Fix container vulnerabilities (#113)

setup/Dockerfile

@@ -257,6 +257,11 @@ RUN rm -rf /opt/pytorch/pytorch/third_party/onnx \
   && DEBIAN_FRONTEND=noninteractive apt remove -y libslurm37 libpmi2-0 openssh-client \
   && DEBIAN_FRONTEND=noninteractive apt autoremove -y
 
+# Remove lightning-app. Nemo and BioNeMo doesn't use it, and it introduces security vulnerabilities:
+# https://github.com/advisories/GHSA-cgwc-qvrx-rf7f
+# https://github.com/advisories/GHSA-mr7h-w2qc-ffc2
+RUN rm -rf /usr/local/lib/python3.10/dist-packages/lightning/app
+
 ####
 #### NOTE: THIS MUST BE THE ABSOLUTE **LAST** STEP BEFORE ENTRYPOINT !!!!!
 ####       SPECIFICALLY, THE SECTION LABELED "BioNeMo Build"
@@ -301,11 +306,5 @@ WORKDIR ${BIONEMO_HOME}
 # we already install dependencies earlier, directly from the requirements*.txt files
 RUN pip install --no-deps -e .
 
-# Remove lightning-app. Nemo and BioNeMo doesn't use it, and it introduces security vulnerabilities:
-# https://github.com/advisories/GHSA-cgwc-qvrx-rf7f
-# https://github.com/advisories/GHSA-mr7h-w2qc-ffc2
-RUN rm -rf /usr/local/lib/python3.10/dist-packages/lightning/app
-
-
 # FIXME: If BIONEMO_HOME _is not_ /workspace/bionemo, then this ENTRYPOINT is invalid!
 ENTRYPOINT ["/workspace/bionemo/setup/startup.sh"]

setup/requirements-cve.txt

@@ -5,8 +5,11 @@ transformers==4.36.0
 triton==2.1.0
 pillow==10.2.0
 jupyterlab==3.6.7
-aiohttp==3.9.0
-setuptools==65.5.1
 mpmath==1.3.0
 GitPython==3.1.41
 certifi==2023.7.22
+onnx>=1.16.0
+setuptools>=70.0.0
+nltk>=3.9.1
+aiohttp>=3.9.4
+Werkzeug>=3.0.3

setup/requirements.txt

@@ -5,8 +5,6 @@
 --extra-index-url https://pypi.ngc.nvidia.com
 --extra-index-url https://pypi.nvidia.com
 --extra-index-url https://pypi.python.org/simple
-# https://gitlab-master.nvidia.com/clara-discovery/fw2nim
-fw2nim==0.2.0
 pyfastx==1.1.0
 # matplotlib>=3.4.3
 matplotlib==3.8.0