forked from kubeflow/pipelines
[Snyk] Fix for 10 vulnerabilities #101
Open: HumairAK wants to merge 12 commits into master from snyk-fix-ce3339b9577412730a05312a73a287a1
Conversation
Update proto & swagger generator libraries for generator dockerfile. Signed-off-by: Humair Khan <[email protected]>
This change bumps support for kfp-pipeline-spec to 6.x. This is a significant bump by two major versions. We specifically opt not to support a range (e.g. >=5.x,<=6.x) because we are bumping protoc to 30.x+ and this compiler is only compatible with 6.x+. Accompanying this change is a change to the makefile command. Previously, the developer was required to hunt down and manually download the protos originating from the protobuf libraries in git. The makefile will now download these proto dependencies for the user. Signed-off-by: Humair Khan <[email protected]>
This change will bump KFP sdk to leverage protobuf 6.x. It also bumps kfp-pipeline-spec to 0.8.0, which too requires protobuf 6.x. Note that the version of KFP is also bumped to 2.4.0. This is required because CI will fail otherwise when it attempts to retrieve KFP 2.3.0 due to a mismatch between kfp sdk 2.13 protobuf requirements (>=4.x,<5) and kfp sdk 2.14 requirements (>=6.x,<7). In order to accompany CI, we need to also ensure any CI that tries to re-compile KFP from source must also install kfp-pipeline-spec from source, otherwise it will try to download 0.8.0 before it is released. In order to support this case, there is an env var introduced: "KFP_PIPELINE_SPEC_PACKAGE_PATH". When set, this var will have the executing pipeline install pipeline-spec from the designated store instead of pypi (transitively through KFP). This change is also utilized in some of the kfp.local tests that will compile and run tests locally via subprocess. Signed-off-by: Humair Khan <[email protected]>
The change also includes the re-generated python and go code. There is also an update to setup.py, where dependencies are split into separate requirements.txt files to supplement dep management via third party tools. There are two noteworthy changes to the Makefile:
- Support for installing dependent packages sourced locally, via: USE_FIND_LINKS, FIND_LINKS_PATH. See inline comments for details.
- Support for fetching dependent protos. Here we re-use the make target already available from pipeline_spec.
Signed-off-by: Humair Khan <[email protected]>
This change makes various updates to CI and testing code to achieve this. GitHub workflows: Protobuf dependency installation and management are moved to a separate action. This allows us to manage versions in one location and remove redundant code. Similarly, installation of KFP-Kubernetes, and transitively KFP sdk, is also moved to a separate action. Presubmit tests now support optional dep installation, allowing us to instead opt to install dependencies from the CI env. This is to prevent the script from overwriting the python packages we install via our new re-usable GitHub action. kfp-k8s and kfp-sdk execution tests have been updated to leverage kfp-pipeline-spec from the source for runtime tests. kfp-readiness requirements are moved to their own file; since the dependency requirement for this script is much smaller than the sdk's, it makes more sense to scope this to a smaller, more targeted requirements file. Signed-off-by: Humair Khan <[email protected]>
This change comes with a large changeset to accommodate the api breaking changes introduced with protoc-gen-openapiv2 (grpc-gateway v2+) and other associated tools (protoc-gen-go, protobuf, etc.). Some noteworthy changes:
- Newer protoc-gen-go-grpc requires an UnimplementedXxxServer struct to help with forward compatibility and optional method implementations. Because of this, we can no longer use shared servers for both v1 and v2 APIs. To keep the diff low this change adds a wrapper server to split them up, whilst keeping shared code co-located.
- In newer protoc-gen-openapiv2, generating swagger code results in camelcase for message field names; to prevent this breaking api change the usage of [json_name = ".."] is added in api fields.
- client go code is updated to accommodate other breaking changes
- presubmit and associated scripts are removed as they are no longer used by CI.
Signed-off-by: Humair Khan <[email protected]>
This change re-generates the golang proto files. Signed-off-by: Humair Khan <[email protected]>
…isualize_html/requirements.txt to reduce vulnerabilities
The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-FONTTOOLS-6133203
- https://snyk.io/vuln/SNYK-PYTHON-NUMPY-2321964
- https://snyk.io/vuln/SNYK-PYTHON-NUMPY-2321966
- https://snyk.io/vuln/SNYK-PYTHON-NUMPY-2321970
- https://snyk.io/vuln/SNYK-PYTHON-PILLOW-5918878
- https://snyk.io/vuln/SNYK-PYTHON-PILLOW-6043904
- https://snyk.io/vuln/SNYK-PYTHON-PILLOW-6182918
- https://snyk.io/vuln/SNYK-PYTHON-PILLOW-6219984
- https://snyk.io/vuln/SNYK-PYTHON-PILLOW-6219986
- https://snyk.io/vuln/SNYK-PYTHON-PILLOW-6514866
🎉 Snyk checks have passed. No issues have been found so far. ✅ security/snyk check is complete. No issues have been found.
Snyk has created this PR to fix 10 vulnerabilities in the pip dependencies of this project.
Snyk changed the following file(s):
samples/contrib/versioned-pipeline-ci-samples/kaggle-ci-sample/visualize_html/requirements.txt
Important: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 XML External Entity (XXE) Injection
🦉 NULL Pointer Dereference
🦉 Uncontrolled Resource Consumption ('Resource Exhaustion')
🦉 More lessons are available in Snyk Learn
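The Snyk description above says the fix is to pin transitive dependencies. The script below, an added example that is not part of the PR or of kubeflow/pipelines, audits a requirements.txt against a table of fixing versions and flags packages that are unpinned, range-only, or pinned below the fix. The FIXED_IN table and SAMPLE_REQUIREMENTS are constructed placeholders, not values from the advisories.

```python
"""Audit a requirements.txt: is every advisory-affected package pinned with
'==' at or above the version that fixes it?  Added example, not code from
the Snyk PR or kubeflow/pipelines; the table and sample file are constructed."""
import re

# Constructed placeholder table: package -> first version containing the fix.
# These are NOT the real fix versions from the Snyk advisories.
FIXED_IN: dict[str, str] = {
    "fonttools": "4.43.0",
    "numpy": "1.22.0",
    "pillow": "10.2.0",
}

# Constructed sample requirements file: one safe pin, one range-only spec,
# one unpinned name and one package outside the advisory table.
SAMPLE_REQUIREMENTS = """\
matplotlib==3.8.0
fonttools==4.43.0
numpy>=1.21.0
pillow
"""

_LINE_RE = re.compile(
    r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|>|<)?\s*([0-9][0-9A-Za-z.]*)?")

def parse_version(v: str) -> tuple[int, ...]:
    """Turn '4.43.0' into (4, 43, 0); non-numeric pieces count as 0."""
    parts = []
    for piece in v.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)

def audit_requirements(text: str, fixed_in: dict[str, str] = FIXED_IN) -> list[str]:
    """Return one finding per advisory-affected package that is not pinned
    with '==' to a version >= the fixing version; other packages are ignored."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = _LINE_RE.match(line) if line else None
        if not m:
            continue
        name, op, ver = m.group(1).lower(), m.group(2), m.group(3)
        if name not in fixed_in:
            continue
        if op != "==" or ver is None:
            findings.append(f"{name}: not pinned with '==', a resolver may pick a vulnerable release")
        elif parse_version(ver) < parse_version(fixed_in[name]):
            findings.append(f"{name}=={ver} is below fixed version {fixed_in[name]}")
    return findings
```

Run `audit_requirements(open("requirements.txt").read())` after a dependency-bot PR to confirm every pin actually reaches the fixing release rather than only changing the specifier.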