2 changes: 1 addition & 1 deletion .devcontainer/CPU/Dockerfile
@@ -1,4 +1,4 @@
FROM ubuntu:focal-20220531
FROM ubuntu:focal-20250404

RUN apt-get update -y
RUN apt-get -y install gdb
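Review bot: the new base tag ubuntu:focal-20250404 is still a mutable tag, so this rebuild is not reproducible; pin by digest (`FROM ubuntu@sha256:<digest>`, digest to be filled in) and keep the tag in a comment for readability. Separately, `RUN apt-get update -y` and `RUN apt-get -y install gdb` in two layers lets a cached update layer pair with a fresh install, which yields stale or missing packages; combine them as `RUN apt-get update -y && apt-get -y install gdb`.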
4 changes: 2 additions & 2 deletions Algorithm/CMakeLists.txt
Expand Up @@ -7,14 +7,14 @@ include(FetchContent)
FetchContent_Declare(
spdlog
GIT_REPOSITORY https://github.com/gabime/spdlog.git
GIT_TAG v1.13.0
GIT_TAG v1.17.0
)
FetchContent_MakeAvailable(spdlog)

FetchContent_Declare(
toml11
GIT_REPOSITORY https://github.com/ToruNiina/toml11
GIT_TAG v3.7.0
GIT_TAG v3.8.1
Comment on lines +10 to +17

Copilot AI Jan 31, 2026
In this CMake list, both spdlog and toml11 are fetched from GitHub using only version tags (v1.17.0, v3.8.1), which can be moved or replaced upstream, enabling a potential supply-chain attack where your build consumes malicious code without local changes. Pin these dependencies to specific commit SHAs (or vendor them) so that builds are reproducible and cannot be silently altered by upstream tag changes.

)
FetchContent_MakeAvailable(toml11)
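Review bot: for the spdlog and toml11 GIT_TAG bumps, the pinning point raised above is the one to act on, and it is cheap: GIT_TAG accepts a full 40-character commit hash, which CMake's own ExternalProject/FetchContent documentation recommends over a tag or branch name because it cannot be moved and avoids a remote ref lookup on every configure. If a tarball is preferred, `URL` together with `URL_HASH SHA256=<hash>` gives an integrity check that a git clone of a tag does not.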

2 changes: 1 addition & 1 deletion CMakeLists.txt
Expand Up @@ -17,7 +17,7 @@ include(FetchContent)
FetchContent_Declare(
spdlog
GIT_REPOSITORY https://github.com/gabime/spdlog.git
GIT_TAG v1.13.0
GIT_TAG v1.17.0

Copilot AI Jan 31, 2026
The top-level spdlog dependency is fetched via FetchContent_Declare using only the Git tag v1.17.0, so an attacker who can move or replace that tag upstream could cause subsequent builds to compile unreviewed code. To harden your supply chain, pin this dependency to an immutable commit SHA or vendor it instead of relying solely on a mutable tag.

)
FetchContent_MakeAvailable(spdlog)
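Review bot: spdlog is declared with FetchContent_Declare here and again in Algorithm/CMakeLists.txt, CpuImplementations/CMakeLists.txt and Input/CMakeLists.txt, each with its own GIT_TAG. CMake records only the first FetchContent_Declare for a given name and silently ignores later ones, so the four copies must be bumped in lockstep or the version actually built is whichever directory CMake happens to process first. A single declaration in this top-level file, with the sub-directories only calling FetchContent_MakeAvailable(spdlog), removes that skew risk and makes the next bump a one-line change.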

1 change: 1 addition & 0 deletions CUDAKernel/src/CosmicConstants.cu
Expand Up @@ -40,6 +40,7 @@ __device__ __constant__ float rh = 0.0046367333333333f;
__device__ __constant__ float rInit = 1.0f;
__device__ __constant__ bool useUniformInjection = true;


void setConstants(ParamsCarrier *singleTone)
{
if (singleTone->getString("model", "1D Fp").compare("2D SolarProp-like") == 0)
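Review bot: whitespace-only noise in CosmicConstants.cu: the only change is an extra blank line before `setConstants`, unrelated to the dependency bumps this PR is about. Drop it, or move it to a separate formatting commit, so the diff stays focused and reviewable.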
2 changes: 1 addition & 1 deletion CpuImplementations/CMakeLists.txt
Expand Up @@ -7,7 +7,7 @@ include(FetchContent)
FetchContent_Declare(
spdlog
GIT_REPOSITORY https://github.com/gabime/spdlog.git
GIT_TAG v1.13.0
GIT_TAG v1.17.0

Copilot AI Jan 31, 2026
The spdlog dependency fetched via FetchContent_Declare is pinned only by the Git tag v1.17.0, meaning a compromise or force-push of that tag in the upstream repository could inject malicious code into your build without any manifest change here. Prefer pinning to a specific commit SHA (or vendoring the code) to ensure that future builds use exactly the audited version of spdlog.

)
FetchContent_MakeAvailable(spdlog)

2 changes: 1 addition & 1 deletion Dockerfile
@@ -1,4 +1,4 @@
FROM nvidia/cuda:11.6.1-devel-ubuntu20.04
FROM nvidia/cuda:11.8.0-devel-ubuntu20.04

RUN rm /etc/apt/sources.list.d/cuda.list
RUN rm -vf /var/lib/apt/lists/*
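Review bot: `RUN rm /etc/apt/sources.list.d/cuda.list` has no `-f`, so the build fails outright if the 11.8.0-devel-ubuntu20.04 image lays out its apt sources differently from 11.6.1; verify that the file exists in the new image or use `rm -f`. The tag is also mutable, as in the other Dockerfiles; pin by digest (`FROM nvidia/cuda@sha256:<digest>`) for a reproducible image. Note too that the base is still Ubuntu 20.04, which left standard support in 2025.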
2 changes: 1 addition & 1 deletion Dockerfile.CPU
@@ -1,4 +1,4 @@
FROM ubuntu:focal-20220531
FROM ubuntu:focal-20250404

RUN apt-get update -y
RUN apt-get -y install git
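Review bot: focal-20250404 is a newer build of Ubuntu 20.04, but 20.04 itself left standard support in 2025, so this image (and .devcontainer/CPU/Dockerfile, which uses the same tag) will stop receiving base-OS security fixes without Ubuntu Pro/ESM; moving to a supported release such as 22.04 or 24.04 is the bump that actually improves the security posture. While here, merge `apt-get update -y` and `apt-get -y install git` into one RUN so a cached package index cannot be reused against a fresh install.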
8 changes: 4 additions & 4 deletions Input/CMakeLists.txt
Expand Up @@ -14,28 +14,28 @@ include(FetchContent)
FetchContent_Declare(
rapidcsv
GIT_REPOSITORY https://github.com/d99kris/rapidcsv
GIT_TAG v8.82
GIT_TAG v8.90
)
FetchContent_MakeAvailable(rapidcsv)

FetchContent_Declare(
spdlog
GIT_REPOSITORY https://github.com/gabime/spdlog.git
GIT_TAG v1.13.0
GIT_TAG v1.17.0
)
FetchContent_MakeAvailable(spdlog)

FetchContent_Declare(
toml11
GIT_REPOSITORY https://github.com/ToruNiina/toml11
GIT_TAG v3.7.0
GIT_TAG v3.8.1
)
FetchContent_MakeAvailable(toml11)

FetchContent_Declare(
CLI11
GIT_REPOSITORY https://github.com/CLIUtils/CLI11
GIT_TAG v1.3.0
GIT_TAG v1.9.1

Copilot AI Jan 31, 2026
Upgrading CLI11 from v1.3.0 to v1.9.1 introduces a breaking change. The codebase uses the deprecated ->requires() method (see Input/src/ParseParams.cpp:62), which was deprecated in v1.4 and replaced by ->needs(). This will likely cause compilation failures. All usages of ->requires() must be updated to ->needs() before this upgrade can be applied.

Suggested change
GIT_TAG v1.9.1
GIT_TAG v1.3.0

Comment on lines +17 to +38

Copilot AI Jan 31, 2026
These FetchContent_Declare dependencies (rapidcsv, spdlog, toml11, CLI11) are pinned only to Git tags (v8.90, v1.17.0, v3.8.1, v1.9.1), so if any upstream repository or tag is compromised or force-moved, your build could transparently pull and compile attacker-controlled code. To reduce this supply-chain risk, pin these dependencies to immutable commit SHAs (or vendor them locally) instead of relying on mutable tags.

)
FetchContent_MakeAvailable(CLI11)
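Review bot: the CLI11 bump from v1.3.0 to v1.9.1 spans six minor releases, yet no file under Input/src is touched anywhere in this PR; if the remark above about `->requires()` in Input/src/ParseParams.cpp holds, the project will not compile after merge. Either land the call-site update (`->requires()` to `->needs()`) in this same PR and show a passing build, or split the CLI11 bump out so the dependency refreshes for rapidcsv, spdlog and toml11 are not blocked on it. The same pinning advice as for the other CMakeLists.txt files applies to all four GIT_TAG values here: a commit hash in GIT_TAG is what CMake recommends.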
