From f7d38b86b1ed5d577debd6587cff86260bc9fbee Mon Sep 17 00:00:00 2001
From: Alejandro Saucedo
Date: Tue, 7 Dec 2021 16:41:45 +0000
Subject: [PATCH] Added and addressed vulnerabilities with snyk

---
 .github/workflows/security_tests.yml | 16 +++++++++++++---
 executor/.snyk | 6 ++++++
 operator/.snyk | 6 ++++++
 python/.snyk | 6 ++++++
 python/setup.py | 6 +++---
 5 files changed, 34 insertions(+), 6 deletions(-)
 create mode 100644 executor/.snyk
 create mode 100644 operator/.snyk
 create mode 100644 python/.snyk

diff --git a/.github/workflows/security_tests.yml b/.github/workflows/security_tests.yml
index 5cfd1c740f..1a8c1b7e3b 100644
--- a/.github/workflows/security_tests.yml
+++ b/.github/workflows/security_tests.yml
@@ -18,7 +18,7 @@ jobs:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 run: |
 pip install -e python/.
- snyk test --file=python/setup.py
+ snyk test --file=python/setup.py --fail-on=upgradable --severity-threshold=high
 security-operator:
@@ -32,7 +32,7 @@ jobs:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 run: |
 make -C operator/ fmt
- snyk test --file=operator/go.mod
+ snyk test --file=operator/go.mod --fail-on=upgradable --severity-threshold=high
 security-executor:
@@ -46,7 +46,7 @@ jobs:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 run: |
 make -C executor/ executor
- snyk test --file=executor/go.mod
+ snyk test --file=executor/go.mod --fail-on=upgradable --severity-threshold=high
 security-image-executor:
@@ -58,6 +58,7 @@ jobs:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 with:
 image: seldonio/seldon-core-executor:1.12.0-dev
+ args: --fail-on=upgradable --severity-threshold=high
 security-image-operator:
@@ -69,6 +70,7 @@ jobs:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 with:
 image: seldonio/seldon-core-operator:1.12.0-dev
+ args: --fail-on=upgradable --severity-threshold=high
 security-image-python-base:
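Review bot: `--fail-on=upgradable` on the new `snyk test` line makes the job pass whenever a high or critical finding has no upgrade path, so unfixable highs no longer gate the build, and `--severity-threshold=high` means medium findings are never surfaced at all; the same pair is repeated on the `run:` lines of the next two hunks and on every `args:` line from `security-image-executor` through `security-image-initializer-rclone`. If that trade-off is intended it should be written down once, e.g. `# Gate only on findings with an available upgrade; unfixable high/critical results are reported but do not block` above the first scanning step, ideally paired with a non-gating `snyk monitor` run so the non-blocking findings still get tracked. Since the flags are pasted thirteen times, defining them once at workflow level, `env: SNYK_TEST_ARGS: "--fail-on=upgradable --severity-threshold=high"`, and referencing `${{ env.SNYK_TEST_ARGS }}` from each `run:` and `args:` would keep the policy in one place when it changes.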
@@ -80,6 +82,7 @@ jobs:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 with:
 image: seldonio/seldon-core-s2i-python37-ubi8:1.12.0-dev
+ args: --fail-on=upgradable --severity-threshold=high
 security-image-python-sklearn:
@@ -91,6 +94,7 @@ jobs:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 with:
 image: seldonio/sklearnserver:1.12.0-dev
+ args: --fail-on=upgradable --severity-threshold=high
 security-image-python-mlflow:
@@ -102,6 +106,7 @@ jobs:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 with:
 image: seldonio/mlflowserver:1.12.0-dev
+ args: --fail-on=upgradable --severity-threshold=high
 security-image-python-xgboost:
@@ -113,6 +118,7 @@ jobs:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 with:
 image: seldonio/xgboostserver:1.12.0-dev
+ args: --fail-on=upgradable --severity-threshold=high
 security-image-alibi-explain:
@@ -124,6 +130,7 @@ jobs:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 with:
 image: seldonio/alibiexplainer:1.12.0-dev
+ args: --fail-on=upgradable --severity-threshold=high
 security-image-alibi-detect:
@@ -135,6 +142,7 @@ jobs:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 with:
 image: seldonio/alibi-detect-server:1.12.0-dev
+ args: --fail-on=upgradable --severity-threshold=high
 security-image-request-logger:
@@ -146,6 +154,7 @@ jobs:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 with:
 image: seldonio/seldon-request-logger:1.12.0-dev
+ args: --fail-on=upgradable --severity-threshold=high
 security-image-initializer-rclone:
@@ -157,4 +166,5 @@ jobs:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 with:
 image: seldonio/rclone-storage-initializer:1.12.0-dev
+ args: --fail-on=upgradable --severity-threshold=high
diff --git a/executor/.snyk b/executor/.snyk
new file mode 100644
index 0000000000..fc3ec374d1
--- /dev/null
+++ b/executor/.snyk
@@ -0,0 +1,6 @@
+version: v1.14.0
+ignore:
+ 'snyk:lic:golang:github.com:hashicorp:golang-lru:MPL-2.0':
+ - '*':
+ reason: "Source code of MPL licenses included in images"
+ expires: 2025-11-07T11:38:28.614Z
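Review bot: The new ignore rule in `executor/.snyk` waives the MPL-2.0 license finding for `golang-lru` on every path (`'*'`) until `2025-11-07`, almost four years after the commit date, so the waiver will not be revisited for the lifetime of the pin; the identical block lands in `operator/.snyk` and, for `certifi`, in `python/.snyk`. The `reason` asserts that the MPL source is included in the images, but nothing in the patch shows where it ships, so a later reader cannot check that the stated condition still holds. I would make the reason verifiable and the expiry short enough to be re-reviewed per release, e.g. `reason: "MPL-2.0 source for golang-lru is shipped in the image at <PATH-TO-BUNDLED-SOURCE>"` with an `expires` a few months out, and apply the same to the other two files.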
diff --git a/operator/.snyk b/operator/.snyk
new file mode 100644
index 0000000000..fc3ec374d1
--- /dev/null
+++ b/operator/.snyk
@@ -0,0 +1,6 @@
+version: v1.14.0
+ignore:
+ 'snyk:lic:golang:github.com:hashicorp:golang-lru:MPL-2.0':
+ - '*':
+ reason: "Source code of MPL licenses included in images"
+ expires: 2025-11-07T11:38:28.614Z
diff --git a/python/.snyk b/python/.snyk
new file mode 100644
index 0000000000..a70804dd12
--- /dev/null
+++ b/python/.snyk
@@ -0,0 +1,6 @@
+version: v1.14.0
+ignore:
+ 'snyk:lic:pip:certifi:MPL-2.0':
+ - '*':
+ reason: "Source code of MPL licenses included in images"
+ expires: 2025-11-07T11:38:28.614Z
diff --git a/python/setup.py b/python/setup.py
index 35475fed91..3ebdfc3db6 100644
--- a/python/setup.py
+++ b/python/setup.py
@@ -38,13 +38,13 @@
 "setuptools >= 41.0.0",
 "prometheus_client >= 0.7.1, < 0.9.0",
 # Addresses CVE-2020-1971
- "cryptography==3.4",
+ "cryptography >= 3.4, < 3.5",
 # Addresses CVE SNYK-PYTHON-PYYAML-590151
 "PyYAML >= 5.4, < 5.5",
 # Addresses CVE PRISMA-2021-0020
 "click >= 8.0.0a1, < 8.1",
- # Addresses CVE CVE-2019-11236 and CVE-2020-26137
- "urllib3 == 1.25.9",
+ # Addresses CVE CVE-2019-11236 and CVE-2020-26137 and SNYK-PYTHON-URLLIB3-1533435
+ "urllib3 == 1.26.5",
 ],
 extras_require=extras,
 entry_points={
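Review bot: `"urllib3 == 1.26.5"` keeps an exact pin inside a library's `install_requires`, whereas the `cryptography` line changed in the same hunk, and the `PyYAML` and `click` context lines around it, use a bounded range; an exact pin blocks downstream environments from taking later 1.26.x fixes and conflicts with any other package that needs a different urllib3 patch level, which is the opposite of what a security floor should do. For consistency with the rest of the list I would write `"urllib3 >= 1.26.5, < 1.27",`. The rewritten comment also carries a doubled prefix, `CVE CVE-2019-11236`; `# Addresses CVE-2019-11236, CVE-2020-26137 and SNYK-PYTHON-URLLIB3-1533435` reads cleanly. The enclosing `setup(...)` call begins before this hunk.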