intel/e2eAIOK

[v1.2] CVE issue fixing

xuechendi opened this issue · 1 comment

Hi, @zhouyu5

I created a new dockerfile only including deltatuner and recdp, here: https://github.com/intel/e2eAIOK/blob/main/Dockerfile-ubuntu/Dockerfile-v1.2

The reason to do that is we reached our quarterly SDLe evidence refresh cycle and need to refresh security/vulnerability evidence.
And for SDLe task 247, which is to test vulnerabilities in our dependencies, we detected two critical vulnerability issues as below.

Complete report is here: https://github.com/intel-innersource/frameworks.ai.infrastructure.code-scan-tools/actions/runs/6644304331

Please help to update the versions of the two packages below, both in:

  1. https://github.com/intel/e2eAIOK/blob/main/Dockerfile-ubuntu/Dockerfile-v1.2
  2. setup README provided by deltatuner

Python (python-pkg)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 1)

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| protobuf (METADATA) | CVE-2022-1941 | HIGH | fixed | 3.20.1 | 3.18.3, 3.19.5, 3.20.2, 4.21.6 | A parsing vulnerability for the MessageSet type in the ProtocolBuffers ... https://avd.aquasec.com/nvd/cve-2022-1941 |
| torch (METADATA) | CVE-2022-45907 | CRITICAL | fixed | 1.13.0 | 1.13.1 | In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line c ... https://avd.aquasec.com/nvd/cve-2022-45907 |
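The scan above lists four fixed releases for protobuf on different branches, and the least disruptive pin for the Dockerfile is the one on the installed package's own branch (3.20.1 → 3.20.2, not 3.18.3 or 4.21.6). The script below is an added example, not part of this issue or of the e2eAIOK project: it reads a constructed, abbreviated Trivy JSON report mirroring the two findings, decides per finding whether the installed version is already fixed, and emits minimal `pkg==version` pins. The sample report, the `minimal_fix`/`is_fixed` rules and the severity threshold are this example's own assumptions; the JSON field names (`Results`, `Vulnerabilities`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`) are those of Trivy's `--format json` output.

```python
import json

# Constructed sample shaped like Trivy's JSON output for the two findings
# in the table above (only the fields this script uses are included).
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "Python", "Class": "lang-pkgs", "Type": "python-pkg",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2022-1941", "PkgName": "protobuf",
             "InstalledVersion": "3.20.1",
             "FixedVersion": "3.18.3, 3.19.5, 3.20.2, 4.21.6",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2022-45907", "PkgName": "torch",
             "InstalledVersion": "1.13.0", "FixedVersion": "1.13.1",
             "Severity": "CRITICAL"},
        ],
    }]
})

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def parse_version(s):
    """Turn '3.20.1' (or a local version such as '1.13.0+cpu') into a
    comparable tuple of ints. Assumption: plain dotted releases only;
    pre-release tags (rc, dev) are out of scope for this example."""
    core = s.strip().split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))


def _split_fixes(fixed_versions):
    return sorted(parse_version(f) for f in fixed_versions.split(",") if f.strip())


def is_fixed(installed, fixed_versions):
    """Conservative check. Installed counts as fixed only if it is >= a fixed
    release on its own major.minor branch, or >= the highest fixed release.
    A naive 'installed >= min(fixed)' would wrongly pass 3.20.1 against
    3.18.3, which is exactly the protobuf case in the report."""
    inst = parse_version(installed)
    fixes = _split_fixes(fixed_versions)
    same_branch = [f for f in fixes if f[:2] == inst[:2]]
    if same_branch:
        return inst >= min(same_branch)
    return inst >= max(fixes)


def minimal_fix(installed, fixed_versions):
    """Smallest fixed release above 'installed' on the same major.minor
    branch (least disruptive bump); otherwise the smallest fixed release
    above it on any branch; None if no fixed release is newer."""
    inst = parse_version(installed)
    fixes = _split_fixes(fixed_versions)
    same_branch = [f for f in fixes if f[:2] == inst[:2] and f > inst]
    if same_branch:
        return ".".join(map(str, same_branch[0]))
    later = [f for f in fixes if f > inst]
    return ".".join(map(str, later[0])) if later else None


def required_bumps(report_json, min_severity="HIGH"):
    """Map package name -> minimal fixed version for findings at or above
    min_severity that are not already fixed. If several findings hit one
    package, the highest required version wins."""
    threshold = SEVERITY_ORDER.index(min_severity)
    bumps = {}
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities", []):
            fixed = v.get("FixedVersion")
            if not fixed or SEVERITY_ORDER.index(v["Severity"]) < threshold:
                continue  # unfixed or below threshold: report, don't pin
            if is_fixed(v["InstalledVersion"], fixed):
                continue
            target = minimal_fix(v["InstalledVersion"], fixed)
            if target is None:
                continue
            prev = bumps.get(v["PkgName"])
            if prev is None or parse_version(target) > parse_version(prev):
                bumps[v["PkgName"]] = target
    return bumps


def pin_lines(bumps):
    """Render pip-style pins for a Dockerfile RUN line or requirements file."""
    return [f"{name}=={ver}" for name, ver in sorted(bumps.items())]


if __name__ == "__main__":
    for line in pin_lines(required_bumps(SAMPLE_REPORT)):
        print(line)
```

Run the script against a real report with `trivy image --format json -o report.json <image>` and feed the file instead of `SAMPLE_REPORT`. The same-branch rule keeps the bump small (3.20.2 rather than the 4.x line, which changed protobuf's Python runtime); only when no fix exists on the installed branch does it fall through to a newer branch, and a version with no fix on its own branch is treated as still vulnerable unless it is at or above the highest fixed release.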

@xuechendi Resolved now, please refer to PR #414 and commit 7280bf7.