
vulnerabilities CVE-2021-28918 and CVE-2019-0228 blocking CI builds #249

Closed
4 tasks done
JessicaBarh opened this issue May 4, 2021 · 4 comments · Fixed by #252
Comments

@JessicaBarh
Contributor

JessicaBarh commented May 4, 2021

New vulnerabilities detected on container scan. These have been temporarily added to .github/containerscan/allowedlist.yaml so we can allow a successful CI run for the current images being used in production but the vulnerabilities need to be handled.

@JessicaBarh
Contributor Author

JessicaBarh commented May 7, 2021

Issue:
texlive-xetex is dependent on texlive-xetex-extra, which depends on libpdfbox-java (source of the vulnerability). The vulnerability has been fixed in libpdfbox2-java, but there are no signs or plans of texlive-xetex supporting that version yet.

Why do we need texlive-xetex?
required by Nbconvert for converting notebooks to PDF

libpdfbox-java is a java library which is probably not used by anyone since we do not support java in our notebooks.

options:

  1. uninstall libpdfbox-java without removing its dependents (this was tested in a jupyterlab-cpu notebook using test_nbconvert.py, and converting notebooks to PDF is functional)

  2. leave as is and add the vulnerability to the allowedlist.yaml assuming no one uses this java library and the vulnerability is not a threat
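One way to carry out option 1 in an image build and check that it did what was intended, as an added example that is not the project's own code and not part of the issue author's comment. It assumes a Debian/Ubuntu-based notebook image where `dpkg`, `dpkg-query` and `apt-cache` are available, and that libpdfbox-java is pulled in only through the texlive-xetex -> texlive-xetex-extra chain described above; the function names are the example's own.

```shell
#!/bin/sh
# Added example for this thread, not code from the project or the issue author.
# Assumes a Debian/Ubuntu-based image with dpkg, dpkg-query and apt-cache, and
# that libpdfbox-java is only reached via texlive-xetex -> texlive-xetex-extra.
set -eu

# Pure helper: does a dpkg-query "${Status}" string mean the package is
# currently installed? A removed package whose config files remain reports
# "deinstall ok config-files", which must count as not installed.
is_installed_status() {
  [ "$1" = "install ok installed" ]
}

# Query dpkg for a package's status; packages dpkg has never seen yield
# "not-installed" instead of an error.
pkg_status() {
  dpkg-query -W -f='${Status}' "$1" 2>/dev/null || echo "not-installed"
}

# List the installed packages that depend on the target (so the decision is
# auditable in the build log), then purge it while leaving those dependents in
# place. --force-depends downgrades the broken-dependency error to a warning.
remove_keep_dependents() {
  pkg="$1"
  echo "installed reverse dependencies of $pkg (kept):"
  apt-cache rdepends --installed "$pkg"
  dpkg --purge --force-depends "$pkg"
}

# Post-removal checks: the target is gone, texlive-xetex survived, and the
# xelatex binary nbconvert needs is still on PATH.
verify_removal() {
  if is_installed_status "$(pkg_status libpdfbox-java)"; then
    echo "libpdfbox-java is still installed" >&2
    return 1
  fi
  is_installed_status "$(pkg_status texlive-xetex)" || {
    echo "texlive-xetex was removed; dependents must stay" >&2
    return 1
  }
  command -v xelatex >/dev/null
}

# Only act when invoked explicitly, e.g. from a Dockerfile RUN step:
#   RUN sh remove_pdfbox.sh --apply
if [ "${1:-}" = "--apply" ]; then
  remove_keep_dependents libpdfbox-java
  verify_removal
fi
```

Two caveats worth knowing before adopting this. First, the `apt-cache rdepends` output shows whether texlive-xetex-extra lists libpdfbox-java as a hard `Depends` or only a `Recommends`; in the latter case a plain `apt-get remove` works and `--force-depends` is unnecessary. Second, after a forced purge apt sees an unmet dependency, so any later `apt-get install` in the same image will want to put libpdfbox-java back; run this as the last package step, or re-run it after every apt layer, and keep the CVE entries in allowedlist.yaml until the scanner confirms the package is gone.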

@blairdrummond
Contributor

@justbert would be interested in your thoughts

@justbert

Me?! Why ME!? Unfortunately, I'm super unfamiliar with the uses and these systems. :\

This is definitely that place where it's difficult to navigate the tightrope between maintainability and security. From conversations with @zachomedia, it might be a good time to start defining a clearer framework when it comes to situations like these within the AAW, since at a certain point, the risk must be accepted or actions must be taken to mitigate it, which may cause maintainability issues in the long run.

Sorry I'm not super helpful :(

@brendangadd
Contributor

@JessicaBarh Option (1) please. :) And let's make sure the issue is raised with docker-stacks and keep an eye on it. Once they resolve the issue upstream, we can revert and use their approach.
