chore: update code-server for vuln

[Jose-Matsuda]

Description

What your PR adds/fixes/removes
Closes #293

Tests / Quality Checks

Automated Testing/build and deployment

• [?] Does the image pass CI successfully (build, pass vulnerability scan, and pass automated test suite)?
• [?] If new features are added (new image, new binary, etc), have new automated tests been added to cover these?
• If new features are added that require in-cluster testing (e.g. a new feature that needs to interact with kubernetes), have you added the auto-deploy tag to the PR before pushing in order to build and push the image to ACR so you can test it in cluster as a custom image?

JupyterLab extensions

• [?] Are all extensions "enabled" (jupyter labextension list from inside the notebook)?

VS Code tests

• [?] Does VS Code open?
• [?] Can you install extensions?

Code review

• Have you added the auto-deploy tag to your PR before your most recent push to this repo? This causes CI to build the image and push to our ACR, letting reviewers access the built image without having to create it themselves
• Have you chosen a reviewer, attached them as a reviewer to this PR, and messaged them with the SHA-pinned image name for the final image to test (e.g. k8scc01covidacr.azurecr.io/machine-learning-notebook-cpu:746d058e2f37e004da5ca483d121bfb9e0545f2b)?

[Jose-Matsuda]

New errors of

appeared recently, I'm trying to update the FROM image like

but as you can see in the error there are some shenanigans going on.
^ cant update because ml-metadata is not supported in python 3.9 yet and that new image uses python 3.9

google/ml-metadata#56
and
google/ml-metadata#37

Seem to indicate it's resolved but I guess I will need to do more digging, in the meantime I will try to build the image without it and scan it

[Jose-Matsuda]

Did some scanning locally using the following command trivy image --severity CRITICAL jupyter/datascience-notebook:tag and here are some results.

This first screenshot is what we currently use

The second is the result after updating to a recent push from 8 days ago

Running it on our actual built image jupyterlab-cpu (this was with a recent image as well) we get

(as well as the vulnerability from code-server)

Using our current file we get the two critical vulnerabilities

Going through our current image

[Jose-Matsuda]

Yea we might want to evaluate the importance of the sql-language-server that we install as this is where the vulnerabilities come from.

ssh2 is fixed in the patch for 1.4.0 but upon digging to the most recent commit for sql-language-server 3 days ago it relies on "node-ssh-forward": "^0.6.3", and going looking at node-ssh-forward and then going into the repo -which has not been updated in over a year- uses "ssh2": "^0.8.9"

Upon removing the sql-language-server and building it and then running the trivy scan both vulnerabilities are now gone

[Jose-Matsuda]

I think we should ignore the one issue for pyyaml due to

GHSA-8q59-q68h-6hv4 and
GHSA-6757-jp84-gxfx <--- this issue fix is 'incomplete' so maybe we will add this to allowed vulnerabilities

So we should pin pyyaml to 5.4.1 at the least and not 5.3.1

[Jose-Matsuda]

This last error of Cryptography is funky as when I do a pip list inside vscode I get `

vs in terminal

Using pip show

So the vulnerable one is in the conda environment

[skyeturriff]

Looks ok to me