gatk
Address log4j vulnerability in workflows
Tag 4.2.4.0 doesn't appear to address the fact that WDLs still reference older GATK Docker images and therefore are still vulnerable. This is a quick replacement of all references to outdated GATK images that I could find in this repo's WDLs and WDL-specific JSONs. Note that these changes may be breaking, especially for older workflows; I do not have the bandwidth to individually test each one.
The following images were not updated as I couldn't find a suitable replacement, although I suspect several could be replaced with the standard GATK image:
- pkrusche/hap.py (I'm not sure this would even be affected by the vulnerability)
- broad-gotc-prod/genomes-in-the-cloud
- gatksv/sv-base-mini -- referenced as gatksv/sv-base-mini:b3af2e3 in joint_call_exome_cnvs.wdl
- broadinstitute/oncotator -- referenced as broadinstitute/oncotator:1.9.5.0-eval-gatk-protected in cnv_somatic_oncotator_workflow.wdl, but is a fallback option
- us.gcr.io/broad-dsde-methods/haplochecker
- us.gcr.io/broad-gotc-prod/genomes-in-the-cloud:2.4.2-1552931386
If this PR is accepted, note that all affected WDLs should also have their default tag on Dockstore changed -- only MitochondriaPipeline defaults to master in Dockstore if I recall correctly. gatk4-rnaseq-germline-snps-indels defaults to master but is in the gatk-workflows repo, not this one.
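As an added illustration, not code from this PR or from the GATK project, the audit below does what the description above describes by hand: it pulls Docker image references out of WDL `runtime` blocks and WDL inputs JSON, flags `broadinstitute/gatk` images older than a chosen tag, and lists non-GATK images for manual review. The 4.2.4.1 threshold, the regexes and the sample inputs are assumptions; adjust the threshold to the image tag you consider patched.

```python
import json
import re
from typing import Dict, List, Tuple

# Earliest GATK image tag treated as patched (assumed from the discussion; adjust as needed).
MIN_GATK_TAG = (4, 2, 4, 1)
# Standard GATK image on Docker Hub, with an optional single registry prefix.
GATK_IMAGE_RE = re.compile(r"^(?:[\w.-]+/)?broadinstitute/gatk:(\d+(?:\.\d+)+)$")
# docker attribute inside a WDL runtime block, e.g. docker: "broadinstitute/gatk:4.1.4.1"
WDL_DOCKER_RE = re.compile(r'docker\s*:\s*"([^"]+)"')


def parse_tag(tag: str) -> Tuple[int, ...]:
    """Turn '4.2.4.1' into (4, 2, 4, 1) so tags compare numerically, not as strings."""
    return tuple(int(part) for part in tag.split("."))


def refs_from_wdl(text: str) -> List[str]:
    """Every quoted docker: attribute in WDL source (interpolated ones like ~{gatk_docker} too)."""
    return WDL_DOCKER_RE.findall(text)


def refs_from_json(text: str) -> List[str]:
    """String values whose input name mentions 'docker' in a WDL inputs JSON."""
    return [v for k, v in json.loads(text).items() if "docker" in k.lower() and isinstance(v, str)]


def classify(refs: List[str]) -> Dict[str, List[str]]:
    """Bucket references into outdated / ok GATK images and unverified (non-GATK or unparsable)."""
    report: Dict[str, List[str]] = {"outdated": [], "ok": [], "unverified": []}
    for ref in refs:
        match = GATK_IMAGE_RE.match(ref)
        if match is None:
            report["unverified"].append(ref)  # e.g. pkrusche/hap.py; needs a manual decision
        elif parse_tag(match.group(1)) < MIN_GATK_TAG:
            report["outdated"].append(ref)
        else:
            report["ok"].append(ref)
    return report


# Constructed sample inputs, not files from the repository.
SAMPLE_WDL = """
task HaplotypeCaller {
  runtime { docker: "broadinstitute/gatk:4.1.4.1" }
}
task Compare {
  runtime { docker: "pkrusche/hap.py:v0.3.9" }
}
"""
SAMPLE_JSON = '{"Pipeline.gatk_docker": "broadinstitute/gatk:4.2.4.1"}'

if __name__ == "__main__":
    print(classify(refs_from_wdl(SAMPLE_WDL) + refs_from_json(SAMPLE_JSON)))
```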
Seeking assistance on the build errors -- I don't quite have the bandwidth to decode the logs to figure out what is failing.
Updated to the latest GATK docker.
@lbergelson @droazen Both of you committed changes to the Dockerfile recently, but as far as I can tell they are not security related. Should I keep this PR at 4.2.4.1?
@lbergelson @droazen @ahaessly Sorry for the ping, but I believe this vulnerability still persists.