Abhisheku/mmlab model selection #3692

abhishekMS2024 · 2024-12-18T09:29:19Z

Update import_model component to support MMLab models.

Sample run:

vizhur

Those conda specs can't be a part of any AzureML asset

vizhur · 2025-01-22T18:16:06Z

assets/training/model_management/src/azureml/model/mgmt/processors/pyfunc/vision/conda_is.yaml

+- python=3.9.19
+- pip<=24.0
+- pip:
+  - mlflow==2.12.1


"vulnerabilities": [ { "aliases": [ "CVE-2024-37057" ], "details": "Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.0.0rc0 or newer, enabling a maliciously uploaded Tensorflow model to run arbitrary code on an end user’s system when interacted with.", "fixed_in": [], "id": "GHSA-j8mg-pqc5-x9gj", "link": "https://osv.dev/vulnerability/GHSA-j8mg-pqc5-x9gj", "source": "osv", "summary": null, "withdrawn": null }, { "aliases": [ "CVE-2024-37052" ], "details": "Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with.", "fixed_in": [], "id": "GHSA-76cg-cfhx-373f", "link": "https://osv.dev/vulnerability/GHSA-76cg-cfhx-373f", "source": "osv", "summary": null, "withdrawn": null }, { "aliases": [ "CVE-2024-37053" ], "details": "Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with.", "fixed_in": [], "id": "GHSA-43c4-9qgj-x742", "link": "https://osv.dev/vulnerability/GHSA-43c4-9qgj-x742", "source": "osv", "summary": null, "withdrawn": null }, { "aliases": [ "CVE-2024-37056" ], "details": "Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.23.0 or newer, enabling a maliciously uploaded LightGBM scikit-learn model to run arbitrary code on an end user’s system when interacted with.", "fixed_in": [], "id": "GHSA-7p8j-qv6x-f4g4", "link": "https://osv.dev/vulnerability/GHSA-7p8j-qv6x-f4g4", "source": "osv", "summary": null, "withdrawn": null }, { "aliases": [ "CVE-2024-37060" ], "details": "Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a maliciously crafted Recipe to execute arbitrary code on an end user’s system when run.", "fixed_in": [], "id": "GHSA-cv6c-7963-wxcg", "link": "https://osv.dev/vulnerability/GHSA-cv6c-7963-wxcg", "source": "osv", "summary": null, "withdrawn": null }, { "aliases": [ "CVE-2024-37055" ], "details": "Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.24.0 or newer, enabling a maliciously uploaded pmdarima model to run arbitrary code on an end user’s system when interacted with.", "fixed_in": [], "id": "GHSA-x38x-g6gr-jqff", "link": "https://osv.dev/vulnerability/GHSA-x38x-g6gr-jqff", "source": "osv", "summary": null, "withdrawn": null }, { "aliases": [ "CVE-2024-37054" ], "details": "Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.9.0 or newer, enabling a maliciously uploaded PyFunc model to run arbitrary code on an end user’s system when interacted with.", "fixed_in": [], "id": "GHSA-ghv6-9r9j-wh4j", "link": "https://osv.dev/vulnerability/GHSA-ghv6-9r9j-wh4j", "source": "osv", "summary": null, "withdrawn": null }, { "aliases": [ "CVE-2024-37058" ], "details": "Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.5.0 or newer, enabling a maliciously uploaded Langchain AgentExecutor model to run arbitrary code on an end user’s system when interacted with.", "fixed_in": [], "id": "GHSA-cwgg-w6mp-w9hg", "link": "https://osv.dev/vulnerability/GHSA-cwgg-w6mp-w9hg", "source": "osv", "summary": null, "withdrawn": null }, { "aliases": [ "CVE-2024-37061" ], "details": "Remote Code Execution can occur in versions of the MLflow platform running version 1.11.0 or newer, enabling a maliciously crafted MLproject to execute arbitrary code on an end user’s system when run due to unfiltered input.", "fixed_in": [], "id": "GHSA-pqcv-qw2r-r859", "link": "https://osv.dev/vulnerability/GHSA-pqcv-qw2r-r859", "source": "osv", "summary": null, "withdrawn": null }, { "aliases": [ "CVE-2024-37059" ], "details": "Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with.", "fixed_in": [], "id": "GHSA-wf7f-8fxf-xfxc", "link": "https://osv.dev/vulnerability/GHSA-wf7f-8fxf-xfxc", "source": "osv", "summary": null, "withdrawn": null }, { "aliases": [ "CVE-2024-27134" ], "details": "Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf. This behavior can be exploited by a local attacker to gain elevated permissions by using a ToCToU attack. The issue is only relevant when the spark_udf() MLflow API is called.", "fixed_in": [ "2.16.0" ], "id": "GHSA-qpgc-w4mg-6v92", "link": "https://osv.dev/vulnerability/GHSA-qpgc-w4mg-6v92", "source": "osv", "summary": null, "withdrawn": null } ]

}

vizhur · 2025-01-22T18:16:33Z

assets/training/model_management/src/azureml/model/mgmt/processors/pyfunc/vision/conda_is.yaml

+dependencies:
+- python=3.9.19
+- pip<=24.0
+- pip:


below is the list of vulnerabilities just for the first package https://pypi.org/pypi/mlflow/2.12.1/json

Roopa G and others added 20 commits November 12, 2024 14:32

initial commit

9069624

Review comments

476a37f

Fixes

71ad8a3

Fixes

1256ae7

Fixes

a13de9f

Fixes

1e45634

Merge branch 'main' into groopa/vision/mmd

5de9a42

If else rough

74de879

test conditional block changes

970d78e

test conditional block changes

1e76215

test conditional block changes

2241eaf

test conditional block changes

a3459aa

test conditional block changes

a88e05a

test conditional block changes

1cc8bb5

test conditional block changes

246d532

test conditional block changes

a5f4628

Removed unused code

346c228

Added output selector

cfde392

Added output selector

6c6fb01

remove un-needed components

e05036b

abhishekMS2024 requested a review from a team as a code owner December 18, 2024 09:29

abhishekMS2024 added 2 commits December 18, 2024 15:09

updated component versions

2d01260

removed unused code

031a310

deepanshMS assigned roopavidhya Dec 18, 2024

roopavidhya previously approved these changes Dec 18, 2024

View reviewed changes

updated the download component for mmlab

fa226b4

abhishekMS2024 dismissed roopavidhya’s stale review via fa226b4 December 24, 2024 03:41

updated the download component for mmlab

7cabbf1

abhishekMS2024 temporarily deployed to Testing December 24, 2024 05:09 — with GitHub Actions Inactive

abhishekMS2024 requested a review from roopavidhya December 24, 2024 05:25

Addi-11 previously approved these changes Dec 24, 2024

View reviewed changes

code refactoring

067952c

abhishekMS2024 dismissed Addi-11’s stale review via 067952c December 24, 2024 06:38

abhishekMS2024 temporarily deployed to Testing December 24, 2024 06:39 — with GitHub Actions Inactive

abhishekMS2024 added the safe to publish Pull request containing new asset has been tested properly label Dec 24, 2024

Fixed syntax issue

79817c8

abhishekMS2024 temporarily deployed to Testing December 24, 2024 07:15 — with GitHub Actions Inactive

Merge branch 'main' into abhisheku/mmlab_model_selection

1b683a9

abhishekMS2024 temporarily deployed to Testing December 24, 2024 07:16 — with GitHub Actions Inactive

abhishekMS2024 temporarily deployed to Testing December 24, 2024 07:17 — with GitHub Actions Inactive

abhishekMS2024 marked this pull request as ready for review December 26, 2024 03:21

vizhur removed the safe to publish Pull request containing new asset has been tested properly label Jan 7, 2025

amitthakur-ms approved these changes Jan 21, 2025

View reviewed changes

Merge branch 'main' into abhisheku/mmlab_model_selection

a72c14c

abhishekMS2024 had a problem deploying to Testing January 21, 2025 09:38 — with GitHub Actions Failure

deepanshMS unassigned roopavidhya Jan 21, 2025

Merge branch 'main' into abhisheku/mmlab_model_selection

f38333d

deepanshMS temporarily deployed to Testing January 22, 2025 10:29 — with GitHub Actions Inactive

itzasifmd approved these changes Jan 22, 2025

View reviewed changes

vizhur requested changes Jan 22, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Abhisheku/mmlab model selection #3692

Abhisheku/mmlab model selection #3692

abhishekMS2024 commented Dec 18, 2024

vizhur left a comment

vizhur Jan 22, 2025

vizhur Jan 22, 2025

Abhisheku/mmlab model selection #3692

Are you sure you want to change the base?

Abhisheku/mmlab model selection #3692

Conversation

abhishekMS2024 commented Dec 18, 2024

vizhur left a comment

Choose a reason for hiding this comment

vizhur Jan 22, 2025

Choose a reason for hiding this comment

vizhur Jan 22, 2025

Choose a reason for hiding this comment