Merge pull request #252 from StatCan/vulnerability-fix

fix: repo build errors and vscode issues

Author: JessicaBarh

Diff for: .github/containerscan/allowedlist.yaml

@@ -9,5 +9,4 @@ general:
     - NSWG-ECO-427
     - CVE-2019-10746
     - CVE-2019-10747
-    - CVE-2019-0228
-    - CVE-2021-28918
+    - CVE-2021-23334 # static-eval - was deemed not a vulnerability

Diff for: Makefile

@@ -8,7 +8,7 @@
 # https://github.com/jupyter/docker-stacks
 
 # The docker-stacks tag
-DOCKER-STACKS-UPSTREAM-TAG := r-4.0.3
+DOCKER-STACKS-UPSTREAM-TAG := 512afd49b925
 
 tensorflow-CUDA := 11.1
 pytorch-CUDA    := 11.0
@@ -103,6 +103,7 @@ rstudio: cpu
 		$(SRC)/4_CLI.Dockerfile \
 		$(SRC)/5_DB-Drivers.Dockerfile \
 		$(SRC)/6_$(@).Dockerfile \
+		$(SRC)/7_remove_vulnerabilities.Dockerfile \
 		$(SRC)/∞_CMD.Dockerfile \
 	>   $(OUT)/$@/Dockerfile
 
@@ -118,6 +119,7 @@ jupyterlab: pytorch tensorflow cpu
 			$(SRC)/4_CLI.Dockerfile \
 			$(SRC)/5_DB-Drivers.Dockerfile \
 			$(SRC)/6_$(@).Dockerfile \
+			$(SRC)/7_remove_vulnerabilities.Dockerfile \
 			$(SRC)/∞_CMD.Dockerfile \
 		>   $(OUT)/$@-$${type}/Dockerfile; \
 	done
@@ -135,6 +137,7 @@ remote-desktop:
 		$(SRC)/3_Kubeflow.Dockerfile \
 		$(SRC)/4_CLI.Dockerfile \
 		$(SRC)/6_remote-desktop.Dockerfile \
+		$(SRC)/7_remove_vulnerabilities.Dockerfile \
 		$(SRC)/∞_CMD_remote-desktop.Dockerfile \
 	>   $(OUT)/$@/Dockerfile
 

Diff for: docker-bits/0_Rocker.Dockerfile

@@ -1,4 +1,6 @@
-FROM rocker/geospatial:4.0.3
+# Rocker/geospatial is tagged by R version number.  They are not clear on whether they'll change those tagged 
+# images for hotfixes, so always pin tag and digest to prevent unexpected upstream changes
+FROM rocker/geospatial:4.0.3@sha256:9e00ab4fec7b38a0edbadb07e7554bf3b7fa34d15c6fe42522a09ae88d336219
 
 # For compatibility with docker stacks
 ARG NB_USER="jovyan"

Diff for: docker-bits/0_cpu.Dockerfile

@@ -1,7 +1,13 @@
-ARG BASE_VERSION=r-4.0.3
+# Docker-stacks version tags (eg: `r-4.0.3`) are LIVE images that are frequently updated.  To avoid unexpected
+# image updates, pin to the docker-stacks git commit SHA tag.
+# It can be obtained by running `docker inspect repo/imagename:tag@digest` or from 
+# https://github.com/jupyter/docker-stacks/wiki
+
+ARG BASE_VERSION=512afd49b925
 FROM jupyter/datascience-notebook:$BASE_VERSION
 
 USER root
+
 ENV PATH="/home/jovyan/.local/bin/:${PATH}"
 
 RUN apt-get update --yes \

Diff for: docker-bits/6_jupyterlab.Dockerfile

@@ -1,6 +1,6 @@
 # installs vscode server, python & conda packages and jupyter lab extensions.
 
-# Using JupyterLab 3.0 inherited docker-stacks base image. A few extensions we used to install do not yet support 
+# Using JupyterLab 3.0 inherited docker-stacks base image. A few extensions we used to install do not yet support
 # this version of Jupyterlab and/or are not OL-compliant so they have been removed until new compatible versions are available:
     # jupyterlab-kale
     # jupyterlab-variableinspector
@@ -11,8 +11,8 @@
 # TODO: use official package jupyterlab-language-pack-fr-FR when released by Jupyterlab instead of the StatCan/jupyterlab-language-pack-fr_FR repo.
 
 # Install vscode
-ARG VSCODE_VERSION=3.8.0
-ARG VSCODE_SHA=ee10f45b570050939cafd162fbdc52feaa03f2da89d7cdb8c42bea0a0358a32a
+ARG VSCODE_VERSION=3.10.0
+ARG VSCODE_SHA=ce4e252a47682319e27d836bb443d6246938db4be2c3bfbc80793a5939e35604
 ARG VSCODE_URL=https://github.com/cdr/code-server/releases/download/v${VSCODE_VERSION}/code-server_${VSCODE_VERSION}_amd64.deb
 
 USER root
@@ -29,15 +29,17 @@ RUN wget -q "${VSCODE_URL}" -O ./vscode.deb \
 ENV XDG_DATA_HOME=/etc/share
 ENV SERVICE_URL=https://extensions.coder.com/api
 COPY vscode-overrides.json $XDG_DATA_HOME/code-server/User/settings.json
-ARG SHA256py=a4191fefc0e027fbafcd87134ac89a8b1afef4fd8b9dc35f14d6ee7bdf186348
+ARG SHA256py=d32d8737858661451705faa9f176f8a1a03485b2d9984de40d45cc0403a3bcf4
+# Languagepacks.json needs to exist for code-server to recognize the languagepack
+COPY languagepacks.json $XDG_DATA_HOME/code-server/
 
-RUN VS_PYTHON_VERSION="2020.5.86806" && \
+RUN VS_PYTHON_VERSION="2021.5.829140558" && \
     wget --quiet --no-check-certificate https://github.com/microsoft/vscode-python/releases/download/$VS_PYTHON_VERSION/ms-python-release.vsix && \
     echo "${SHA256py} ms-python-release.vsix" | sha256sum -c - && \
     code-server --install-extension ms-python-release.vsix && \
     rm ms-python-release.vsix && \
-    code-server --install-extension [email protected].2 && \
-    code-server --install-extension MS-CEINTL.vscode-language-pack-fr@1.51.2 && \
+    code-server --install-extension [email protected].6 && \
+    code-server --install-extension MS-CEINTL.vscode-language-pack-fr@1.56.2 && \
     fix-permissions $XDG_DATA_HOME
 
 # Default environment
@@ -87,16 +89,15 @@ RUN julia -e 'using Pkg; Pkg.add("LanguageServer")' \
     && \
     conda install -c conda-forge \
       'r-languageserver' \
-      'python-language-server' \
+      'python-lsp-server' \
     && \
-    npm install --save-dev \
+    jlpm add --dev \
       'bash-language-server' \
       'dockerfile-language-server-nodejs' \
       'javascript-typescript-langserver' \
       'sql-language-server' \
       'unified-language-server' \
-      'vscode-json-languageserver-bin' \
-      'yaml-language-server' \
+      '[email protected]' \
     && \
     conda clean --all -f -y && \
     fix-permissions $CONDA_DIR && \

Diff for: docker-bits/7_remove_vulnerabilities.Dockerfile

@@ -0,0 +1,6 @@
+# Remove libpdfbox-java due to CVE-2019-0228. See https://github.com/StatCan/kubeflow-containers/issues/249#issuecomment-834808115 for details.
+# Issue opened https://github.com/jupyter/docker-stacks/issues/1299.
+# This line of code should be removed once a solution or better alternative is found.
+RUN apt-get update --yes \
+    && dpkg -r --force-depends libpdfbox-java \
+    && rm -rf /var/lib/apt/lists/*

Diff for: output/docker-stacks-datascience-notebook/Dockerfile

@@ -1,4 +1,4 @@
-FROM jupyter/datascience-notebook:r-4.0.3
+FROM jupyter/datascience-notebook:512afd49b925
 
 ###############################
 ###  docker-bits/∞_CMD.Dockerfile

Diff for: output/docker-stacks-datascience-notebook/languagepacks.json

@@ -27,7 +27,7 @@ if [ -n "${KF_LANG}" ]; then
         export LANG="en_US.utf8"
     else
         export LANG="fr_CA.utf8"
-        #  User's browser lang is set to french, open jupyterlab in french (fr_FR)
+        #  User's browser lang is set to French, open jupyterlab and vs_code in French (fr_FR)
         if [ "${DEFAULT_JUPYTER_URL}" != "/rstudio" ]; then
           export LANG="fr_FR"
           lang_file="/home/${NB_USER}/.jupyter/lab/user-settings/@jupyterlab/translation-extension/plugin.jupyterlab-settings"
@@ -42,6 +42,8 @@ if [ -n "${KF_LANG}" ]; then
             echo     '   "locale": "'${LANG}'"'
             echo     '}'
           ) >> $lang_file
+          vscode_language="${XDG_DATA_HOME}/code-server/User/argv.json"
+          echo "{\"locale\":\"fr\"}" >> $vscode_language
         fi
     fi
 fi

Diff for: output/docker-stacks-datascience-notebook/start-custom.sh

@@ -8,10 +8,16 @@
 ###  docker-bits/0_cpu.Dockerfile
 ###############################
 
-ARG BASE_VERSION=r-4.0.3
+# Docker-stacks version tags (eg: `r-4.0.3`) are LIVE images that are frequently updated.  To avoid unexpected
+# image updates, pin to the docker-stacks git commit SHA tag.
+# It can be obtained by running `docker inspect repo/imagename:tag@digest` or from 
+# https://github.com/jupyter/docker-stacks/wiki
+
+ARG BASE_VERSION=512afd49b925
 FROM jupyter/datascience-notebook:$BASE_VERSION
 
 USER root
+
 ENV PATH="/home/jovyan/.local/bin/:${PATH}"
 
 RUN apt-get update --yes \
@@ -117,7 +123,7 @@ RUN apt-get update && \
 
 # installs vscode server, python & conda packages and jupyter lab extensions.
 
-# Using JupyterLab 3.0 inherited docker-stacks base image. A few extensions we used to install do not yet support 
+# Using JupyterLab 3.0 inherited docker-stacks base image. A few extensions we used to install do not yet support
 # this version of Jupyterlab and/or are not OL-compliant so they have been removed until new compatible versions are available:
     # jupyterlab-kale
     # jupyterlab-variableinspector
@@ -128,8 +134,8 @@ RUN apt-get update && \
 # TODO: use official package jupyterlab-language-pack-fr-FR when released by Jupyterlab instead of the StatCan/jupyterlab-language-pack-fr_FR repo.
 
 # Install vscode
-ARG VSCODE_VERSION=3.8.0
-ARG VSCODE_SHA=ee10f45b570050939cafd162fbdc52feaa03f2da89d7cdb8c42bea0a0358a32a
+ARG VSCODE_VERSION=3.10.0
+ARG VSCODE_SHA=ce4e252a47682319e27d836bb443d6246938db4be2c3bfbc80793a5939e35604
 ARG VSCODE_URL=https://github.com/cdr/code-server/releases/download/v${VSCODE_VERSION}/code-server_${VSCODE_VERSION}_amd64.deb
 
 USER root
@@ -146,15 +152,17 @@ RUN wget -q "${VSCODE_URL}" -O ./vscode.deb \
 ENV XDG_DATA_HOME=/etc/share
 ENV SERVICE_URL=https://extensions.coder.com/api
 COPY vscode-overrides.json $XDG_DATA_HOME/code-server/User/settings.json
-ARG SHA256py=a4191fefc0e027fbafcd87134ac89a8b1afef4fd8b9dc35f14d6ee7bdf186348
+ARG SHA256py=d32d8737858661451705faa9f176f8a1a03485b2d9984de40d45cc0403a3bcf4
+# Languagepacks.json needs to exist for code-server to recognize the languagepack
+COPY languagepacks.json $XDG_DATA_HOME/code-server/
 
-RUN VS_PYTHON_VERSION="2020.5.86806" && \
+RUN VS_PYTHON_VERSION="2021.5.829140558" && \
     wget --quiet --no-check-certificate https://github.com/microsoft/vscode-python/releases/download/$VS_PYTHON_VERSION/ms-python-release.vsix && \
     echo "${SHA256py} ms-python-release.vsix" | sha256sum -c - && \
     code-server --install-extension ms-python-release.vsix && \
     rm ms-python-release.vsix && \
-    code-server --install-extension [email protected].2 && \
-    code-server --install-extension MS-CEINTL.vscode-language-pack-fr@1.51.2 && \
+    code-server --install-extension [email protected].6 && \
+    code-server --install-extension MS-CEINTL.vscode-language-pack-fr@1.56.2 && \
     fix-permissions $XDG_DATA_HOME
 
 # Default environment
@@ -204,16 +212,15 @@ RUN julia -e 'using Pkg; Pkg.add("LanguageServer")' \
     && \
     conda install -c conda-forge \
       'r-languageserver' \
-      'python-language-server' \
+      'python-lsp-server' \
     && \
-    npm install --save-dev \
+    jlpm add --dev \
       'bash-language-server' \
       'dockerfile-language-server-nodejs' \
       'javascript-typescript-langserver' \
       'sql-language-server' \
       'unified-language-server' \
-      'vscode-json-languageserver-bin' \
-      'yaml-language-server' \
+      '[email protected]' \
     && \
     conda clean --all -f -y && \
     fix-permissions $CONDA_DIR && \
@@ -225,6 +232,17 @@ COPY jupyterlab-overrides.json /opt/conda/share/jupyter/lab/settings/overrides.j
 ENV DEFAULT_JUPYTER_URL=/lab
 ENV GIT_EXAMPLE_NOTEBOOKS=https://github.com/statcan/jupyter-notebooks
 
+###############################
+###  docker-bits/7_remove_vulnerabilities.Dockerfile
+###############################
+
+# Remove libpdfbox-java due to CVE-2019-0228. See https://github.com/StatCan/kubeflow-containers/issues/249#issuecomment-834808115 for details.
+# Issue opened https://github.com/jupyter/docker-stacks/issues/1299.
+# This line of code should be removed once a solution or better alternative is found.
+RUN apt-get update --yes \
+    && dpkg -r --force-depends libpdfbox-java \
+    && rm -rf /var/lib/apt/lists/*
+
 ###############################
 ###  docker-bits/∞_CMD.Dockerfile
 ###############################

Diff for: output/jupyterlab-cpu/Dockerfile

@@ -27,7 +27,7 @@ if [ -n "${KF_LANG}" ]; then
         export LANG="en_US.utf8"
     else
         export LANG="fr_CA.utf8"
-        #  User's browser lang is set to french, open jupyterlab in french (fr_FR)
+        #  User's browser lang is set to French, open jupyterlab and vs_code in French (fr_FR)
         if [ "${DEFAULT_JUPYTER_URL}" != "/rstudio" ]; then
           export LANG="fr_FR"
           lang_file="/home/${NB_USER}/.jupyter/lab/user-settings/@jupyterlab/translation-extension/plugin.jupyterlab-settings"
@@ -42,6 +42,8 @@ if [ -n "${KF_LANG}" ]; then
             echo     '   "locale": "'${LANG}'"'
             echo     '}'
           ) >> $lang_file
+          vscode_language="${XDG_DATA_HOME}/code-server/User/argv.json"
+          echo "{\"locale\":\"fr\"}" >> $vscode_language
         fi
     fi
 fi

Diff for: output/jupyterlab-cpu/languagepacks.json

@@ -8,10 +8,16 @@
 ###  docker-bits/0_cpu.Dockerfile
 ###############################
 
-ARG BASE_VERSION=r-4.0.3
+# Docker-stacks version tags (eg: `r-4.0.3`) are LIVE images that are frequently updated.  To avoid unexpected
+# image updates, pin to the docker-stacks git commit SHA tag.
+# It can be obtained by running `docker inspect repo/imagename:tag@digest` or from 
+# https://github.com/jupyter/docker-stacks/wiki
+
+ARG BASE_VERSION=512afd49b925
 FROM jupyter/datascience-notebook:$BASE_VERSION
 
 USER root
+
 ENV PATH="/home/jovyan/.local/bin/:${PATH}"
 
 RUN apt-get update --yes \
@@ -214,7 +220,7 @@ RUN apt-get update && \
 
 # installs vscode server, python & conda packages and jupyter lab extensions.
 
-# Using JupyterLab 3.0 inherited docker-stacks base image. A few extensions we used to install do not yet support 
+# Using JupyterLab 3.0 inherited docker-stacks base image. A few extensions we used to install do not yet support
 # this version of Jupyterlab and/or are not OL-compliant so they have been removed until new compatible versions are available:
     # jupyterlab-kale
     # jupyterlab-variableinspector
@@ -225,8 +231,8 @@ RUN apt-get update && \
 # TODO: use official package jupyterlab-language-pack-fr-FR when released by Jupyterlab instead of the StatCan/jupyterlab-language-pack-fr_FR repo.
 
 # Install vscode
-ARG VSCODE_VERSION=3.8.0
-ARG VSCODE_SHA=ee10f45b570050939cafd162fbdc52feaa03f2da89d7cdb8c42bea0a0358a32a
+ARG VSCODE_VERSION=3.10.0
+ARG VSCODE_SHA=ce4e252a47682319e27d836bb443d6246938db4be2c3bfbc80793a5939e35604
 ARG VSCODE_URL=https://github.com/cdr/code-server/releases/download/v${VSCODE_VERSION}/code-server_${VSCODE_VERSION}_amd64.deb
 
 USER root
@@ -243,15 +249,17 @@ RUN wget -q "${VSCODE_URL}" -O ./vscode.deb \
 ENV XDG_DATA_HOME=/etc/share
 ENV SERVICE_URL=https://extensions.coder.com/api
 COPY vscode-overrides.json $XDG_DATA_HOME/code-server/User/settings.json
-ARG SHA256py=a4191fefc0e027fbafcd87134ac89a8b1afef4fd8b9dc35f14d6ee7bdf186348
+ARG SHA256py=d32d8737858661451705faa9f176f8a1a03485b2d9984de40d45cc0403a3bcf4
+# Languagepacks.json needs to exist for code-server to recognize the languagepack
+COPY languagepacks.json $XDG_DATA_HOME/code-server/
 
-RUN VS_PYTHON_VERSION="2020.5.86806" && \
+RUN VS_PYTHON_VERSION="2021.5.829140558" && \
     wget --quiet --no-check-certificate https://github.com/microsoft/vscode-python/releases/download/$VS_PYTHON_VERSION/ms-python-release.vsix && \
     echo "${SHA256py} ms-python-release.vsix" | sha256sum -c - && \
     code-server --install-extension ms-python-release.vsix && \
     rm ms-python-release.vsix && \
-    code-server --install-extension [email protected].2 && \
-    code-server --install-extension MS-CEINTL.vscode-language-pack-fr@1.51.2 && \
+    code-server --install-extension [email protected].6 && \
+    code-server --install-extension MS-CEINTL.vscode-language-pack-fr@1.56.2 && \
     fix-permissions $XDG_DATA_HOME
 
 # Default environment
@@ -301,16 +309,15 @@ RUN julia -e 'using Pkg; Pkg.add("LanguageServer")' \
     && \
     conda install -c conda-forge \
       'r-languageserver' \
-      'python-language-server' \
+      'python-lsp-server' \
     && \
-    npm install --save-dev \
+    jlpm add --dev \
       'bash-language-server' \
       'dockerfile-language-server-nodejs' \
       'javascript-typescript-langserver' \
       'sql-language-server' \
       'unified-language-server' \
-      'vscode-json-languageserver-bin' \
-      'yaml-language-server' \
+      '[email protected]' \
     && \
     conda clean --all -f -y && \
     fix-permissions $CONDA_DIR && \
@@ -322,6 +329,17 @@ COPY jupyterlab-overrides.json /opt/conda/share/jupyter/lab/settings/overrides.j
 ENV DEFAULT_JUPYTER_URL=/lab
 ENV GIT_EXAMPLE_NOTEBOOKS=https://github.com/statcan/jupyter-notebooks
 
+###############################
+###  docker-bits/7_remove_vulnerabilities.Dockerfile
+###############################
+
+# Remove libpdfbox-java due to CVE-2019-0228. See https://github.com/StatCan/kubeflow-containers/issues/249#issuecomment-834808115 for details.
+# Issue opened https://github.com/jupyter/docker-stacks/issues/1299.
+# This line of code should be removed once a solution or better alternative is found.
+RUN apt-get update --yes \
+    && dpkg -r --force-depends libpdfbox-java \
+    && rm -rf /var/lib/apt/lists/*
+
 ###############################
 ###  docker-bits/∞_CMD.Dockerfile
 ###############################

Diff for: output/jupyterlab-cpu/start-custom.sh

@@ -27,7 +27,7 @@ if [ -n "${KF_LANG}" ]; then
         export LANG="en_US.utf8"
     else
         export LANG="fr_CA.utf8"
-        #  User's browser lang is set to french, open jupyterlab in french (fr_FR)
+        #  User's browser lang is set to French, open jupyterlab and vs_code in French (fr_FR)
         if [ "${DEFAULT_JUPYTER_URL}" != "/rstudio" ]; then
           export LANG="fr_FR"
           lang_file="/home/${NB_USER}/.jupyter/lab/user-settings/@jupyterlab/translation-extension/plugin.jupyterlab-settings"
@@ -42,6 +42,8 @@ if [ -n "${KF_LANG}" ]; then
             echo     '   "locale": "'${LANG}'"'
             echo     '}'
           ) >> $lang_file
+          vscode_language="${XDG_DATA_HOME}/code-server/User/argv.json"
+          echo "{\"locale\":\"fr\"}" >> $vscode_language
         fi
     fi
 fi