[101981] Remove SU privileges from the DB user, update dependencies (#145)

Author: akashchi

SECURITY.md

@@ -0,0 +1,12 @@
+# Security Policy
+
+## Report a Vulnerability
+
+Please report security issues or vulnerabilities to the [Intel® Security Center].
+
+For more information on how Intel® works to resolve security issues, see
+[Vulnerability Handling Guidelines].
+
+[Intel® Security Center]:https://www.intel.com/security
+
+[Vulnerability Handling Guidelines]:https://www.intel.com/content/www/us/en/security-center/vulnerability-handling-guidelines.html

client/e2e/commands.json

@@ -6,7 +6,7 @@
   },
   "browsers": {
     "base": "./node_modules/protractor/bin/webdriver-manager clean && ./node_modules/protractor/bin/webdriver-manager update --github_token 5fb7f923d65bd47dde62689da74cb849435c2c8a {chrome} {firefox}",
-    "chrome": "--versions.chrome 108.0.5359.71",
+    "chrome": "--versions.chrome 110.0.5481.77",
     "firefox": "--versions.gecko v0.26.0",
     "without:chrome": "--chrome false",
     "without:firefox": "--gecko false",

client/package-lock.json

@@ -123,11 +123,12 @@ RUN apt update && \
     rm -rf /var/lib/apt/lists/*
 
 RUN python3 -m pip install pip==19.3.1
+RUN python3 -m pip install -U pip setuptools==65.5.1 wheel
 
 USER postgres
 
 RUN service postgresql start && \
-    psql --command "CREATE USER ${DB_USER}  WITH SUPERUSER PASSWORD '${DB_PASSWORD}';" && \
+    psql --command "CREATE USER ${DB_USER} WITH CREATEDB PASSWORD '${DB_PASSWORD}';" && \
     service postgresql stop
 
 USER root
@@ -217,9 +218,7 @@ WORKDIR ${WHEELS_PATH}
 RUN curl -O $WHEELS_LINK
 RUN curl -O $WHEELS_DEV_LINK
 
-# Base image changed to ubuntu, we should to setup openvino
-RUN python3 -m pip install -U pip setuptools==65.5.1 wheel
-
+# Install OpenVINO manually for Ubuntu base image
 RUN chown -R ${USER_NAME} ${WHEELS_PATH} && \
     OPENVINO_WHEEL=$(find ${WHEELS_PATH} -name "openvino-202*cp38*linux*.whl" -print -quit) && python3 -m pip install ${OPENVINO_WHEEL} && \
     OPENVINO_DEV_WHEEL=$(find ${WHEELS_PATH} -name "openvino_dev*.whl" -print -quit) && python3 -m pip install "${OPENVINO_DEV_WHEEL}"

docker/dockerfiles/Dockerfile

@@ -67,6 +67,7 @@ RUN sed -Ei 's/# deb-src /deb-src /' /etc/apt/sources.list && \
     rm -rf /var/lib/apt/lists/*
 
 RUN python3 -m pip install pip==19.3.1
+RUN python3 -m pip install -U pip setuptools==65.5.1 wheel
 
 # CREATE DIRECTORY FOR PUBLIC WORKBENCH ARTIFACTS
 RUN mkdir -m 777 -p ${WORKBENCH_PUBLIC_DIR} && chown -R ${USER_NAME} ${WORKBENCH_PUBLIC_DIR}

docker/dockerfiles/Dockerfile_install_from_openvino_image.template

@@ -65,7 +65,6 @@ ENV DEPENDENCIES " \
     rabbitmq-server \
     nginx \
     gettext-base \
-    unzip \
     dpkg-dev \
     cmake \
     libpugixml-dev \
@@ -97,6 +96,7 @@ WORKDIR ${INTEL_OPENVINO_DIR}/tools
 ADD --chown=workbench workbench ${OPENVINO_WORKBENCH_ROOT}/
 
 RUN python3 -m pip install pip==19.3.1
+RUN python3 -m pip install -U pip setuptools==65.5.1 wheel
 
 # COPY JUPYTER USER SETTINGS
 COPY --chown=workbench workbench/docker/jupyter_config/user-settings ${JUPYTER_USER_SETTINGS_DIR}
@@ -105,8 +105,6 @@ RUN python3 -m pip install --no-cache-dir -r ${OPENVINO_WORKBENCH_ROOT}/requirem
     python3 -m pip install --no-cache-dir -r ${OPENVINO_WORKBENCH_ROOT}/requirements/requirements_jupyter.txt && \
     python3 -m pip install --no-cache-dir -r ${OPENVINO_WORKBENCH_ROOT}/model_analyzer/requirements.txt
 
-RUN python3 -m pip install -U pip setuptools==65.5.1 wheel
-
 RUN chown -R ${USER_NAME} ${WHEELS_PATH} && \
     OPENVINO_WHEEL=$(find ${WHEELS_PATH} -name "openvino-202*cp38*linux*.whl" -print -quit) && python3 -m pip install ${OPENVINO_WHEEL} && \
     OPENVINO_DEV_WHEEL=$(find ${WHEELS_PATH} -name "openvino_dev*.whl" -print -quit) && python3 -m pip install "${OPENVINO_DEV_WHEEL}"

docker/dockerfiles/Dockerfile_opensource_image.template

@@ -27,7 +27,7 @@ setup_db() {
     # TODO: rm -E UTF8 when 53369 is resolved
     ${POSTGRESQL_BIN_PATH}/initdb -E UTF8 -D "${WORKBENCH_POSTGRESQL_DATA_DIR}" &> ${WB_LOG_FILE}
     ${POSTGRESQL_BIN_PATH}/pg_ctl -D "${WORKBENCH_POSTGRESQL_DATA_DIR}" -w start --log=${WB_LOG_FILE}
-    psql -d postgres --command "CREATE USER ${DB_USER} WITH SUPERUSER PASSWORD '${DB_PASSWORD}'" --quiet &> ${WB_LOG_FILE}
+    psql -d postgres --command "CREATE USER ${DB_USER} WITH CREATEDB PASSWORD '${DB_PASSWORD}'" --quiet &> ${WB_LOG_FILE}
     createdb -O "${DB_USER}" "${DB_NAME}"
     psql -d postgres --command "ALTER USER ${DB_USER} PASSWORD '${DB_PASSWORD}'" --quiet
 

docker/scripts/start_postgresql.sh

@@ -8,7 +8,7 @@ celery==5.2.2
 cffi==1.15.0
 chardet==4.0.0
 click==8.0.0
-cryptography==3.4.8
+cryptography==39.0.1
 git+https://github.com/openvinotoolkit/datumaro.git@develop#egg=datumaro
 defusedxml==0.7.1
 distlib==0.3.2

requirements/requirements.txt

@@ -14,7 +14,7 @@ defusedxml==0.7.1
 entrypoints==0.3
 idna==3.3
 ipykernel==5.1.2
-ipython==7.16.3
+ipython==8.10.0
 ipython-genutils==0.2.0
 ipywidgets==7.5.1
 jedi==0.17.2
@@ -44,7 +44,7 @@ parso==0.7.1
 pexpect==4.8.0
 pickleshare==0.7.5
 prometheus-client==0.9.0
-prompt-toolkit==2.0.10
+prompt-toolkit==3.0.30
 ptyprocess==0.7.0
 pycparser==2.21
 Pygments==2.8.0

requirements/requirements_jupyter.txt

@@ -1,2 +1,2 @@
 numpy==1.22.0
-cryptography==3.3.2
+cryptography==39.0.1

requirements/requirements_snyk.txt

@@ -65,6 +65,7 @@
     r'.*CONTRIBUTING\.md$',
     r'.*pull_request_template\.md$',
     r'LICENSE$',
+    r'SECURITY\.md$',
     r'third-party-programs\.txt$',
     r'.*\.log',
     r'.*requirements_dev\.txt.*',