
ISSUE: #49 - Update math libraries #51

Merged
merged 32 commits into from
Mar 31, 2023

Conversation

brendanarnold
Collaborator

@brendanarnold brendanarnold commented Dec 29, 2022

Addresses issue #49

docker scan polis-math:latest now results in 2 low severity issues in the Alpine Docker base image and 1 low in polis-math

  • Move metasoarous/oz to a developer dependency (removes vulnerable protobuf-java, netty-codec, jetty-http in ring, soup, snakeyaml from production code)
  • Remove AWS housekeeping code and vulnerable amazonica and other AWS libraries (removes vulnerable guava, nippy, httpclient)
  • Updated postgresql library to 42.5.1
  • Update semantic-csv - already at latest (uses vulnerable gson and protobuf-java)
  • Update korma - already at latest (uses vulnerable c3p0)
  • Update commons/collection to 3.2.2
  • Update cli-excel (uses vulnerable poi)
  • Update ring (uses vulnerable jetty-http)
  • Update clj-http to 3.12.3 (uses vulnerable commons-codec)
  • Update clojure/tools
  • Included MATH_ENV variable in template - necessary for data export
  • Update docs to reflect not needing to install all the dependencies before running math

@brendanarnold brendanarnold marked this pull request as ready for review December 29, 2022 19:02
@@ -1,11 +1,8 @@
FROM docker.io/clojure:tools-deps
FROM --platform=linux/amd64 docker.io/clojure:tools-deps-1.11.1.1208-alpine
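Review bot: the new base image is pinned by tag (`tools-deps-1.11.1.1208-alpine`) rather than by digest, so the image that `docker scan` was run against can drift under the same tag; consider appending an `@sha256:` digest (with a comment recording the tag it corresponds to) so the scan result stays reproducible. The `--platform=linux/amd64` pin also forces emulation for anyone building on an arm64 host; if it was added only to work around a missing multi-arch manifest for this tag, a one-line comment saying so would save the next person from removing it.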


You may have done this because the default ubuntu base has become problematic (I ran into this recently). I have a preference for sticking with a debian base, for familiarity sake as much as anything, but this is something we can discuss.

Collaborator Author


Yes, it's because Debian and Ubuntu both have a huge amount of dependencies that are considered vulnerable in our governance tests - I'd like to keep our production system using Alpine because of this minimal approach.

Comment on lines 28 to 30
# These may be the deprecated settings for submitting web requests to the math worker
# These are the shared credentials for the math worker to use when polling
export WEBSERVER_USERNAME=ws-user
export WEBSERVER_PASS=ws-pass
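Review bot: the template ships hardcoded default credentials (`WEBSERVER_USERNAME=ws-user`, `WEBSERVER_PASS=ws-pass`); if the math worker no longer makes web requests with them, drop both `export` lines rather than leaving defaults that can be copied unchanged into a deployment, and if anything still reads them, leave the values empty so a missing secret fails loudly instead of authenticating with a known default. The two leading comments also contradict each other ("may be the deprecated settings" versus "the shared credentials ... when polling"), so whichever is true should stand alone.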


I don't think these are needed any more and can be deleted. This was for when the server directly made web requests to the darwin server, which ran from the math codebase (but wasn't the same as the polling process). Now, export requests are handled through messages sent through the postgres db.

@metasoarous

@brendanarnold FYI: A similar update has been merged into the edge branch at #compdemocracy/polis. Will probably be doing some additional work soon to pull out some libraries that aren't being used anymore.

Thanks!

@brendanarnold brendanarnold merged commit a34a22e into govuk/main Mar 31, 2023
@brendanarnold
Collaborator Author

> @brendanarnold FYI: A similar update has been merged into the edge branch at #compdemocracy/polis. Will probably be doing some additional work soon to pull out some libraries that aren't being used anymore.

Thanks @metasoarous, good to know. There are a couple of vulnerabilities that come from semantic-csv that would be good to squash; I've put an issue against that repo here: metasoarous/semantic-csv#75. It looks like a version bump on clojurescript should do it.
