GitHub CVE warning for flask

[MichaelTiemannOSC]

GitHub warns that flask < 2.3.2 in requirements.txt suffers from CVE-2023-30861. flask ~> 2.3.2 is a fix (but may require other libraries be updated, depending on dependencies).

@HeatherAck

[MichaelTiemannOSC]

GitHub sent another ping about this. Can you please fix in the various branches? Thanks!

[DaBeIDS]

I started to test the new flask version.
For the rule-based-docker we can change to Flask 2.3.2
For the model and extraction docker there seems to be an issue, maybe due to the Python version underlying the Pytorch Image.

I checked the error message and for Flask < 2.2,5 we can also use version 2.2.5 as a solution:

I will test that next and hope that this will work. Let you know afterwards.

Test details:
Build Docker on Open Shift and see if issues in the creation pop up.

[MichaelTiemannOSC]

Thanks so much! If 2.2.5 does the job, we can move conservatively at first, and then when we have the new ODH environment (which will upgrade LOTS of dependencies) we can see how much needs to be done to upgrade to 2.3.2 (or later).

[DaBeIDS]

Hi Michael,
unfortunately flask 2.2.5 has the following dependency on werkzeug:

On the other hand we use farm 0.5.0 which has the fixed dependecy:

Obviously farm is important for us and so we have here an unresolvable issue in the moment.

Unfortunately we can not just upgrade farm in the moment as we can not test which version is compatible as we can still not run a full train_on_pdf.py. We will think about how we could resolve the issue. One solution could be to just drop flask completely and run everything in one docker file. Maybe discuss on wednesday.

[DaBeIDS]

Hi Michael,
i just checked. Even the newest version of farm has the requirement Werkzeug==0.16.1.
There was also a discussion in the past about that:

deepset-ai/FARM#764

Seems that this is a real showstopper for the new flask version.
So we have to think about another solution...

[MichaelTiemannOSC]

Thanks for your continued diligence into this problem. Maybe it's time to take the past discussion to heart and either switch from Farm to Haystack or consider other methods for training models. @Shreyanand how have folks on your team dealt with this question?

[Shreyanand]

@MichaelTiemannOSC thanks for the tag! We have not encountered the exact Flask problem in this issue but when we were implementing the sparsity models, we ran into incompatibilities with the old Farm version. In order to train the sparse models, we had to port the training and inference code to use the Huggingface transformers package. The notebook here shows how it can work in this use case.
Haystack is built on top of transformers so it may be easier to develop with but the original transformers package does offer more flexibility and easy integrations with other frameworks. Hope that helps.

[ModeSevenIndustrialSolutions]

Think this issue needs some priority; I will try and talk to Michael about it this week.