def _run_dependency_check_test(image, ec2_connection): # Record any whitelisted medium/low severity CVEs; I.E. allowed_vulnerabilities = {CVE-1000-5555, CVE-9999-9999} allowed_vulnerabilities = { # Those vulnerabilities are fixed. Current openssl version is 1.1.1g. These are false positive "CVE-2016-2109", "CVE-2016-2177", "CVE-2016-6303", "CVE-2016-2182", # CVE-2020-13936: vulnerability found in apache velocity package which is a dependency for dependency-check package. Hence, ignoring. "CVE-2020-13936", } processor = get_processor_from_image_uri(image) # Whitelist CVE #CVE-2021-3711 for DLCs where openssl is installed using apt-get framework, _ = get_framework_and_version_from_tag(image) short_fw_version = re.search(r"(\d+\.\d+)", image).group(1) # Check that these versions have been matched on https://ubuntu.com/security/CVE-2021-3711 before adding allow_openssl_cve_fw_versions = { "tensorflow": { "1.15": ["cpu", "gpu", "neuron"], "2.3": ["cpu", "gpu"], "2.4": ["cpu", "gpu"], "2.5": ["cpu", "gpu", "neuron"], "2.6": ["cpu", "gpu"], "2.7": ["cpu", "gpu"], }, "mxnet": { "1.8": ["neuron"], "1.9": ["cpu", "gpu"] }, "pytorch": { "1.10": ["cpu"] }, "huggingface_pytorch": { "1.8": ["cpu", "gpu"], "1.9": ["cpu", "gpu"] }, "huggingface_tensorflow": { "2.4": ["cpu", "gpu"], "2.5": ["cpu", "gpu"] }, "autogluon": { "0.3": ["cpu"] }, } if processor in allow_openssl_cve_fw_versions.get(framework, {}).get( short_fw_version, []): allowed_vulnerabilities.add("CVE-2021-3711") container_name = f"dep_check_{processor}" report_addon = get_container_name("depcheck-report", image) dependency_check_report = f"{report_addon}.html" html_file = f"{container_name}:/build/dependency-check-report.html" test_script = os.path.join(CONTAINER_TESTS_PREFIX, "testDependencyCheck") # Execute test, copy results to s3 ec2.execute_ec2_training_test(ec2_connection, image, test_script, container_name=container_name, bin_bash_entrypoint=True) ec2_connection.run(f"docker cp {html_file} ~/{dependency_check_report}") ec2_connection.run( f"aws s3 cp ~/{dependency_check_report} s3://dlc-dependency-check") # Check for any vulnerabilities not mentioned in allowed_vulnerabilities html_output = ec2_connection.run(f"cat ~/{dependency_check_report}", hide=True).stdout cves = re.findall(r">(CVE-\d+-\d+)</a>", html_output) vulnerabilities = set(cves) - allowed_vulnerabilities if vulnerabilities: vulnerability_severity = {} # Check NVD for vulnerability severity to provide this useful info in error message. for vulnerability in vulnerabilities: try: cve_url = f"https://services.nvd.nist.gov/rest/json/cve/1.0/{vulnerability}" session = requests.Session() session.mount( "https://", requests.adapters.HTTPAdapter(max_retries=Retry( total=5, status_forcelist=[404, 504, 502])), ) response = session.get(cve_url) if response.status_code == 200: severity = (response.json().get("result", {}).get( "CVE_Items", [{}])[0].get("impact", {}).get("baseMetricV2", {}).get("severity", "UNKNOWN")) if vulnerability_severity.get(severity): vulnerability_severity[severity].append(vulnerability) else: vulnerability_severity[severity] = [vulnerability] except ConnectionError: LOGGER.exception( f"Failed to load NIST data for CVE {vulnerability}") # TODO: Remove this once we have whitelisted appropriate LOW/MEDIUM vulnerabilities if not (vulnerability_severity.get("CRITICAL") or vulnerability_severity.get("HIGH")): return raise DependencyCheckFailure( f"Unrecognized CVEs have been reported : {vulnerability_severity}. " f"Allowed vulnerabilities are {allowed_vulnerabilities or None}. Please see " f"{dependency_check_report} for more details.")
def _run_dependency_check_test(image, ec2_connection, processor): # Record any whitelisted medium/low severity CVEs; I.E. allowed_vulnerabilities = {CVE-1000-5555, CVE-9999-9999} allowed_vulnerabilities = { # Those vulnerabilities are fixed. Current openssl version is 1.1.1g. These are false positive "CVE-2016-2109", "CVE-2016-2177", "CVE-2016-6303", "CVE-2016-2182", # CVE-2020-13936: vulnerability found in apache velocity package which is a dependency for dependency-check package. Hence, ignoring. "CVE-2020-13936", } container_name = f"dep_check_{processor}" report_addon = get_container_name("depcheck-report", image) dependency_check_report = f"{report_addon}.html" html_file = f"{container_name}:/build/dependency-check-report.html" test_script = os.path.join(CONTAINER_TESTS_PREFIX, "testDependencyCheck") # Execute test, copy results to s3 ec2.execute_ec2_training_test(ec2_connection, image, test_script, container_name=container_name) ec2_connection.run(f"docker cp {html_file} ~/{dependency_check_report}") ec2_connection.run(f"aws s3 cp ~/{dependency_check_report} s3://dlc-dependency-check") # Check for any vulnerabilities not mentioned in allowed_vulnerabilities html_output = ec2_connection.run(f"cat ~/{dependency_check_report}", hide=True).stdout cves = re.findall(r">(CVE-\d+-\d+)</a>", html_output) vulnerabilities = set(cves) - allowed_vulnerabilities if vulnerabilities: vulnerability_severity = {} # Check NVD for vulnerability severity to provide this useful info in error message. for vulnerability in vulnerabilities: try: cve_url = f"https://services.nvd.nist.gov/rest/json/cve/1.0/{vulnerability}" session = requests.Session() session.mount( "https://", requests.adapters.HTTPAdapter(max_retries=Retry(total=5, status_forcelist=[404, 504, 502])), ) response = session.get(cve_url) if response.status_code == 200: severity = ( response.json() .get("result", {}) .get("CVE_Items", [{}])[0] .get("impact", {}) .get("baseMetricV2", {}) .get("severity", "UNKNOWN") ) except ConnectionError: LOGGER.exception(f"Failed to load NIST data for CVE {vulnerability}") if vulnerability_severity.get(severity): vulnerability_severity[severity].append(vulnerability) else: vulnerability_severity[severity] = [vulnerability] # TODO: Remove this once we have whitelisted appropriate LOW/MEDIUM vulnerabilities if not (vulnerability_severity.get("CRITICAL") or vulnerability_severity.get("HIGH")): return raise DependencyCheckFailure( f"Unrecognized CVEs have been reported : {vulnerability_severity}. " f"Allowed vulnerabilities are {allowed_vulnerabilities or None}. Please see " f"{dependency_check_report} for more details." )