "tornado-6.5.2.tar.gz", hash = "sha256:ab53c8f9a0fa351e2c0741284e06c7a45da86afb544133201c5cc8578eb076a0"}, + {file = "tornado-6.5.3-cp39-abi3-macosx_10_9_universal2.whl", hash = "sha256:2dd7d7e8d3e4635447a8afd4987951e3d4e8d1fb9ad1908c54c4002aabab0520"}, + {file = "tornado-6.5.3-cp39-abi3-macosx_10_9_x86_64.whl", hash = "sha256:5977a396f83496657779f59a48c38096ef01edfe4f42f1c0634b791dde8165d0"}, + {file = "tornado-6.5.3-cp39-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f72ac800be2ac73ddc1504f7aa21069a4137e8d70c387172c063d363d04f2208"}, + {file = "tornado-6.5.3-cp39-abi3-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c43c4fc4f5419c6561cfb8b884a8f6db7b142787d47821e1a0e1296253458265"}, + {file = "tornado-6.5.3-cp39-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:de8b3fed4b3afb65d542d7702ac8767b567e240f6a43020be8eaef59328f117b"}, + {file = "tornado-6.5.3-cp39-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:dbc4b4c32245b952566e17a20d5c1648fbed0e16aec3fc7e19f3974b36e0e47c"}, + {file = "tornado-6.5.3-cp39-abi3-musllinux_1_2_i686.whl", hash = "sha256:db238e8a174b4bfd0d0238b8cfcff1c14aebb4e2fcdafbf0ea5da3b81caceb4c"}, + {file = "tornado-6.5.3-cp39-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:892595c100cd9b53a768cbfc109dfc55dec884afe2de5290611a566078d9692d"}, + {file = "tornado-6.5.3-cp39-abi3-win32.whl", hash = "sha256:88141456525fe291e47bbe1ba3ffb7982549329f09b4299a56813923af2bd197"}, + {file = "tornado-6.5.3-cp39-abi3-win_amd64.whl", hash = "sha256:ba4b513d221cc7f795a532c1e296f36bcf6a60e54b15efd3f092889458c69af1"}, + {file = "tornado-6.5.3-cp39-abi3-win_arm64.whl", hash = "sha256:278c54d262911365075dd45e0b6314308c74badd6ff9a54490e7daccdd5ed0ea"}, + {file = "tornado-6.5.3.tar.gz", hash = "sha256:16abdeb0211796ffc73765bc0a20119712d68afeeaf93d1a3f2edf6b3aee8d5a"}, ] [[package]] @@ -5286,4 +5286,4 @@ dev = ["pytest", "setuptools"] [metadata] lock-version = "2.1" python-versions = ">=3.12.0,<3.13" -content-hash = "9dfd6b57105ee6c6e235a13861723abf0efe67b65f7f657f265f0871a3180289" +content-hash = "908758bd8bb525ea8e6859c019c7fa50b2e52024d36cfc4fbcb574078d3c4ad4" diff --git a/components/alibi-detect-server/pyproject.toml b/components/alibi-detect-server/pyproject.toml index 93625e76ce..00e825b0ab 100644 --- a/components/alibi-detect-server/pyproject.toml +++ b/components/alibi-detect-server/pyproject.toml @@ -17,7 +17,7 @@ scikit-learn = "1.7.2" elasticsearch = "7.9.1" sh = "^1.14.2" -tornado = "^6.1" +tornado = "^6.5.3" protobuf = "^5.29.1" google-cloud-core = "1.4.1" diff --git a/components/alibi-explain-server/Dockerfile b/components/alibi-explain-server/Dockerfile index 093f0257a8..d01d87d855 100644 --- a/components/alibi-explain-server/Dockerfile +++ b/components/alibi-explain-server/Dockerfile @@ -52,6 +52,8 @@ RUN cp ./licenses/* /licenses # Install python spacy model to avoid issues in airgapped envs RUN python -m spacy download en_core_web_md +# Remove spacy tests to eliminate the CVE-2024-6345 vulnerability in setuptools dependency +RUN rm -rf /opt/conda/lib/python3.12/site-packages/spacy/tests/ # Copy rest of the package COPY alibiexplainer alibiexplainer diff --git a/components/alibi-explain-server/poetry.lock b/components/alibi-explain-server/poetry.lock index d11c028613..fd2464b126 100644 --- a/components/alibi-explain-server/poetry.lock +++ b/components/alibi-explain-server/poetry.lock @@ -1,4 +1,4 @@ -# This file is automatically @generated by Poetry 2.1.2 and should not be changed by hand. +# This file is automatically @generated by Poetry 2.2.1 and should not be changed by hand. [[package]] name = "absl-py" @@ -5241,24 +5241,24 @@ files = [ [[package]] name = "tornado" -version = "6.5.2" +version = "6.5.3" description = "Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed." optional = false python-versions = ">=3.9" groups = ["main", "dev"] files = [ - {file = "tornado-6.5.2-cp39-abi3-macosx_10_9_universal2.whl", hash = "sha256:2436822940d37cde62771cff8774f4f00b3c8024fe482e16ca8387b8a2724db6"}, - {file = "tornado-6.5.2-cp39-abi3-macosx_10_9_x86_64.whl", hash = "sha256:583a52c7aa94ee046854ba81d9ebb6c81ec0fd30386d96f7640c96dad45a03ef"}, - {file = "tornado-6.5.2-cp39-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b0fe179f28d597deab2842b86ed4060deec7388f1fd9c1b4a41adf8af058907e"}, - {file = "tornado-6.5.2-cp39-abi3-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:b186e85d1e3536d69583d2298423744740986018e393d0321df7340e71898882"}, - {file = "tornado-6.5.2-cp39-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e792706668c87709709c18b353da1f7662317b563ff69f00bab83595940c7108"}, - {file = "tornado-6.5.2-cp39-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:06ceb1300fd70cb20e43b1ad8aaee0266e69e7ced38fa910ad2e03285009ce7c"}, - {file = "tornado-6.5.2-cp39-abi3-musllinux_1_2_i686.whl", hash = "sha256:74db443e0f5251be86cbf37929f84d8c20c27a355dd452a5cfa2aada0d001ec4"}, - {file = "tornado-6.5.2-cp39-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:b5e735ab2889d7ed33b32a459cac490eda71a1ba6857b0118de476ab6c366c04"}, - {file = "tornado-6.5.2-cp39-abi3-win32.whl", hash = "sha256:c6f29e94d9b37a95013bb669616352ddb82e3bfe8326fccee50583caebc8a5f0"}, - {file = "tornado-6.5.2-cp39-abi3-win_amd64.whl", hash = "sha256:e56a5af51cc30dd2cae649429af65ca2f6571da29504a07995175df14c18f35f"}, - {file = "tornado-6.5.2-cp39-abi3-win_arm64.whl", hash = "sha256:d6c33dc3672e3a1f3618eb63b7ef4683a7688e7b9e6e8f0d9aa5726360a004af"}, - {file = "tornado-6.5.2.tar.gz", hash = "sha256:ab53c8f9a0fa351e2c0741284e06c7a45da86afb544133201c5cc8578eb076a0"}, + {file = "tornado-6.5.3-cp39-abi3-macosx_10_9_universal2.whl", hash = "sha256:2dd7d7e8d3e4635447a8afd4987951e3d4e8d1fb9ad1908c54c4002aabab0520"}, + {file = "tornado-6.5.3-cp39-abi3-macosx_10_9_x86_64.whl", hash = "sha256:5977a396f83496657779f59a48c38096ef01edfe4f42f1c0634b791dde8165d0"}, + {file = "tornado-6.5.3-cp39-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f72ac800be2ac73ddc1504f7aa21069a4137e8d70c387172c063d363d04f2208"}, + {file = "tornado-6.5.3-cp39-abi3-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c43c4fc4f5419c6561cfb8b884a8f6db7b142787d47821e1a0e1296253458265"}, + {file = "tornado-6.5.3-cp39-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:de8b3fed4b3afb65d542d7702ac8767b567e240f6a43020be8eaef59328f117b"}, + {file = "tornado-6.5.3-cp39-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:dbc4b4c32245b952566e17a20d5c1648fbed0e16aec3fc7e19f3974b36e0e47c"}, + {file = "tornado-6.5.3-cp39-abi3-musllinux_1_2_i686.whl", hash = "sha256:db238e8a174b4bfd0d0238b8cfcff1c14aebb4e2fcdafbf0ea5da3b81caceb4c"}, + {file = "tornado-6.5.3-cp39-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:892595c100cd9b53a768cbfc109dfc55dec884afe2de5290611a566078d9692d"}, + {file = "tornado-6.5.3-cp39-abi3-win32.whl", hash = "sha256:88141456525fe291e47bbe1ba3ffb7982549329f09b4299a56813923af2bd197"}, + {file = "tornado-6.5.3-cp39-abi3-win_amd64.whl", hash = "sha256:ba4b513d221cc7f795a532c1e296f36bcf6a60e54b15efd3f092889458c69af1"}, + {file = "tornado-6.5.3-cp39-abi3-win_arm64.whl", hash = "sha256:278c54d262911365075dd45e0b6314308c74badd6ff9a54490e7daccdd5ed0ea"}, + {file = "tornado-6.5.3.tar.gz", hash = "sha256:16abdeb0211796ffc73765bc0a20119712d68afeeaf93d1a3f2edf6b3aee8d5a"}, ] [[package]] @@ -5445,21 +5445,21 @@ files = [ [[package]] name = "urllib3" -version = "2.5.0" +version = "2.6.1" description = "HTTP library with thread-safe connection pooling, file post, and more." optional = false python-versions = ">=3.9" groups = ["main", "dev"] files = [ - {file = "urllib3-2.5.0-py3-none-any.whl", hash = "sha256:e6b01673c0fa6a13e374b50871808eb3bf7046c4b125b216f6bf1cc604cff0dc"}, - {file = "urllib3-2.5.0.tar.gz", hash = "sha256:3fc47733c7e419d4bc3f6b3dc2b4f890bb743906a30d56ba4a5bfa4bbff92760"}, + {file = "urllib3-2.6.1-py3-none-any.whl", hash = "sha256:e67d06fe947c36a7ca39f4994b08d73922d40e6cca949907be05efa6fd75110b"}, + {file = "urllib3-2.6.1.tar.gz", hash = "sha256:5379eb6e1aba4088bae84f8242960017ec8d8e3decf30480b3a1abdaa9671a3f"}, ] [package.extras] -brotli = ["brotli (>=1.0.9) ; platform_python_implementation == \"CPython\"", "brotlicffi (>=0.8.0) ; platform_python_implementation != \"CPython\""] +brotli = ["brotli (>=1.2.0) ; platform_python_implementation == \"CPython\"", "brotlicffi (>=1.2.0.0) ; platform_python_implementation != \"CPython\""] h2 = ["h2 (>=4,<5)"] socks = ["pysocks (>=1.5.6,!=1.5.7,<2.0)"] -zstd = ["zstandard (>=0.18.0)"] +zstd = ["backports-zstd (>=1.0.0) ; python_version < \"3.14\""] [[package]] name = "wasabi" @@ -5840,4 +5840,4 @@ propcache = ">=0.2.1" [metadata] lock-version = "2.1" python-versions = ">=3.12.0,<3.13" -content-hash = "3420fe8527cb8904a36bbee620593169cac0db8d2a01e0a1d5f74b416ad079c5" +content-hash = "660e2847205bb209ae1f256b470a27a2bcce3790a5bf4942c402aa8062cb6520" diff --git a/components/alibi-explain-server/pyproject.toml b/components/alibi-explain-server/pyproject.toml index 065d2b1c9a..ad5bc4b450 100644 --- a/components/alibi-explain-server/pyproject.toml +++ b/components/alibi-explain-server/pyproject.toml @@ -20,11 +20,11 @@ transformers = "^4.53.0" catboost = "^1.2.8" tf-keras = "2.18.0" -tornado = "6.5.2" +tornado = "6.5.3" protobuf = "5.29.5" joblib = "1.2.0" requests = "^2.32.5" -urllib3 = "^2.5.0" +urllib3 = "^2.6.0" jinja2 = "^3.1.6" werkzeug = "^3.1.3" pillow = "^10.4.0" diff --git a/python/setup.py b/python/setup.py index dcee8d8370..6fdbc0132c 100644 --- a/python/setup.py +++ b/python/setup.py @@ -40,7 +40,7 @@ "cryptography>=46.0.3", "pyyaml>=6.0.3", "click>=8.3.0", - "urllib3>=2.5.0", + "urllib3>=2.6.0", ], extras_require=extras, entry_points={ diff --git a/servers/mlflowserver/mlflowserver/requirements.txt b/servers/mlflowserver/mlflowserver/requirements.txt index 940d73b5f3..91f1648451 100644 --- a/servers/mlflowserver/mlflowserver/requirements.txt +++ b/servers/mlflowserver/mlflowserver/requirements.txt @@ -1,5 +1,6 @@ PyYAML >= 6.0.3, < 7.0.0 # Python 3.12 compatiblity + CVE requests >= 2.32.5 +urllib3 >= 2.6.0 pandas >= 2.3.3 # CVE-2023-47248, CVE-2023-6753, CVE-2023-6709 diff --git a/servers/tfserving_proxy/requirements.txt b/servers/tfserving_proxy/requirements.txt index 871f17b051..b787825970 100644 --- a/servers/tfserving_proxy/requirements.txt +++ b/servers/tfserving_proxy/requirements.txt @@ -3,3 +3,5 @@ tensorflow-serving-api>=1.10.1 grpcio>=1.32.0 # Required for https://github.com/SeldonIO/seldon-core/issues/2787 grpcio-reflection>=1.32.0 # Required for https://github.com/SeldonIO/seldon-core/issues/2787 requests +urllib3>=2.6.0 +setuptools==78.1.1