diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000000000000000000000000000000000000..dfe0770424b2a19faf507a501ebfc23be8f54e7b
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,2 @@
+# Auto detect text files and perform LF normalization
+* text=auto
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000000000000000000000000000000000000..1c9348364716699cf7428036b1d9883df761a18b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,9 @@
+*.whl
+*.rpm
+*.tar.gz
+*.ps1
+packages.txt
+repo/**
+test_commands.txt
+anchore-reports/**
+report.txt
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..bf8123c6315691c907722d7f5c8bb30584b82ebc
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,100 @@
+ARG STAGE_REGISTRY=registry1.dso.mil
+ARG STAGE_IMAGE=ironbank/carnegie-mellon/python-ai/python38-ai
+ARG STAGE_TAG=3.8
+ARG BASE_REGISTRY=registry1.dso.mil
+ARG BASE_IMAGE=ironbank/opensource/jupyter/jupyterlab
+ARG BASE_TAG=3.0.14
+FROM ${STAGE_REGISTRY}/${STAGE_IMAGE}:${STAGE_TAG} AS multi-stage
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+COPY --from=multi-stage /opt/python /opt/python
+
+# Makes the python packages accessable
+ENV PATH="/opt/python/venv/bin:$PATH"
+
+USER root
+#Workaround for perl issue preventing yum upgrade
+RUN yum remove -y perl-threads
+RUN yum upgrade -y \
+ && yum clean all -y \
+ && yum install -y \
+ vim \
+ zip \
+ unzip \
+ net-tools \
+ # gcc is needed for prophet
+ gcc-c++ \
+ git
+
+# Needed to use packges from multi-stage build in Jupyterlab
+RUN mkdir /tmp/repo
+COPY *.whl /tmp/repo
+RUN python3.8 -m pip install --no-index --find-links /tmp/repo \
+ ipykernel \
+ && rm -rf /tmp/repo
+
+#########################
+# Compliance Mitigation #
+#########################
+
+# Removing unneeded vulnerable binaries
+RUN yum remove -y \
+ binutils \
+ # Medium - CVE-2021-20197, CVE-2021-20294, CVE-2021-3487
+ glibc-devel \
+ # High - CVE-2019-25013
+ # Medium - CVE-2021-3326
+ # Low - CVE-2020-27618, CVE-2021-27645
+ glibc-headers \
+ # High - CVE-2019-25013
+ # Medium - CVE-2021-3326
+ # Low - CVE-2020-27618, CVE-2021-27645
+ #glibc-langpack-en \
+ kernel-headers
+ # High - CVE-2020-12362, CVE-2020-36313
+ # Medium - CVE-2019-20794, CVE-2020-0404, CVE-2020-0427, CVE-2020-0431, CVE-2020-10741, CVE-2020-12114, CVE-2020-12363, CVE-2020-12364, CVE-2020-13844, CVE-2020-14314, CVE-2020-14356, CVE-2020-14416, CVE-2020-15437, CVE-2020-15802, CVE-2020-24394, CVE-2020-24502, CVE-2020-24503, CVE-2020-24504, CVE-2020-25212, CVE-2020-25284, CVE-2020-25285, CVE-2020-25643, CVE-2020-25645, CVE-2020-25704, CVE-2020-26541, CVE-2020-27170, CVE-2020-27171, CVE-2020-27777, CVE-2020-27786, CVE-2020-27835, CVE-2020-28915, CVE-2020-28974, CVE-2020-29660, CVE-2020-35508, CVE-2020-36158, CVE-2020-4788, CVE-2020-8694, CVE-2021-0342, CVE-2021-20194, CVE-2021-20268, CVE-2021-28950, CVE-2021-28971, CVE-2021-28972, CVE-2021-29154, CVE-2021-29650, CVE-2021-3178, CVE-2021-3348, CVE-2021-3411, CVE-2021-3428, CVE-2021-3444
+ # Low - CVE-2019-20095, CVE-2020-11608, CVE-2020-14390, CVE-2020-35501, CVE-2021-20239
+
+
+# Removing identified secret and SUID files
+RUN rm -rf /usr/share/doc/perl-IO-Socket-SSL/certs/ \
+ && rm -rf /usr/share/doc/perl-IO-Socket-SSL/example/ \
+ && rm -rf /usr/share/doc/perl-IO-Socket-SSL/example/ \
+ && rm -rf /usr/share/doc/perl-Net-SSLeay/examples/server_key.pem \
+ && rm -rf /opt/python/venv/lib/python3.8/site-packages/tornado/test/test.key \
+ && chmod g-s /usr/libexec/openssh/ssh-keysign
+
+
+USER jovyan
+
+# Needed to use packges from multi-stage build in Jupyterlab
+# A new kernel is displayed and available for use within JupyterLab
+RUN python3.8 -m ipykernel install --name='AI_Packages' --user
+
+WORKDIR $HOME
+
+EXPOSE 8888
+
+HEALTHCHECK CMD pgrep "jupyter" > /dev/null || exit 1
+
+#################
+# Test Commands #
+#################
+# import sqlite3
+# import plotly
+# import pandas
+# import matplot
+# import seaborn
+# import numba
+# import numpy
+# import scipy
+# import sklearn
+# import tqdm
+# import urllib3
+# import requests
+# from bs4 import BeautifulSoup
+# from wordcloud import WordCloud
+# import statsmodels
+# import prophet
+# import django
+# import flask
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000000000000000000000000000000000000..dba80cfd4a2ae29a59d1f421c99b1397899681a6
--- /dev/null
+++ b/LICENSE
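Review bot: The `rm -rf` cleanup under "Removing identified secret and SUID files" runs in its own `RUN` layer, so `tornado/test/test.key` (brought in by `COPY --from=multi-stage /opt/python /opt/python`) and the perl example keys disappear from the final filesystem but stay readable in the earlier layers of the pushed image; the same holds for `COPY *.whl /tmp/repo` followed by a separate `rm -rf /tmp/repo`. Removing the files in the stage that introduces them (for the tornado key, an `rm` in the `multi-stage` stage before the `COPY --from`, if that stage can write to /opt/python) or squashing the image is what actually drops them. In the first yum chain `yum clean all -y` runs before `yum install -y`, so the install's cache is kept in the layer; it belongs at the end of the chain. `pip install ... ipykernel` is unpinned and resolves against whatever `*.whl` the build context holds, so `ipykernel==5.5.3`, the wheel listed in hardening_manifest.yaml, would tie it to the hash-validated file. The comment says SUID, but `chmod g-s` clears the setgid bit, and the `/usr/share/doc/perl-IO-Socket-SSL/example/` removal is listed twice.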
@@ -0,0 +1,33 @@
+Copyright (c) 2015 Project Jupyter Contributors
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+ list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+ contributors may be used to endorse or promote products derived from
+ this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+Semver File License
+===================
+
+The semver.py file is from https://github.com/podhmo/python-semver
+which is licensed under the "MIT" license. See the semver.py file for details.
diff --git a/README.md b/README.md
index 5dc6fa6db4361c22da2f35edf0544d83ba6001e2..d18657c81d5980937a144eb99016728dba5ac39a 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,9 @@ -# +# -Project template for all Iron Bank container repositories. \ No newline at end of file +## Description + +A minimal jupyterlab notebook container implementing the jupyterlab interface (with left-navigation tabs etc.), Python3.8 (Iron Bank python36 base image) and pip version 21.0.1. + +This image is also inherits all the AI/ML packages from the python38-ai image. + +This image is an UBI 8 refactor of the opensource Dockerfile here: https://github.com/jupyter/docker-stacks/tree/master/base-notebook. diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml new file mode 100644 index 0000000000000000000000000000000000000000..8711954bf2101084859914c17fb17aa01a68fa1f --- /dev/null +++ b/hardening_manifest.yaml 
@@ -0,0 +1,151 @@
+---
+apiVersion: v1
+
+# The repository name in registry1, excluding /ironbank/
+name: "aiml/jupyter/jlab-eda"
+
+# List of tags to push for the repository in registry1
+# The most specific version should be the first tag and will be shown
+# on ironbank.dsop.io
+tags:
+- "3.8"
+- "latest"
+
+# Build args passed to Dockerfile ARGs
+args:
+ STAGE_IMAGE: "ironbank/carnegie-mellon/python-ai/python38-ai"
+ STAGE_TAG: "3.8"
+ BASE_IMAGE: "opensource/jupyter/jupyterlab"
+ BASE_TAG: "3.0.14"
+
+# Docker image labels
+labels:
+ org.opencontainers.image.title: "JupyterLab - Exploratory Data Analysis"
+ org.opencontainers.image.description: "JupyterLab with AI/ML EDA related packages installed"
+ org.opencontainers.image.licenses: "MIT License (MIT)"
+ org.opencontainers.image.url: " "
+ org.opencontainers.image.vendor: "jupyterlab"
+ org.opencontainers.image.version: "3.0.14"
+ mil.dso.ironbank.image.keywords: "jupyter,notebook,terminal,text editor,datascience,ui,data,science,sqlite3,plotly,pandas,matplot,seaborn,numba,numpy,scipy,sklearn,tqdm,urllib3,requests,BeautifulSoup,WordCloud,statsmodels,prophet,django,flask"
+ mil.dso.ironbank.image.type: "opensource"
+ mil.dso.ironbank.product.name: "jlab-eda"
+
+# List of resources to make available to the offline build context
+resources:
+- filename: Pygments-2.8.1-py3-none-any.whl
+ url: https://files.pythonhosted.org/packages/3a/80/a52c0a7c5939737c6dca75a831e89658ecb6f590fb7752ac777d221937b9/Pygments-2.8.1-py3-none-any.whl
+ validation:
+ type: sha256
+ value: 534ef71d539ae97d4c3a4cf7d6f110f214b0e687e92f9cb9d2a3b0d3101289c8
+- filename: backcall-0.2.0-py2.py3-none-any.whl
+ url: https://files.pythonhosted.org/packages/4c/1c/ff6546b6c12603d8dd1070aa3c3d273ad4c07f5771689a7b69a550e8c951/backcall-0.2.0-py2.py3-none-any.whl
+ validation:
+ type: sha256
+ value: fbbce6a29f263178a1f7915c1940bde0ec2b2a967566fe1c65c1dfb7422bd255
+- filename: decorator-5.0.7-py3-none-any.whl
+ url: https://files.pythonhosted.org/packages/bc/b4/c208a551033a7abb67703be73dea3d917dbce528bd87bcd6f7dfceec7097/decorator-5.0.7-py3-none-any.whl
+ validation:
+ type: sha256
+ value: 945d84890bb20cc4a2f4a31fc4311c0c473af65ea318617f13a7257c9a58bc98
+- filename: ipykernel-5.5.3-py3-none-any.whl
+ url: https://files.pythonhosted.org/packages/3a/7d/9f8ac1b1b76f2f1538b5650f0b5636bae082724b1e06939a3a9d38e1380e/ipykernel-5.5.3-py3-none-any.whl
+ validation:
+ type: sha256
+ value: 21abd584543759e49010975a4621603b3cf871b1039cb3879a14094717692614
+- filename: ipython-7.22.0-py3-none-any.whl
+ url: https://files.pythonhosted.org/packages/c9/b1/82cbe2b856386f44f37fdae54d9b425813bd86fe33385c9d658d64826098/ipython-7.22.0-py3-none-any.whl
+ validation:
+ type: sha256
+ value: c0ce02dfaa5f854809ab7413c601c4543846d9da81010258ecdab299b542d199
+- filename: ipython_genutils-0.2.0-py2.py3-none-any.whl
+ url: https://files.pythonhosted.org/packages/fa/bc/9bd3b5c2b4774d5f33b2d544f1460be9df7df2fe42f352135381c347c69a/ipython_genutils-0.2.0-py2.py3-none-any.whl
+ validation:
+ type: sha256
+ value: 72dd37233799e619666c9f639a9da83c34013a73e8bbc79a7a6348d93c61fab8
+- filename: jedi-0.18.0-py2.py3-none-any.whl
+ url: https://files.pythonhosted.org/packages/f9/36/7aa67ae2663025b49e8426ead0bad983fee1b73f472536e9790655da0277/jedi-0.18.0-py2.py3-none-any.whl
+ validation:
+ type: sha256
+ value: 18456d83f65f400ab0c2d3319e48520420ef43b23a086fdc05dff34132f0fb93
+- filename: jupyter_client-6.1.12-py3-none-any.whl
+ url: https://files.pythonhosted.org/packages/77/e8/c3cf72a32a697256608d5fa96360c431adec6e1c6709ba7f13f99ff5ee04/jupyter_client-6.1.12-py3-none-any.whl
+ validation:
+ type: sha256
+ value: e053a2c44b6fa597feebe2b3ecb5eea3e03d1d91cc94351a52931ee1426aecfc
+- filename: jupyter_core-4.7.1-py3-none-any.whl
+ url: https://files.pythonhosted.org/packages/53/40/5af36bffa0af3ac71d3a6fc6709de10e4f6ff7c01745b8bc4715372189c9/jupyter_core-4.7.1-py3-none-any.whl
+ validation:
+ type: sha256
+ value: 8c6c0cac5c1b563622ad49321d5ec47017bd18b94facb381c6973a0486395f8e
+- filename: parso-0.8.2-py2.py3-none-any.whl
+ url: https://files.pythonhosted.org/packages/a9/c4/d5476373088c120ffed82f34c74b266ccae31a68d665b837354d4d8dc8be/parso-0.8.2-py2.py3-none-any.whl
+ validation:
+ type: sha256
+ value: a8c4922db71e4fdb90e0d0bc6e50f9b273d3397925e5e60a717e719201778d22
+- filename: pexpect-4.8.0-py2.py3-none-any.whl
+ url: https://files.pythonhosted.org/packages/39/7b/88dbb785881c28a102619d46423cb853b46dbccc70d3ac362d99773a78ce/pexpect-4.8.0-py2.py3-none-any.whl
+ validation:
+ type: sha256
+ value: 0b48a55dcb3c05f3329815901ea4fc1537514d6ba867a152b581d69ae3710937
+- filename: pickleshare-0.7.5-py2.py3-none-any.whl
+ url: https://files.pythonhosted.org/packages/9a/41/220f49aaea88bc6fa6cba8d05ecf24676326156c23b991e80b3f2fc24c77/pickleshare-0.7.5-py2.py3-none-any.whl
+ validation:
+ type: sha256
+ value: 9649af414d74d4df115d5d718f82acb59c9d418196b7b4290ed47a12ce62df56
+- filename: prompt_toolkit-3.0.18-py3-none-any.whl
+ url: https://files.pythonhosted.org/packages/eb/e6/4b4ca4fa94462d4560ba2f4e62e62108ab07be2e16a92e594e43b12d3300/prompt_toolkit-3.0.18-py3-none-any.whl
+ validation:
+ type: sha256
+ value: bf00f22079f5fadc949f42ae8ff7f05702826a97059ffcc6281036ad40ac6f04
+- filename: ptyprocess-0.7.0-py2.py3-none-any.whl
+ url: https://files.pythonhosted.org/packages/22/a6/858897256d0deac81a172289110f31629fc4cee19b6f01283303e18c8db3/ptyprocess-0.7.0-py2.py3-none-any.whl
+ validation:
+ type: sha256
+ value: 4b41f3967fce3af57cc7e94b888626c18bf37a083e3651ca8feeb66d492fef35
+- filename: python_dateutil-2.8.1-py2.py3-none-any.whl
+ url: https://files.pythonhosted.org/packages/d4/70/d60450c3dd48ef87586924207ae8907090de0b306af2bce5d134d78615cb/python_dateutil-2.8.1-py2.py3-none-any.whl
+ validation:
+ type: sha256
+ value: 75bb3f31ea686f1197762692a9ee6a7550b59fc6ca3a1f4b5d7e32fb98e2da2a
+- filename: pyzmq-22.0.3-cp38-cp38-manylinux2010_x86_64.whl
+ url: https://files.pythonhosted.org/packages/98/f0/848d7850eb8a65f3534c1f4d0e0ba8ba8de2d32a02fa9df1d41a08cc667f/pyzmq-22.0.3-cp38-cp38-manylinux2010_x86_64.whl
+ validation:
+ type: sha256
+ value: 9221783dacb419604d5345d0e097bddef4459a9a95322de6c306bf1d9896559f
+- filename: setuptools-56.0.0-py3-none-any.whl
+ url: https://files.pythonhosted.org/packages/ae/42/2876a3a136f8bfa9bd703518441c8db78ff1eeaddf174baa85c083c1fd15/setuptools-56.0.0-py3-none-any.whl
+ validation:
+ type: sha256
+ value: 7430499900e443375ba9449a9cc5d78506b801e929fef4a186496012f93683b5
+- filename: six-1.15.0-py2.py3-none-any.whl
+ url: https://files.pythonhosted.org/packages/ee/ff/48bde5c0f013094d729fe4b0316ba2a24774b3ff1c52d924a8a4cb04078a/six-1.15.0-py2.py3-none-any.whl
+ validation:
+ type: sha256
+ value: 8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced
+- filename: tornado-6.1-cp38-cp38-manylinux2010_x86_64.whl
+ url: https://files.pythonhosted.org/packages/7a/4a/4fafa6f032f9e202ce5bc1becacef5588a34fd0f0539fdcc705fa2b5ca4a/tornado-6.1-cp38-cp38-manylinux2010_x86_64.whl
+ validation:
+ type: sha256
+ value: d14d30e7f46a0476efb0deb5b61343b1526f73ebb5ed84f23dc794bdb88f9d9f
+- filename: traitlets-5.0.5-py3-none-any.whl
+ url: https://files.pythonhosted.org/packages/f6/7d/3ecb0ebd0ce8dcdfa7bd47ab85c1d4a521e6770ef283d0824f5804994dfe/traitlets-5.0.5-py3-none-any.whl
+ validation:
+ type: sha256
+ value: 69ff3f9d5351f31a7ad80443c2674b7099df13cc41fc5fa6e2f6d3b0330b0426
+- filename: wcwidth-0.2.5-py2.py3-none-any.whl
+ url: https://files.pythonhosted.org/packages/59/7c/e39aca596badaf1b78e8f547c807b04dae603a433d3e7a7e04d67f2ef3e5/wcwidth-0.2.5-py2.py3-none-any.whl
+ validation:
+ type: sha256
+ value: beb4802a9cebb9144e99086eff703a642a13d6a0052920003a230f3294bbe784
+
+
+# List of project maintainers
+maintainers:
+- email: "daniel.komnick@gmail.com"
+ name: "Daniel Komnick"
+ username: "dkomnick"
+ cht_member: false
+- email: "remccarthy@sei.cmu.edu"
+ name: "Rob McCarthy"
+ username: "remccarthy"
+ cht_member: false
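Review bot: `org.opencontainers.image.licenses: "MIT License (MIT)"` disagrees with the LICENSE file added in this commit, which is the 3-clause BSD text from Project Jupyter and names MIT only for semver.py; the label should carry the matching identifier, e.g. `org.opencontainers.image.licenses: "BSD-3-Clause"`. `org.opencontainers.image.url: " "` is a blank placeholder and should hold the upstream project URL. `STAGE_IMAGE` includes the `ironbank/` prefix while `BASE_IMAGE` omits it, although the Dockerfile defaults both registries to `registry1.dso.mil`; a comment stating which registry value each one is joined with would help, since the pipeline's `BASE_REGISTRY` value is not visible here.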