From 42a34e865b109ade8a41c7635220653ef96c0e2b Mon Sep 17 00:00:00 2001
From: "Mahadik, Mukul Chandrakant"
Date: Tue, 3 Oct 2023 15:49:19 -0700
Subject: [PATCH 1/3] Addressing vulnerability issues in Docker images
- Fixing CRITICAL and HIGH severity issues detected by AWS Inspector in the Docker images in AWS ECR.
- First off, picking up the certifi package dependency issue.
- Upgrading to a newer version of miniconda which contains the recommended fixed version of certifi.
- Additionally, corrected the curl URL to update the version suffix based on the required miniconda version to be installed.
---
setup/export_versions.sh | 2 +-
setup/setup_conda.sh | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/setup/export_versions.sh b/setup/export_versions.sh
index b326e6822..c44a9dc6c 100644
--- a/setup/export_versions.sh
+++ b/setup/export_versions.sh
@@ -1 +1 @@
-export EXP_CONDA_VER=23.1.0
+export EXP_CONDA_VER=23.5.2
diff --git a/setup/setup_conda.sh b/setup/setup_conda.sh
index e24b1aa2a..e099e5e0f 100644
--- a/setup/setup_conda.sh
+++ b/setup/setup_conda.sh
@@ -12,7 +12,7 @@ else
 INSTALL_PREFIX=$HOME/miniconda-$EXP_CONDA_VER
 SOURCE_SCRIPT="$HOME/miniconda-$EXP_CONDA_VER/etc/profile.d/conda.sh"
- curl -o miniconda.sh -L https://repo.continuum.io/miniconda/Miniconda3-py39_$EXP_CONDA_VER-1-$PLATFORM.sh;
+ curl -o miniconda.sh -L https://repo.anaconda.com/miniconda/Miniconda3-py39_$EXP_CONDA_VER-0-$PLATFORM.sh;
 bash miniconda.sh -b -p $INSTALL_PREFIX
 source $SOURCE_SCRIPT
 hash -r
From a09212b8df7e7f0395aead8a349ee7b78a99b44d Mon Sep 17 00:00:00 2001
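Review bot: The rewritten `curl` line still hands whatever the server returns to `bash miniconda.sh` on the next line: without `--fail`, a 404 on a mis-guessed build suffix (this commit changes it from -1 to -0 by hand) writes the HTML error page to miniconda.sh with exit status 0, and the installer step then executes it. The same line is rewritten again in the setup_conda.sh hunk of PATCH 2/3 and carries the same gap. Prefer `curl -fL -o miniconda.sh "https://repo.anaconda.com/miniconda/Miniconda3-py39_$EXP_CONDA_VER-0-$PLATFORM.sh" || exit 1` and verify the download before running it, e.g. `echo "${EXP_CONDA_SHA256:?}  miniconda.sh" | sha256sum -c - || exit 1`, with the expected digest of the pinned installer exported next to EXP_CONDA_VER in setup/export_versions.sh (on MacOSX-x86_64 the equivalent is `shasum -a 256 -c`). The `else` branch holding these lines opens and closes outside the hunk.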
From: "Mahadik, Mukul Chandrakant"
Date: Thu, 5 Oct 2023 11:56:31 -0700
Subject: [PATCH 2/3] Upgraded cryptography dependency + Added EXP_CONDA_VER_SUFFIX env. variable
- Added EXP_CONDA_VER_SUFFIX environment variable so that it can be updated just in setup/export_versions.sh as per need.
- Manually upgrading cryptography in .docker/setup_config.sh to the recommended version.
- The latest miniconda package contains cryptography version 39.0.1 while latest available cryptography version recommended for fixing vulnerability is 41.0.4.
- Hence, based on comments in this file, manually upgrading to latest version.
---
.docker/setup_config.sh | 6 +++++-
setup/export_versions.sh | 1 +
setup/setup_conda.sh | 4 ++--
3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/.docker/setup_config.sh b/.docker/setup_config.sh
index dcb4e9a79..0e908a529 100644
--- a/.docker/setup_config.sh
+++ b/.docker/setup_config.sh
@@ -9,7 +9,11 @@ source setup/setup.sh
 ## But that doesn't update all packages (e.g. cryptography=38 stays at that
 ## level instead of upgrading to cryptography=40)
 ## So we just manually upgrade the failing dependencies in the base image
-conda install -c conda-forge cryptography=40.0.2 wheel=0.40.0
+##
+## 10/02 - Mukul
+## - Above comments talk about manually updating cryptography to version 40
+## - I have upgraded to 41.0.4 as per latest vulnerability fixes.
+conda install -c conda-forge cryptography=41.0.4 wheel=0.40.0
 ## Remove the old, unused packages to avoid tripping up the checker
 rm -rf /root/miniconda-23.1.0/pkgs/cryptography-38.0.4-py39h9ce1e76_0
diff --git a/setup/export_versions.sh b/setup/export_versions.sh
index c44a9dc6c..52e3ba45b 100644
--- a/setup/export_versions.sh
+++ b/setup/export_versions.sh
@@ -1 +1,2 @@
 export EXP_CONDA_VER=23.5.2
+export EXP_CONDA_VER_SUFFIX=0
diff --git a/setup/setup_conda.sh b/setup/setup_conda.sh
index e099e5e0f..47f5284b7 100644
--- a/setup/setup_conda.sh
+++ b/setup/setup_conda.sh
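Review bot: The four added `##` lines in .docker/setup_config.sh record who moved the pin and when, which `git blame` already does, and they will read as stale the next time the version changes; a why-comment that survives the next bump would serve the reader better, e.g. `## The miniconda base ships an older cryptography; pin the release the image scanner currently accepts here and bump it when a new advisory lands.` The pinned `41.0.4` on the `conda install` line is the only place this version is recorded, so it may be worth exporting it from setup/export_versions.sh alongside EXP_CONDA_VER, which this series is already using as the single place to edit versions. The rest of the script lies outside the hunk.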
@@ -7,12 +7,12 @@ if [[ -z $EXP_CONDA_VER || -z $PLATFORM ]]; then
 echo "Usage: setup_conda.sh "
 echo " Assumes that the EXP_CONDA_VER variable is set"
 echo " Platform options are Linux-x86_64, MacOSX-x86_64"
- echo " For Windows, manually download and install https://repo.anaconda.com/miniconda/Miniconda3-py39_$EXP_CONDA_VER-1-Windows-x86_64.exe"
+ echo " For Windows, manually download and install https://repo.anaconda.com/miniconda/Miniconda3-py39_$EXP_CONDA_VER-$EXP_CONDA_VER_SUFFIX-Windows-x86_64.exe"
 else
 INSTALL_PREFIX=$HOME/miniconda-$EXP_CONDA_VER
 SOURCE_SCRIPT="$HOME/miniconda-$EXP_CONDA_VER/etc/profile.d/conda.sh"
- curl -o miniconda.sh -L https://repo.anaconda.com/miniconda/Miniconda3-py39_$EXP_CONDA_VER-0-$PLATFORM.sh;
+ curl -o miniconda.sh -L https://repo.anaconda.com/miniconda/Miniconda3-py39_$EXP_CONDA_VER-$EXP_CONDA_VER_SUFFIX-$PLATFORM.sh;
 bash miniconda.sh -b -p $INSTALL_PREFIX
 source $SOURCE_SCRIPT
 hash -r
From a494de87350d97d15cd6d5216f79fc82f834d0f7 Mon Sep 17 00:00:00 2001
From: "Mahadik, Mukul Chandrakant"
Date: Thu, 5 Oct 2023 16:47:00 -0700
Subject: [PATCH 3/3] Remove older version of cryptography package
- v39.0.1 of cryptography comes with the miniconda-23.5.2 version.
- However, for vulnerability fixing, cryptography had to be manually upgraded to v41.0.4.
- This leaves v39.0.1 unused as a newer version is available; hence removing it.
---
.docker/setup_config.sh | 1 +
1 file changed, 1 insertion(+)
diff --git a/.docker/setup_config.sh b/.docker/setup_config.sh
index 0e908a529..46168e2ab 100644
--- a/.docker/setup_config.sh
+++ b/.docker/setup_config.sh
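Review bot: The guard on the `if` line shown as hunk context still tests only EXP_CONDA_VER and PLATFORM, so a caller that has not sourced setup/export_versions.sh reaches the new `curl` line with EXP_CONDA_VER_SUFFIX empty and requests a name like `Miniconda3-py39_23.5.2--Linux-x86_64.sh` (constructed example); the error body that comes back is then passed to `bash miniconda.sh`. Extend the check to `if [[ -z $EXP_CONDA_VER || -z $EXP_CONDA_VER_SUFFIX || -z $PLATFORM ]]; then` and name the new variable in the usage text, e.g. `echo " Assumes that the EXP_CONDA_VER and EXP_CONDA_VER_SUFFIX variables are set"`. The new export in setup/export_versions.sh would also benefit from a one-line comment saying what the number is, e.g. `# build number in the installer filename: Miniconda3-py39_<EXP_CONDA_VER>-<EXP_CONDA_VER_SUFFIX>-<platform>`. The `if`/`else` opens above the hunk and closes below it.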
@@ -18,6 +18,7 @@ conda install -c conda-forge cryptography=41.0.4 wheel=0.40.0
 ## Remove the old, unused packages to avoid tripping up the checker
 rm -rf /root/miniconda-23.1.0/pkgs/cryptography-38.0.4-py39h9ce1e76_0
 rm -rf /root/miniconda-23.1.0/pkgs/wheel-0.37.1-pyhd3eb1b0_0
+rm -rf /root/miniconda-23.5.2/pkgs/cryptography-39.0.1-py39h9ce1e76_2
 # Clean up the conda install
 conda clean -t
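Review bot: The added `rm -rf` hardcodes `23.5.2` and so goes stale on the next EXP_CONDA_VER bump, exactly as the two `miniconda-23.1.0` lines above it already have once this series installs into miniconda-23.5.2; `rm -rf` on a missing path succeeds silently, so nothing reports that a cleanup line has stopped doing anything. If setup/setup.sh, sourced at the top of this file, exports EXP_CONDA_VER, derive the path from it, `rm -rf -- "/root/miniconda-${EXP_CONDA_VER:?}/pkgs/cryptography-39.0.1-py39h9ce1e76_2"`, and drop or update the 23.1.0 lines. A generic alternative worth checking against the scanner output is `conda clean -p`, which removes cached packages no environment links without naming each build string by hand. The rest of the script is outside the hunk.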