aix-explainer: update versions to fix CVEs #2364
kserve-oss-bot merged 10 commits into kserve:master from
Conversation
Signed-off-by: MessKon <messiskon@gmail.com>
| import kserve | ||
| import numpy as np | ||
| from aix360.algorithms.lime import LimeImageExplainer | ||
| from aix360.algorithms.lime.lime_wrapper import LimeImageExplainer |
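Review bot: the new import reaches into aix360.algorithms.lime.lime_wrapper, a submodule path that is an implementation detail, while aix360.algorithms.lime already exports LimeImageExplainer (as the reviewer notes below); keep the original `from aix360.algorithms.lime import LimeImageExplainer`. The e2e "module cannot be found" error points at the installed aix360 version rather than the import path: aix360 0.1.0 does not ship the lime module at all, so the lower bound in setup.py is what needs raising, not this line.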
You don't need .lime_wrapper, since lime's __init__.py exposes LimeImageExplainer as a public package.
Thank you Tommy. I just went for this as the error on the e2e test was hinting that the aix360.algorithms.lime module cannot be found. I'll revert the change.
| "kserve>=0.7.0", | ||
| "argparse >= 1.4.0", | ||
| "aix360 >= 0.1.0", | ||
| "aix360 >= 0.2.0", |
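Review bot: the raised lower bound `"aix360 >= 0.2.0"` excludes 0.1.0 (which lacks the lime module, per the comment below) but does not make the CVE fix reproducible: with no upper bound and no lock or constraints file, a future aix360 release can resolve to a different tensorflow than the one that was scanned. Pin the exact version that was scanned (for example `aix360==0.2.1`, which the discussion names) or record it in a constraints file, and re-scan when bumping it. Separately, `"argparse >= 1.4.0"` in the unchanged context pulls the unmaintained PyPI backport for no reason, since argparse has been in the standard library since Python 2.7 and 3.2; it can be dropped.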
Needed so that we make sure we avoid version 0.1.0, which does not include the lime module used here.
| COPY kserve kserve | ||
| RUN pip install --no-cache-dir --upgrade pip && pip install --no-cache-dir -e ./kserve | ||
|
|
||
| RUN apt update && apt install -y build-essential |
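Review bot: `RUN apt update && apt install -y build-essential` is its own layer, so even if a later instruction purges build-essential (as the comment below describes), the compiler and the apt package lists remain in this earlier layer and ship in the image. Put the apt install, the pip installs and the purge in a single RUN, e.g. `apt-get install -y --no-install-recommends build-essential && pip install ... && apt-get purge -y --auto-remove build-essential && rm -rf /var/lib/apt/lists/*`. Prefer `apt-get` over `apt` in a Dockerfile as well; `apt` warns that it has no stable CLI interface for scripts.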
python:3.7-slim does not include gcc, which is used for installing a few pip dependencies in aixexplainer.
We install build-essential and remove it afterwards, as it is no longer needed.
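A single-layer version of the install-then-remove step described in this comment, added here as an illustration; it is not the Dockerfile from this PR. It assumes the aixexplainer source directory sits beside kserve in the build context (a guess from the comment above); the apt flags and pip flags are likewise assumptions. The point is that apt install, pip install and apt purge share one RUN, so build-essential never lands in a committed layer. To make the scanned image reproducible, the FROM line can additionally be pinned by digest (python:3.7-slim@sha256:<digest>, where the digest is whatever was actually scanned).

```dockerfile
# Added example, not the kserve/aix-explainer Dockerfile.
# Assumptions: ./kserve and ./aixexplainer are sibling directories in the build context.
FROM python:3.7-slim

# Keep pip from writing a wheel cache into the layer.
ENV PIP_NO_CACHE_DIR=1

COPY kserve kserve
COPY aixexplainer aixexplainer

# One RUN for the whole toolchain lifecycle. If the apt install were a separate
# RUN, gcc and the apt lists would persist in that earlier layer regardless of
# any later purge.
RUN set -eux; \
    apt-get update; \
    apt-get install -y --no-install-recommends build-essential; \
    pip install --upgrade pip; \
    pip install -e ./kserve; \
    pip install -e ./aixexplainer; \
    apt-get purge -y --auto-remove build-essential; \
    rm -rf /var/lib/apt/lists/*
```

After building, `docker history <image>` shows a single layer for the RUN above; a scanner such as grype then only sees the packages that survived the purge, which is the number the PR description should quote.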
| @@ -1,12 +1,14 @@ | |||
| FROM python:3.7 | |||
| FROM python:3.7-slim | |||
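Review bot: `FROM python:3.7-slim` is a floating tag, so the image that was scanned for this PR is not necessarily the one a later rebuild pulls; pin the base by digest (`FROM python:3.7-slim@sha256:<digest>`) and update the digest deliberately when re-scanning. Also note, from the discussion below, that the remaining critical findings come from tensorflow 1.14 pulled in by aix360, which the base image switch does not touch; the PR description should say that the fix covers the OS layer only.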
Ideally we'd want to use python:3.8-slim, which:
a. includes only 5 critical CVEs (according to grype)
b. includes gcc, so there's no need for apt get and apt remove in this file.
However, python:3.8 supports tensorflow >= 2.2, whilst aix360 versions 0.2.0 and 0.2.1 demand tensorflow 1.14.
In fact the extra critical CVEs reported in python:3.7-slim all come from tensorflow.

For now, there's no other option for fixing CVEs, unless aix360 update their dependency.
Let me open an issue to the aix360 community to update the tensorflow version.
Thank you Tommy!
Dependabot seems to have already raised a PR for it.
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: MessKon, yuzisun
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Details
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
* aix-explainer: update versions to fix CVEs Signed-off-by: MessKon <messiskon@gmail.com>
* fix flake8 lint errors Signed-off-by: MessKon <messiskon@gmail.com>
* update aix360 module reference Signed-off-by: MessKon <messiskon@gmail.com>
* revert aix360 module reference Signed-off-by: MessKon <messiskon@gmail.com>
* allow python version 3.6 Signed-off-by: MessKon <messiskon@gmail.com>
* allow python version >3.4 Signed-off-by: MessKon <messiskon@gmail.com>
* use python:3.8-slim-bullseye Signed-off-by: MessKon <messiskon@gmail.com>
* use python:3.8-slim and revert cvxpy change Signed-off-by: MessKon <messiskon@gmail.com>
* use python:3.7-slim and update aix360 requirement Signed-off-by: MessKon <messiskon@gmail.com>
Signed-off-by: Dan Sun <dsun20@bloomberg.net>

* aix-explainer: update versions to fix CVEs Signed-off-by: MessKon <messiskon@gmail.com>
* fix flake8 lint errors Signed-off-by: MessKon <messiskon@gmail.com>
* update aix360 module reference Signed-off-by: MessKon <messiskon@gmail.com>
* revert aix360 module reference Signed-off-by: MessKon <messiskon@gmail.com>
* allow python version 3.6 Signed-off-by: MessKon <messiskon@gmail.com>
* allow python version >3.4 Signed-off-by: MessKon <messiskon@gmail.com>
* use python:3.8-slim-bullseye Signed-off-by: MessKon <messiskon@gmail.com>
* use python:3.8-slim and revert cvxpy change Signed-off-by: MessKon <messiskon@gmail.com>
* use python:3.7-slim and update aix360 requirement Signed-off-by: MessKon <messiskon@gmail.com>
Signed-off-by: alexagriffith <agriffith96@gmail.com>
What this PR does / why we need it:
Fixing critical CVEs in the latest kserve/aix-explainer version.
Comparing this to the latest stable and v0.9.0 kserve/aix-explainer images:

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Not sure there's an open issue for this

Type of changes

Feature/Issue validation/testing:
kserve/aix-explainer image builds ok with no issues

Special notes for your reviewer:

Release note: