Patch fixed critical CVEs in kserve/alibi-explainer (kserve#2270)

* update versions for alibi-explainer to resolve several critical CVEs

Signed-off-by: MessKon <[email protected]>

* change required python version to >=3.7; no impact on critical CVEs

Signed-off-by: MessKon <[email protected]>

* revert the kserve version change

Signed-off-by: MessKon <[email protected]>

* revert alibi version change

Signed-off-by: MessKon <[email protected]>

* fix flake8 lint errors

Signed-off-by: MessKon <[email protected]>

* update aix360 module reference

Signed-off-by: MessKon <[email protected]>

* revert aix360 module reference

Signed-off-by: MessKon <[email protected]>
Signed-off-by: alexagriffith <[email protected]>

python/alibiexplainer/setup.py

@@ -29,15 +29,15 @@
     description='Model Explanation Server. \
                  Not intended for use outside KServe Frameworks Images',
     long_description=open('README.md').read(),
-    python_requires='>=3.6',
+    python_requires='>=3.7',
     packages=find_packages("alibiexplainer"),
     install_requires=[
         "kserve>=0.7.0",
         "nest_asyncio>=1.4.0",
         "alibi==0.6.4",
         "joblib>=0.13.2",
-        "xgboost==1.5.0",
-        "shap==0.40.0",
+        "xgboost==1.6.1",
+        "shap==0.41.0",
     ],
     tests_require=tests_require,
     extras_require={'test': tests_require}

test/e2e/explainer/test_aix_explainer.py

@@ -82,9 +82,9 @@ def test_tabular_explainer():
         raise e
 
     res = predict(service_name, './data/mnist_input.json')
-    assert(res["predictions"] == [[0.0, 0.0, 1.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0]])
+    assert (res["predictions"] == [[0.0, 0.0, 1.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0]])
 
     mask = explain_aix(service_name, './data/mnist_input.json')
     percent_in_mask = np.count_nonzero(mask) / np.size(np.array(mask))
-    assert(percent_in_mask > 0.6)
+    assert (percent_in_mask > 0.6)
     kserve_client.delete(service_name, KSERVE_TEST_NAMESPACE)

test/e2e/logger/test_logger.py

@@ -82,7 +82,7 @@ def test_kserve_logger():
             print(pod)
 
     res = predict(service_name, './data/iris_input.json')
-    assert(res["predictions"] == [1, 1])
+    assert (res["predictions"] == [1, 1])
     pods = kserve_client.core_api.list_namespaced_pod(KSERVE_TEST_NAMESPACE,
                                                       label_selector='serving.kserve.io/inferenceservice={}'.
                                                       format(msg_dumper))
@@ -93,7 +93,7 @@ def test_kserve_logger():
                                                               namespace=pod.metadata.namespace,
                                                               container="kserve-container")
         print(log)
-    assert("org.kubeflow.serving.inference.request" in log)
-    assert("org.kubeflow.serving.inference.response" in log)
+    assert ("org.kubeflow.serving.inference.request" in log)
+    assert ("org.kubeflow.serving.inference.response" in log)
     kserve_client.delete(service_name, KSERVE_TEST_NAMESPACE)
     kserve_client.delete(msg_dumper, KSERVE_TEST_NAMESPACE)

test/e2e/logger/test_raw_logger.py

@@ -87,7 +87,7 @@ def test_kserve_logger():
             print(pod)
 
     res = predict(service_name, './data/iris_input.json')
-    assert(res["predictions"] == [1, 1])
+    assert (res["predictions"] == [1, 1])
     pods = kserve_client.core_api.list_namespaced_pod(KSERVE_TEST_NAMESPACE,
                                                       label_selector='serving.kserve.io/inferenceservice={}'.
                                                       format(msg_dumper))
@@ -98,7 +98,7 @@ def test_kserve_logger():
                                                               namespace=pod.metadata.namespace,
                                                               container="kserve-container")
         print(log)
-    assert("org.kubeflow.serving.inference.request" in log)
-    assert("org.kubeflow.serving.inference.response" in log)
+    assert ("org.kubeflow.serving.inference.request" in log)
+    assert ("org.kubeflow.serving.inference.response" in log)
     kserve_client.delete(service_name, KSERVE_TEST_NAMESPACE)
     kserve_client.delete(msg_dumper, KSERVE_TEST_NAMESPACE)

test/e2e/predictor/test_autoscaling.py

@@ -69,8 +69,8 @@ def test_sklearn_kserve_concurrency():
 
     res = predict(service_name, INPUT)
     assert res["predictions"] == [1, 1]
-    assert(isvc_annotations[METRIC] == 'concurrency')
-    assert(isvc_annotations[TARGET] == '2')
+    assert (isvc_annotations[METRIC] == 'concurrency')
+    assert (isvc_annotations[TARGET] == '2')
     kserve_client.delete(service_name, KSERVE_TEST_NAMESPACE)
 
 
@@ -108,8 +108,8 @@ def test_sklearn_kserve_rps():
 
     annotations = pods.items[0].metadata.annotations
 
-    assert(annotations[METRIC] == 'rps')
-    assert(annotations[TARGET] == '5')
+    assert (annotations[METRIC] == 'rps')
+    assert (annotations[TARGET] == '5')
     res = predict(service_name, INPUT)
     assert res["predictions"] == [1, 1]
     kserve_client.delete(service_name, KSERVE_TEST_NAMESPACE)
@@ -153,8 +153,8 @@ def test_sklearn_kserve_cpu():
 
     isvc_annotations = pods.items[0].metadata.annotations
 
-    assert(isvc_annotations[METRIC] == 'cpu')
-    assert(isvc_annotations[TARGET] == '50')
+    assert (isvc_annotations[METRIC] == 'cpu')
+    assert (isvc_annotations[TARGET] == '50')
     res = predict(service_name, INPUT)
     assert res["predictions"] == [1, 1]
     kserve_client.delete(service_name, KSERVE_TEST_NAMESPACE)
@@ -197,7 +197,7 @@ def test_sklearn_kserve_raw():
                                                           namespace=KSERVE_TEST_NAMESPACE,
                                                           plural='horizontalpodautoscalers')
 
-    assert(hpa_resp['items'][0]['spec']['targetCPUUtilizationPercentage'] == 50)
+    assert (hpa_resp['items'][0]['spec']['targetCPUUtilizationPercentage'] == 50)
     res = predict(service_name, INPUT)
     assert res["predictions"] == [1, 1]
     kserve_client.delete(service_name, KSERVE_TEST_NAMESPACE)

test/e2e/predictor/test_canary.py

@@ -72,7 +72,7 @@ def test_canary_rollout():
     canary_isvc = kserve_client.get(service_name, namespace=KSERVE_TEST_NAMESPACE)
     for traffic in canary_isvc['status']['components']['predictor']['traffic']:
         if traffic['latestRevision']:
-            assert(traffic['percent'] == 10)
+            assert (traffic['percent'] == 10)
 
     # Delete the InferenceService
     kserve_client.delete(service_name, namespace=KSERVE_TEST_NAMESPACE)
@@ -126,7 +126,7 @@ def test_canary_rollout_runtime():
     canary_isvc = kserve_client.get(service_name, namespace=KSERVE_TEST_NAMESPACE)
     for traffic in canary_isvc['status']['components']['predictor']['traffic']:
         if traffic['latestRevision']:
-            assert(traffic['percent'] == 10)
+            assert (traffic['percent'] == 10)
 
     # Delete the InferenceService
     kserve_client.delete(service_name, namespace=KSERVE_TEST_NAMESPACE)

test/e2e/predictor/test_pytorch.py

@@ -63,5 +63,5 @@ def test_pytorch():
             print(pod)
         raise e
     res = predict(service_name, './data/cifar_input.json')
-    assert(np.argmax(res["predictions"]) == 3)
+    assert (np.argmax(res["predictions"]) == 3)
     kserve_client.delete(service_name, KSERVE_TEST_NAMESPACE)

test/e2e/predictor/test_tensorflow.py

@@ -52,7 +52,7 @@ def test_tensorflow_kserve():
     kserve_client.create(isvc)
     kserve_client.wait_isvc_ready(service_name, namespace=KSERVE_TEST_NAMESPACE)
     res = predict(service_name, './data/flower_input.json')
-    assert(np.argmax(res["predictions"][0].get('scores')) == 0)
+    assert (np.argmax(res["predictions"][0].get('scores')) == 0)
 
     # Delete the InferenceService
     kserve_client.delete(service_name, namespace=KSERVE_TEST_NAMESPACE)
@@ -85,7 +85,7 @@ def test_tensorflow_runtime_kserve():
     kserve_client.create(isvc)
     kserve_client.wait_isvc_ready(service_name, namespace=KSERVE_TEST_NAMESPACE)
     res = predict(service_name, './data/flower_input.json')
-    assert(np.argmax(res["predictions"][0].get('scores')) == 0)
+    assert (np.argmax(res["predictions"][0].get('scores')) == 0)
 
     # Delete the InferenceService
     kserve_client.delete(service_name, namespace=KSERVE_TEST_NAMESPACE)

test/e2e/predictor/test_triton.py

@@ -74,7 +74,7 @@ def test_triton():
             print(deployment)
         raise e
     res = predict(service_name, "./data/image.json", model_name='cifar10')
-    assert(np.argmax(res.get("predictions")[0]) == 5)
+    assert (np.argmax(res.get("predictions")[0]) == 5)
     kserve_client.delete(service_name, KSERVE_TEST_NAMESPACE)
 
 
@@ -126,5 +126,5 @@ def test_triton_runtime():
             print(deployment)
         raise e
     res = predict(service_name, "./data/image.json", model_name='cifar10')
-    assert(np.argmax(res.get("predictions")[0]) == 5)
+    assert (np.argmax(res.get("predictions")[0]) == 5)
     kserve_client.delete(service_name, KSERVE_TEST_NAMESPACE)

test/e2e/transformer/test_raw_transformer.py

@@ -77,5 +77,5 @@ def test_transformer():
         raise e
 
     res = predict(service_name, "./data/transformer.json", model_name="mnist")
-    assert(res.get("predictions")[0] == 2)
+    assert (res.get("predictions")[0] == 2)
     kserve_client.delete(service_name, KSERVE_TEST_NAMESPACE)

test/e2e/transformer/test_transformer.py

@@ -78,5 +78,5 @@ def test_transformer():
             print(pod)
         raise e
     res = predict(service_name, "./data/transformer.json", model_name="mnist")
-    assert(res.get("predictions")[0] == 2)
+    assert (res.get("predictions")[0] == 2)
     kserve_client.delete(service_name, KSERVE_TEST_NAMESPACE)