[miniconda] Update cryptography package due to GHSA-jm77-qphf-c4w8 (#…

…743) * Bump `cryptography` package version * Update tests * Use separate environment for installation tests * Add information about conda channels
devcontainers · Sep 12, 2023 · dce97cb · dce97cb
1 parent 10c097f
commit dce97cb
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 6 deletions.
diff --git a/src/miniconda/.devcontainer/Dockerfile b/src/miniconda/.devcontainer/Dockerfile
@@ -3,9 +3,10 @@ FROM continuumio/miniconda3 as upstream
 # Temporary: Upgrade python packages due to mentioned CVEs
 # They are installed by the base image (continuumio/miniconda3) which does not have the patch.
 RUN conda install \ 
-    # https://github.com/pyca/cryptography/security/advisories/GHSA-5cpq-8wj7-hf2v
+    # pyopenssl should be updated to be compatible with latest version of cryptography
     pyopenssl=23.2.0 \ 
-    cryptography=41.0.2 \
+    # https://github.com/advisories/GHSA-jm77-qphf-c4w8
+    cryptography=41.0.3 \
     # https://github.com/advisories/GHSA-j8r2-6x86-q33q
     requests=2.31.0
 

diff --git a/src/miniconda/README.md b/src/miniconda/README.md
@@ -67,6 +67,10 @@ Given JavaScript front-end web client code written for use in conjunction with a
 }
 ```
 
+#### Using different Conda channels
+
+This image is based on the `ContinuumIO/miniconda3` docker image, which has the conda and its dependencies (*installed from conda's default channel*) in the base environment. It is not recommended to install packages from different channels in one environment since it could cause conflicts. When installing a package from a different channel (e.g., `conda-forge`) is required, the better approach is to create a new conda environment.
+
 #### Installing or updating Python utilities
 
 This container installs all Python development utilities using [pipx](https://pipxproject.github.io/pipx/) to avoid impacting the global Python environment. You can use this same utility add additional utilities in an isolated environment. For example:

diff --git a/src/miniconda/test-project/test.sh b/src/miniconda/test-project/test.sh
@@ -18,19 +18,19 @@ check "gitconfig-contains-name" sh -c "cat /etc/gitconfig | grep 'name = devcont
 
 check "usr-local-etc-config-does-not-exist" test ! -f "/usr/local/etc/gitconfig"
 
-checkPythonPackageVersion "cryptography" "41.0.0"
+checkPythonPackageVersion "cryptography" "41.0.3"
 checkPythonPackageVersion "setuptools" "65.5.1"
 checkPythonPackageVersion "wheel" "0.38.1"
 
-checkCondaPackageVersion "cryptography" "41.0.0"
+checkCondaPackageVersion "cryptography" "41.0.3"
 checkCondaPackageVersion "pyopenssl" "23.2.0"
 checkCondaPackageVersion "setuptools" "65.5.1"
 checkCondaPackageVersion "wheel" "0.38.1"
 checkCondaPackageVersion "requests" "2.31.0"
 
 check "conda-update-conda" bash -c "conda update -y conda"
-check "conda-install-tensorflow" bash -c "conda install -c conda-forge --yes tensorflow"
-check "conda-install-pytorch" bash -c "conda install -c conda-forge --yes pytorch"
+check "conda-install-tensorflow" bash -c "conda create --name test-env -c conda-forge --yes tensorflow"
+check "conda-install-pytorch" bash -c "conda create --name test-env -c conda-forge --yes pytorch"
 
 # Report result
 reportResults