From 92978622ea464d10aa093463f0ccd07bcd55169b Mon Sep 17 00:00:00 2001
From: Adrian Gonzalez-Martin
Date: Fri, 14 Apr 2023 09:08:12 +0200
Subject: [PATCH] Move protobuf requirement to docker-specific requirements.txt (#1092)

Co-authored-by: adriangonz
---
 Dockerfile | 2 ++
 Makefile | 1 +
 requirements/docker.txt | 3 +++
 setup.cfg | 13 ++++++++++---
 setup.py | 4 +---
 5 files changed, 17 insertions(+), 6 deletions(-)
 create mode 100644 requirements/docker.txt

diff --git a/Dockerfile b/Dockerfile
index 325f6ad94..11e503434 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -65,6 +65,7 @@ RUN useradd -u 1000 -s /bin/bash mlserver -d $MLSERVER_PATH && \
 chmod -R 776 $MLSERVER_PATH
 
 COPY --from=wheel-builder /opt/mlserver/dist ./dist
+COPY ./requirements/docker.txt ./requirements/docker.txt
 # NOTE: if runtime is "all" we install mlserver--py3-none-any.whl
 # we have to use this syntax to return the correct file: $(ls ./dist/mlserver-*.whl)
 # NOTE: Temporarily excluding mllib from the main image due to:
@@ -90,6 +91,7 @@ RUN . $CONDA_PATH/etc/profile.d/conda.sh && \
 done \
 fi && \
 pip install $(ls "./dist/mlserver-"*.whl) && \
+ pip install -r ./requirements/docker.txt && \
 rm -f /opt/conda/lib/python3.8/site-packages/spacy/tests/package/requirements.txt && \
 rm -rf /root/.cache/pip
 
diff --git a/Makefile b/Makefile
index 290942e8a..037f95c20 100644
--- a/Makefile
+++ b/Makefile
@@ -16,6 +16,7 @@ install-dev:
 fi \
 done
 pip install --editable .
+ pip install -r ./requirements/docker.txt
 
 _generate: # "private" target to call `fmt` after `generate`
 ./hack/generate-types.sh
diff --git a/requirements/docker.txt b/requirements/docker.txt
new file mode 100644
index 000000000..73cf47a66
--- /dev/null
+++ b/requirements/docker.txt
@@ -0,0 +1,3 @@
+# Force patch for CVE-2022-1941
+# Otherwise, TF <2.12 will force a vulnerable version of `protobuf`
+protobuf==3.20.3
diff --git a/setup.cfg b/setup.cfg
index 30865d724..74ee8af6d 100644
--- a/setup.cfg
+++ b/setup.cfg
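Review bot: In the Dockerfile's second hunk (`-90,6 +91,7`) the added `pip install -r ./requirements/docker.txt` is the only thing keeping the image on the patched `protobuf`, and nothing in the build verifies that the pin actually held. pip prints a dependency conflict with an already-installed package but still exits successfully, and any later install step (none is visible in this hunk) could re-resolve `protobuf` to whatever TF <2.12 asks for. I would add a check directly after the pin so the build fails when it is lost, for example `python -c "import google.protobuf as p; assert p.__version__ == '3.20.3', p.__version__" && \`, together with a comment such as `# Keep as the last pip install: re-applies the protobuf pin for CVE-2022-1941`. The RUN instruction starts above the hunk.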
@@ -36,6 +36,7 @@ envlist =
 deps =
 -e{toxinidir}
 -r{toxinidir}/requirements/dev.txt
+ -r{toxinidir}/requirements/docker.txt
 commands =
 # Upgrade setuptools, pip and wheel to ensure we mimic the Docker image's
 # environment
@@ -47,6 +48,7 @@ deps =
 -e{toxinidir}
 -e{toxinidir}/runtimes/sklearn
 -r{toxinidir}/requirements/dev.txt
+ -r{toxinidir}/requirements/docker.txt
 commands =
 pip install --upgrade setuptools pip wheel
 python -m pytest {posargs} {toxinidir}/runtimes/sklearn
@@ -56,6 +58,7 @@ deps =
 -e{toxinidir}
 -e{toxinidir}/runtimes/xgboost
 -r{toxinidir}/requirements/dev.txt
+ -r{toxinidir}/requirements/docker.txt
 commands =
 pip install --upgrade setuptools pip wheel
 python -m pytest {posargs} {toxinidir}/runtimes/xgboost
@@ -65,6 +68,7 @@ deps =
 -e{toxinidir}
 -e{toxinidir}/runtimes/lightgbm
 -r{toxinidir}/requirements/dev.txt
+ -r{toxinidir}/requirements/docker.txt
 commands =
 pip install --upgrade setuptools pip wheel
 python -m pytest {posargs} {toxinidir}/runtimes/lightgbm
@@ -74,6 +78,7 @@ deps =
 -e{toxinidir}
 -e{toxinidir}/runtimes/mlflow
 -r{toxinidir}/requirements/dev.txt
+ -r{toxinidir}/requirements/docker.txt
 -r{toxinidir}/runtimes/mlflow/requirements/dev.txt
 commands =
 pip install --upgrade setuptools pip wheel
@@ -86,7 +91,7 @@ deps =
 commands =
 # Avoid conflicts and ensure `protobuf==3.20.3` is used (CVE-2022-1941)
 # https://github.com/huggingface/optimum/issues/733
- pip install -e{toxinidir}
+ pip install -e{toxinidir} -r{toxinidir}/requirements/docker.txt
 pip install --upgrade setuptools pip wheel
 python -m pytest {posargs} {toxinidir}/runtimes/huggingface
 
@@ -95,6 +100,7 @@ deps =
 -e{toxinidir}/runtimes/alibi-explain
 -e{toxinidir}
 -r{toxinidir}/requirements/dev.txt
+ -r{toxinidir}/requirements/docker.txt
 -r{toxinidir}/runtimes/alibi-explain/requirements/dev.txt
 setenv =
 CUDA_VISIBLE_DEVICES =
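Review bot: The comment kept above the changed line in the setup.cfg hunk at `-86,7 +91,7` (huggingface env) still spells out `protobuf==3.20.3`, although after this commit the version lives only in `requirements/docker.txt`; the same applies to the hunks at `-111,7 +117,7` and `-135,7 +141,8`. Once that file is bumped, these comments will show a stale version next to a CVE id, which misleads anyone auditing the pin. I would point the comment at the file and say why the install is done this way, e.g. `# Install requirements/docker.txt in the same pip call so its protobuf pin (CVE-2022-1941) is honoured`. The env section starts above the hunk.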
@@ -111,7 +117,7 @@ setenv =
 CUDA_VISIBLE_DEVICES =
 commands =
 # Avoid conflicts and ensure `protobuf==3.20.3` is used (CVE-2022-1941)
- pip install -e{toxinidir}
+ pip install -e{toxinidir} -r{toxinidir}/requirements/docker.txt
 pip install --upgrade setuptools pip wheel
 python -m pytest {posargs} {toxinidir}/runtimes/alibi-detect
 
@@ -135,7 +141,8 @@ commands =
 pip install \
 # Avoid conflicts with TF to ensure `protobuf==3.20.3` is used
 # (CVE-2022-1941)
- -e{toxinidir}
+ -e{toxinidir} \
+ -r{toxinidir}/requirements/docker.txt
 python -m pytest {posargs} \
 {toxinidir}/tests \
 {toxinidir}/runtimes/alibi-explain \
diff --git a/setup.py b/setup.py
index f35ca3eea..12e03e0cd 100644
--- a/setup.py
+++ b/setup.py
@@ -52,9 +52,7 @@ def _load_description() -> str:
 "importlib-resources",
 "numpy",
 "pandas",
- # Force patch for CVE-2022-1941
- # https://github.com/huggingface/optimum/issues/733
- "protobuf == 3.20.3",
+ "protobuf",
 "uvicorn",
 "starlette_exporter",
 "py-grpc-prometheus",
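Review bot: Relaxing `"protobuf == 3.20.3"` to a bare `"protobuf"` in the setup.py hunk means an install of the package outside the Docker image no longer excludes the releases affected by CVE-2022-1941; per the comment in `requirements/docker.txt`, TF <2.12 can pull the resolver to a vulnerable version. If the exact pin is too strict for library users, a range or exclusion specifier that still rules out the affected releases would keep that protection, e.g. `"protobuf>=<FIRST_FIXED_VERSION>",` with the real bound taken from the advisory. At minimum I would leave a comment in place of the removed one, such as `# CVE-2022-1941 pin lives in requirements/docker.txt; it is not enforced for plain pip installs`. The list starts and ends outside the hunk, so I am assuming it is the package's install requirements.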