Added and addressed vulnerabilities with snyk

SeldonIO · Dec 7, 2021 · f7d38b8 · f7d38b8
1 parent 03ed062
commit f7d38b8
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 6 deletions.
diff --git a/.github/workflows/security_tests.yml b/.github/workflows/security_tests.yml
@@ -18,7 +18,7 @@ jobs:
         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
       run: |
         pip install -e python/.
-        snyk test --file=python/setup.py
+        snyk test --file=python/setup.py --fail-on=upgradable --severity-threshold=high
 
   security-operator:
 
@@ -32,7 +32,7 @@ jobs:
         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
       run: |
         make -C operator/ fmt
-        snyk test --file=operator/go.mod
+        snyk test --file=operator/go.mod --fail-on=upgradable --severity-threshold=high
 
   security-executor:
 
@@ -46,7 +46,7 @@ jobs:
         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
       run: |
         make -C executor/ executor
-        snyk test --file=executor/go.mod
+        snyk test --file=executor/go.mod --fail-on=upgradable --severity-threshold=high
 
   security-image-executor:
 
@@ -58,6 +58,7 @@ jobs:
         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
       with:
         image: seldonio/seldon-core-executor:1.12.0-dev
+        args: --fail-on=upgradable --severity-threshold=high
 
   security-image-operator:
 
@@ -69,6 +70,7 @@ jobs:
         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
       with:
         image: seldonio/seldon-core-operator:1.12.0-dev
+        args: --fail-on=upgradable --severity-threshold=high
 
   security-image-python-base:
 
@@ -80,6 +82,7 @@ jobs:
         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
       with:
         image: seldonio/seldon-core-s2i-python37-ubi8:1.12.0-dev
+        args: --fail-on=upgradable --severity-threshold=high
 
   security-image-python-sklearn:
 
@@ -91,6 +94,7 @@ jobs:
         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
       with:
         image: seldonio/sklearnserver:1.12.0-dev
+        args: --fail-on=upgradable --severity-threshold=high
 
   security-image-python-mlflow:
 
@@ -102,6 +106,7 @@ jobs:
         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
       with:
         image: seldonio/mlflowserver:1.12.0-dev
+        args: --fail-on=upgradable --severity-threshold=high
 
   security-image-python-xgboost:
 
@@ -113,6 +118,7 @@ jobs:
         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
       with:
         image: seldonio/xgboostserver:1.12.0-dev
+        args: --fail-on=upgradable --severity-threshold=high
 
   security-image-alibi-explain:
 
@@ -124,6 +130,7 @@ jobs:
         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
       with:
         image: seldonio/alibiexplainer:1.12.0-dev
+        args: --fail-on=upgradable --severity-threshold=high
 
   security-image-alibi-detect:
 
@@ -135,6 +142,7 @@ jobs:
         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
       with:
         image: seldonio/alibi-detect-server:1.12.0-dev
+        args: --fail-on=upgradable --severity-threshold=high
 
   security-image-request-logger:
 
@@ -146,6 +154,7 @@ jobs:
         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
       with:
         image: seldonio/seldon-request-logger:1.12.0-dev
+        args: --fail-on=upgradable --severity-threshold=high
 
   security-image-initializer-rclone:
 
@@ -157,4 +166,5 @@ jobs:
         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
       with:
         image: seldonio/rclone-storage-initializer:1.12.0-dev
+        args: --fail-on=upgradable --severity-threshold=high
 
diff --git a/executor/.snyk b/executor/.snyk
@@ -0,0 +1,6 @@
+version: v1.14.0
+ignore:
+  'snyk:lic:golang:github.com:hashicorp:golang-lru:MPL-2.0':
+    - '*':
+        reason: "Source code of MPL licenses included in images"
+        expires: 2025-11-07T11:38:28.614Z
diff --git a/operator/.snyk b/operator/.snyk
@@ -0,0 +1,6 @@
+version: v1.14.0
+ignore:
+  'snyk:lic:golang:github.com:hashicorp:golang-lru:MPL-2.0':
+    - '*':
+        reason: "Source code of MPL licenses included in images"
+        expires: 2025-11-07T11:38:28.614Z
diff --git a/python/.snyk b/python/.snyk
@@ -0,0 +1,6 @@
+version: v1.14.0
+ignore:
+  'snyk:lic:pip:certifi:MPL-2.0':
+    - '*':
+        reason: "Source code of MPL licenses included in images"
+        expires: 2025-11-07T11:38:28.614Z
diff --git a/python/setup.py b/python/setup.py
@@ -38,13 +38,13 @@
         "setuptools >= 41.0.0",
         "prometheus_client >= 0.7.1, < 0.9.0",
         # Addresses CVE-2020-1971
-        "cryptography==3.4",
+        "cryptography >= 3.4, < 3.5",
         # Addresses CVE SNYK-PYTHON-PYYAML-590151
         "PyYAML >= 5.4, < 5.5",
         # Addresses CVE PRISMA-2021-0020
         "click >= 8.0.0a1, < 8.1",
-        # Addresses CVE CVE-2019-11236 and CVE-2020-26137
-        "urllib3 == 1.25.9",
+        # Addresses CVE CVE-2019-11236 and CVE-2020-26137 and SNYK-PYTHON-URLLIB3-1533435
+        "urllib3 == 1.26.5",
     ],
     extras_require=extras,
     entry_points={