
Commit 7a041ed

thomasdhc authored and NeMo Bot committed
ci: Address container and source code cve (NVIDIA-NeMo#1753)
* Address container and source code cve

Signed-off-by: Dong Hyuk Chang <9426164+thomasdhc@users.noreply.github.com>

* Update uv lock

Signed-off-by: NeMo Bot <nemo-bot@nvidia.com>

---------

Signed-off-by: Dong Hyuk Chang <9426164+thomasdhc@users.noreply.github.com>
Signed-off-by: NeMo Bot <nemo-bot@nvidia.com>
Co-authored-by: NeMo Bot <nemo-bot@nvidia.com>
1 parent 2fde17b commit 7a041ed

File tree

4 files changed

+917
-532
lines changed


docker/Dockerfile

Lines changed: 23 additions & 0 deletions
@@ -125,6 +125,7 @@ RUN if [ "$INSTALL_UCCL_EP" = "True" ]; then \
125125

126126
# Address base image CVE
127127
RUN pip install "aiohttp>=3.13.3" \
128+
"black>=26.3.1" \
128129
"jaraco-context>=6.1.0" \
129130
"nbconvert>=7.17.0" \
130131
"pillow>=12.1.1" \
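Review bot: the new `"black>=26.3.1"` entry, like every other entry in this `pip install` list, is a floating lower bound, so the version actually installed changes from one rebuild to the next and the image is not reproducible; the `# Address base image CVE` comment also does not say which advisory each bump answers. Suggest pinning exact versions (or a constraints file) and recording the advisory per line, e.g. `"black==26.3.1"  # <advisory id>`, so a scanner finding can be matched back to the bump that was meant to close it. It is also worth confirming that black, a code formatter, is needed in the runtime image at all rather than being upgraded only because the base image happens to ship it.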
@@ -154,6 +155,28 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
154155
uv sync --extra $AUTOMODEL_INSTALL --all-groups $UV_SYNC_ARGS && \
155156
uv cache prune --ci
156157

158+
# Patch wandb-core: bump google.golang.org/grpc (CVE fix)
159+
ARG TARGETARCH
160+
RUN if python3 -c "import wandb" 2>/dev/null; then \
161+
GRPC_VERSION=1.79.3 && \
162+
GO_VERSION=1.26.1 && \
163+
WANDB_VERSION=$(python3 -c "import wandb; print(wandb.__version__)") && \
164+
WANDB_CORE_BIN=/opt/venv/lib/python3.12/site-packages/wandb/bin/wandb-core && \
165+
curl -fsSL "https://dl.google.com/go/go${GO_VERSION}.linux-${TARGETARCH}.tar.gz" | tar -C /tmp -xz && \
166+
export PATH="/tmp/go/bin:$PATH" && \
167+
export GOPATH=/tmp/gopath && \
168+
git clone --depth 1 --branch "v${WANDB_VERSION}" https://github.com/wandb/wandb.git /tmp/wandb-src && \
169+
cd /tmp/wandb-src/core && \
170+
go get google.golang.org/grpc@v${GRPC_VERSION} && \
171+
go mod tidy && \
172+
go mod vendor && \
173+
CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} go build -trimpath -ldflags="-s -w" \
174+
-o "${WANDB_CORE_BIN}" ./cmd/wandb-core/ && \
175+
rm -rf /tmp/wandb-src /tmp/go /tmp/gopath; \
176+
else \
177+
echo "wandb not installed, skipping CVE patch"; \
178+
fi
179+
157180
COPY . /opt/Automodel
158181

159182
WORKDIR /opt/Automodel
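Review bot: the Go toolchain is fetched with `curl -fsSL ... | tar -C /tmp -xz` and then executed without any integrity check, so this CVE fix is built with an unverified download, and the wandb source is cloned by a mutable tag (`--branch "v${WANDB_VERSION}"`) rather than a fixed commit. Suggest downloading the Go archive to a file, comparing it against a pinned SHA-256 (Go publishes one per release archive) before extracting, and pinning the wandb checkout to a commit hash recorded next to `WANDB_VERSION`, so the rebuilt `wandb-core` is reproducible and a substituted toolchain or source tree fails the build instead of shipping. Two smaller points: `WANDB_CORE_BIN` hard-codes `/opt/venv/lib/python3.12/site-packages`, so a Python bump would send `go build -o` somewhere other than the wandb package the `import wandb` check just found; deriving the directory from `python3 -c "import wandb, os; print(os.path.dirname(wandb.__file__))"` keeps the two in step. And `ARG TARGETARCH` has no default, so a build outside buildx gets an empty `GOARCH` and a malformed download URL; a `${TARGETARCH:?}` guard would fail early with a clear message rather than partway through the curl.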
