Skip to content

chore(cves) Fixes for latest CVEs #7003

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
tyndria merged 17 commits into from
Dec 17, 2025
Merged

chore(cves) Fixes for latest CVEs #7003

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
0121784
[alibi-detect-server] Fixing SNYK-PYTHON-URLLIB3-14192442 CVE
tyndria Dec 10, 2025
f6f135b
Skip few job in CI to save resources
tyndria Dec 10, 2025
4cb2f99
Upgrade urrlib3 in alibi-explain-server component
tyndria Dec 11, 2025
27efcbe
Remove spacy tests to eliminate the CVE-2024-6345 vulnerability in se…
tyndria Dec 11, 2025
ad4a2f2
Pin urllib3 in mlflowserver to get rid of CVE-2025-66471
tyndria Dec 11, 2025
b7b38f9
pin urllib3 for `tfserving_proxy`
tyndria Dec 11, 2025
3dd3e64
Print deps tree to debug
tyndria Dec 11, 2025
793ce74
Fix broken workflow after adding another `if`
tyndria Dec 11, 2025
0c9e9a5
Pin setuptools again to check deps tree
tyndria Dec 11, 2025
6b66b76
Try to manually add snyk ignore
tyndria Dec 15, 2025
6be9955
Fix `--policy-path` arg
tyndria Dec 15, 2025
916d17b
Try `--exclude-base-image-vulns` arg as well
tyndria Dec 15, 2025
ef1e252
Add pip freeze for server images
tyndria Dec 15, 2025
cf36607
Make .snyk `ignore` section more specific
tyndria Dec 15, 2025
e82736f
Enable all jobs in the python security tests
tyndria Dec 15, 2025
1b22548
Upgrade tornado minor version in alibi-explain, alibi-detect
tyndria Dec 15, 2025
a37d670
pin setuptools to exact version in tfserving_proxy
tyndria Dec 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions .github/workflows/security_tests_python_v1.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -148,6 +148,11 @@ jobs:
export SERVER_IMAGE_TAG="sec-tests/${{ matrix.server }}-$(date +%s)-$(openssl rand -hex 4)"
echo "SERVER_IMAGE_TAG=$SERVER_IMAGE_TAG" >> $GITHUB_ENV
make IMAGE_NAME=$SERVER_IMAGE_TAG VERSION=test BASE_IMAGE=${{ needs.build-upload-scan-base-images.outputs.python_base_image_tag }}:test docker-build

- name: Capture pip freeze
run: |
docker run --rm $SERVER_IMAGE_TAG:test pip freeze > pip-freeze-${{ matrix.server }}.txt

- name: Scan
id: scan
uses: snyk/actions/docker@master
Expand All @@ -166,6 +171,12 @@ jobs:
with:
name: report-${{ matrix.server }}
path: report-${{ matrix.server }}.txt

- name: Upload pip freeze
uses: actions/upload-artifact@v4
with:
name: pip-freeze-${{ matrix.server }}
path: pip-freeze-${{ matrix.server }}.txt

build-alibi-explain:
needs: build-upload-scan-base-images
Expand Down
28 changes: 14 additions & 14 deletions components/alibi-detect-server/poetry.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion components/alibi-detect-server/pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ scikit-learn = "1.7.2"
elasticsearch = "7.9.1"

sh = "^1.14.2"
tornado = "^6.1"
tornado = "^6.5.3"
protobuf = "^5.29.1"

google-cloud-core = "1.4.1"
Expand Down
2 changes: 2 additions & 0 deletions components/alibi-explain-server/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,8 @@ RUN cp ./licenses/* /licenses
# Install python spacy model to avoid issues in airgapped envs
RUN python -m spacy download en_core_web_md

# Remove spacy tests to eliminate the CVE-2024-6345 vulnerability in setuptools dependency
RUN rm -rf /opt/conda/lib/python3.12/site-packages/spacy/tests/

# Copy rest of the package
COPY alibiexplainer alibiexplainer
Expand Down
40 changes: 20 additions & 20 deletions components/alibi-explain-server/poetry.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions components/alibi-explain-server/pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,11 +20,11 @@ transformers = "^4.53.0"
catboost = "^1.2.8"
tf-keras = "2.18.0"

tornado = "6.5.2"
tornado = "6.5.3"
protobuf = "5.29.5"
joblib = "1.2.0"
requests = "^2.32.5"
urllib3 = "^2.5.0"
urllib3 = "^2.6.0"
jinja2 = "^3.1.6"
werkzeug = "^3.1.3"
pillow = "^10.4.0"
Expand Down
2 changes: 1 addition & 1 deletion python/setup.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@
"cryptography>=46.0.3",
"pyyaml>=6.0.3",
"click>=8.3.0",
"urllib3>=2.5.0",
"urllib3>=2.6.0",
],
extras_require=extras,
entry_points={
Expand Down
1 change: 1 addition & 0 deletions servers/mlflowserver/mlflowserver/requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
PyYAML >= 6.0.3, < 7.0.0 # Python 3.12 compatiblity + CVE
requests >= 2.32.5
urllib3 >= 2.6.0
pandas >= 2.3.3

# CVE-2023-47248, CVE-2023-6753, CVE-2023-6709
Expand Down
2 changes: 2 additions & 0 deletions servers/tfserving_proxy/requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,3 +3,5 @@ tensorflow-serving-api>=1.10.1
grpcio>=1.32.0 # Required for https://github.com/SeldonIO/seldon-core/issues/2787
grpcio-reflection>=1.32.0 # Required for https://github.com/SeldonIO/seldon-core/issues/2787
requests
urllib3>=2.6.0
setuptools==78.1.1
Loading