From f9fbcd3f069e023606c89f662c9b68a2bb192c86 Mon Sep 17 00:00:00 2001 From: ckunki Date: Wed, 15 Jan 2025 11:40:21 +0100 Subject: [PATCH] Added documentation about various dependencies of the AI-Lab --- doc/changes/changes_3.2.0.md | 16 ++++++++-------- doc/developer_guide/dependencies.md | 21 +++++++++++++++++++++ doc/developer_guide/developer_guide.md | 3 ++- 3 files changed, 31 insertions(+), 9 deletions(-) create mode 100644 doc/developer_guide/dependencies.md diff --git a/doc/changes/changes_3.2.0.md b/doc/changes/changes_3.2.0.md index b04d8561..ab0b6131 100644 --- a/doc/changes/changes_3.2.0.md +++ b/doc/changes/changes_3.2.0.md 
@@ -9,21 +9,21 @@ This release updates dependencies and fixes security vulnerabilities on top of 3 Fixed vulnerabilities: * Vulnerabilities in direct dependency `jinja2` version 3.1.4 - * [#50](https://github.com/exasol/ai-lab/security/dependabot/#50) Moderate: Jinja has a sandbox breakout through malicious filenames Moderate - * [#49](https://github.com/exasol/ai-lab/security/dependabot/#49) Moderate: Jinja has a sandbox breakout through indirect reference to format method Moderate + * #50 Moderate: Jinja has a sandbox breakout through malicious filenames Moderate + * #49 Moderate: Jinja has a sandbox breakout through indirect reference to format method Moderate * Vulnerabilities in transitive dependency `ansible-core` via `ansible`: - * [#44](https://github.com/exasol/ai-lab/security/dependabot/44) Moderate, affects versions < 2.17.6, ansible-core Incorrect Authorization vulnerability Moderate - * [#47](https://github.com/exasol/ai-lab/security/dependabot/47) Low, affects versions < 2.17.7: Ansible-Core vulnerable to content protections bypass Low + * #44 Moderate, affects versions < 2.17.6, ansible-core Incorrect Authorization vulnerability Moderate + * #47 Low, affects versions < 2.17.7: Ansible-Core vulnerable to content protections bypass Low * Vulnerabilities in transitive testing dependency `tornado` version 6.4.1 via `pytest-check-links`, `nbconvert`, `nbclient`, `jupyter-client`: - * [#46](https://github.com/exasol/ai-lab/security/dependabot/#46) High: Tornado has an HTTP cookie parsing DoS vulnerability High + * #46 High: Tornado has an HTTP cookie parsing DoS vulnerability High Accepted vulnerabilities: * Vulnerabilities in transitive testing dependency `python-jose` version 3.3.0 via `localstack` as there is no newer version available. 
- * [#31](https://github.com/exasol/ai-lab/security/dependabot/31) Critical: python-jose algorithm confusion with OpenSSH ECDSA keys Critical - * [#32](https://github.com/exasol/ai-lab/security/dependabot/#32) Moderate: python-jose denial of service via compressed JWE content Moderate + * #31 Critical: python-jose algorithm confusion with OpenSSH ECDSA keys Critical + * #32 Moderate: python-jose denial of service via compressed JWE content Moderate * Vulnerabilities in transitive dependency `ansible-core` 2.17.7 version via `ansible` as there is no newer version available. - * [#43](https://github.com/exasol/ai-lab/security/dependabot/43) High: Ansible vulnerable to Insertion of Sensitive Information into Log File High + * #43 High: Ansible vulnerable to Insertion of Sensitive Information into Log File High ## Security Issues diff --git a/doc/developer_guide/dependencies.md b/doc/developer_guide/dependencies.md new file mode 100644 index 00000000..1b373b13 --- /dev/null +++ b/doc/developer_guide/dependencies.md 
@@ -0,0 +1,21 @@ +### Update dependencies + +AI-Lab contains dependencies on multiple levels and specified in multiple places. + +* [pyproject.toml](https://github.com/exasol/ai-lab/blob/main/pyproject.toml) impacting [poetry.lock](https://github.com/exasol/ai-lab/blob/main/poetry.lock) +* Requirements files in ansible scripts + * [jupyter_requirements.txt](https://github.com/exasol/ai-lab/blob/main/exasol/ds/sandbox/runtime/ansible/roles/jupyter/files/jupyter_requirements.txt) + * [notebook_requirements.txt](https://github.com/exasol/ai-lab/blob/main/exasol/ds/sandbox/runtime/ansible/roles/jupyter/files/notebook_requirements.txt) + * Including the notebook-connector and its dependencies SLCT and [slct_manager.py](https://github.com/exasol/notebook-connector/blob/main/exasol/nb_connector/slct_manager.py) +* Dependencies in other ansible scripts, e.g. + * [docker/defaults/main.yml](https://github.com/exasol/ai-lab/blob/main/exasol/ds/sandbox/runtime/ansible/roles/docker/defaults/main.yml) +* AMI base image, see [exasol/ds/sandbox/lib/config.py](https://github.com/exasol/ai-lab/blob/main/exasol/ds/sandbox/lib/config.py) +* GitHub Workflows: no actual dependencies + +Commands to update operating system packages + +```shell +sudo apt-get update +sudo apt-get install = +sudo apt serarch +``` \ No newline at end of file diff --git a/doc/developer_guide/developer_guide.md b/doc/developer_guide/developer_guide.md index 017bdadc..d637b562 100644 --- a/doc/developer_guide/developer_guide.md +++ b/doc/developer_guide/developer_guide.md @@ -16,5 +16,6 @@ the virtual image formats. 6. [Running tests in the CI](ci.md) 7. [Updating Packages](updating_packages.md) 8. [Notebooks](notebooks.md) +9. [Dependencies](dependencies.md) - +Section [Dependencies](dependencies.md) is dedicated to enumerating all places defining dependencies as the AI-Lab contains dependencies on multiple levels and specified in multiple places.
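Review bot: In the `changes_3.2.0.md` hunk, dropping the dependabot URLs from every alert entry removes the only link back to the advisory; the removed lines show the real defect was inconsistent URL forms (`.../security/dependabot/#50` with a fragment versus `.../security/dependabot/44` without), so correcting them to one form would preserve traceability instead of deleting them. In the same lines each entry also states the severity twice (`#50 Moderate: ... Moderate`); the trailing word is redundant and can go.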
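Review bot: The `shell` block at the end of the new `dependencies.md` is not usable as written: `sudo apt-get install =` has no package name and a stray `=`, `sudo apt serarch` is a typo for `apt search`, and the search step should come before the install. Suggest writing it out with explicit placeholders, e.g. `sudo apt-get update`, `apt search <package>`, `sudo apt-get install <package>=<version>`, and end the file with a newline (the hunk reports `\ No newline at end of file`). Two smaller points in the same hunk: "contains dependencies on multiple levels and specified in multiple places" reads better as "declares dependencies on multiple levels and in multiple places", and the file opens with a level-3 heading (`### Update dependencies`) although it is a stand-alone guide page that the `developer_guide.md` hunk links to as a top-level section.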
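Review bot: In the `developer_guide.md` hunk the added paragraph repeats what item 9 already says and reuses the opening sentence of the new file almost verbatim; either keep only the list entry or reduce the paragraph to one clause, e.g. "See [Dependencies](dependencies.md) for all places where dependencies are declared." The hunk also replaces the blank line after the list with that paragraph, so the prose now follows `9. [Dependencies](dependencies.md)` directly and will render as a continuation of the list item rather than a separate paragraph; keep a blank line between them.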