From f8d01eb1ad4a31da711f17b50f9da7fc9d3de381 Mon Sep 17 00:00:00 2001
From: Ohad Mosafi
Date: Thu, 22 Aug 2024 17:47:15 +0400
Subject: [PATCH] Fix container vulnerabilities (#113)
---
 setup/Dockerfile | 11 +++++------
 setup/requirements-cve.txt | 7 +++++--
 setup/requirements.txt | 2 --
 3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/setup/Dockerfile b/setup/Dockerfile
index cebc5add61..0528f0ef1d 100644
--- a/setup/Dockerfile
+++ b/setup/Dockerfile
@@ -257,6 +257,11 @@ RUN rm -rf /opt/pytorch/pytorch/third_party/onnx \
 && DEBIAN_FRONTEND=noninteractive apt remove -y libslurm37 libpmi2-0 openssh-client \
 && DEBIAN_FRONTEND=noninteractive apt autoremove -y
+# Remove lightning-app. Nemo and BioNeMo doesn't use it, and it introduces security vulnerabilities:
+# https://github.com/advisories/GHSA-cgwc-qvrx-rf7f
+# https://github.com/advisories/GHSA-mr7h-w2qc-ffc2
+RUN rm -rf /usr/local/lib/python3.10/dist-packages/lightning/app
+
 ####
 #### NOTE: THIS MUST BE THE ABSOLUTE **LAST** STEP BEFORE ENTRYPOINT !!!!!
 #### SPECIFICALLY, THE SECTION LABELED "BioNeMo Build"
@@ -301,11 +306,5 @@ WORKDIR ${BIONEMO_HOME}
 # we already install dependencies earlier, directly from the requirements*.txt files
 RUN pip install --no-deps -e .
-# Remove lightning-app. Nemo and BioNeMo doesn't use it, and it introduces security vulnerabilities:
-# https://github.com/advisories/GHSA-cgwc-qvrx-rf7f
-# https://github.com/advisories/GHSA-mr7h-w2qc-ffc2
-RUN rm -rf /usr/local/lib/python3.10/dist-packages/lightning/app
-
-
 # FIXME: If BIONEMO_HOME _is not_ /workspace/bionemo, then this ENTRYPOINT is invalid!
 ENTRYPOINT ["/workspace/bionemo/setup/startup.sh"]
diff --git a/setup/requirements-cve.txt b/setup/requirements-cve.txt
index 0bcc97c44f..b2c7edbf8a 100644
--- a/setup/requirements-cve.txt
+++ b/setup/requirements-cve.txt
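Review bot: The added `RUN rm -rf /usr/local/lib/python3.10/dist-packages/lightning/app` deletes the files but leaves the `lightning` dist-info metadata (METADATA, RECORD) untouched, so pip still reports the full package as installed and a scanner that resolves advisories from package metadata would plausibly keep reporting GHSA-cgwc-qvrx-rf7f and GHSA-mr7h-w2qc-ffc2 against this image; the mitigation is real on disk but invisible to the tooling that motivated it. The path also hard-codes `python3.10` and `rm -rf` on a missing directory succeeds, so a base-image bump would silently turn this step into a no-op. Consider resolving the location at build time and failing the build if it is absent, e.g. `RUN d="$(python -c 'import lightning, os; print(os.path.dirname(lightning.__file__))')/app" && test -d "$d" && rm -rf "$d"`, and extend the comment with `# NOTE: lightning's dist-info is left in place, so SBOM/CVE scanners keyed on the package version will still list these advisories.` The step was moved earlier so that the "BioNeMo Build" section stays last; the RUN it now precedes continues outside the hunk.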
@@ -5,8 +5,11 @@ transformers==4.36.0
 triton==2.1.0
 pillow==10.2.0
 jupyterlab==3.6.7
-aiohttp==3.9.0
-setuptools==65.5.1
 mpmath==1.3.0
 GitPython==3.1.41
 certifi==2023.7.22
+onnx>=1.16.0
+setuptools>=70.0.0
+nltk>=3.9.1
+aiohttp>=3.9.4
+Werkzeug>=3.0.3
diff --git a/setup/requirements.txt b/setup/requirements.txt
index 630240702b..281c59ff57 100644
--- a/setup/requirements.txt
+++ b/setup/requirements.txt
@@ -5,8 +5,6 @@
 --extra-index-url https://pypi.ngc.nvidia.com
 --extra-index-url https://pypi.nvidia.com
 --extra-index-url https://pypi.python.org/simple
-# https://gitlab-master.nvidia.com/clara-discovery/fw2nim
-fw2nim==0.2.0
 pyfastx==1.1.0
 # matplotlib>=3.4.3
 matplotlib==3.8.0
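Review bot: The five added entries (`onnx>=1.16.0` through `Werkzeug>=3.0.3`) are open-ended floors, while every line retained in this file pins an exact version with `==` (transformers, triton, pillow, jupyterlab, mpmath, GitPython, certifi), so the resolved versions of these packages now change from build to build and a later release that regresses or introduces a new issue is picked up without any change to the repository. Since this file exists to fix the patched versions, pin them exactly and bump deliberately, e.g. `aiohttp==3.9.4` and `setuptools==70.0.0` in place of the two previously pinned lines that were dropped, or keep the floors but record the resolved set in a constraints/lock file that the Dockerfile installs from. A short comment per entry naming the advisory it addresses, as the Dockerfile does for lightning, would make future bumps auditable.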