[features/conda] Address CVE-2023-0286, CVE-2023-23931, and CVE-2022-40897 vulnerabilities (#518)

* [features/conda] Address CVE-2023-0286, CVE-2023-23931, and CVE-2022-40897 vulnerabilities

- Update `install.sh` to install updates for `cryptography` and `setuptools`  packages
- Add tests to verify `cryptography` and `setuptools`  packages version

* Bump feature version

src/conda/devcontainer-feature.json

@@ -1,6 +1,6 @@
 {
     "id": "conda",
-    "version": "1.0.8",
+    "version": "1.0.9",
     "name": "Conda",
     "description": "A cross-platform, language-agnostic binary package manager",
     "documentationURL": "https://github.com/devcontainers/features/tree/main/src/conda",

src/conda/install.sh

@@ -114,8 +114,13 @@ if ! conda --version &> /dev/null ; then
     
     find "${CONDA_DIR}" -type d -print0 | xargs -n 1 -0 chmod g+s
 
-    # Temporary due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23491
+    # Temporary fixes
+    # Due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23491
     install_user_package certifi
+    # Due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0286 and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23931
+    install_user_package cryptography
+    # Due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40897
+    install_user_package setuptools
 fi
 
 # Display a notice on conda when not running in GitHub Codespaces

test/conda/test.sh

@@ -32,5 +32,11 @@ check-version-ge() {
 certifiVersion=$(python -c "import certifi; print(certifi.__version__)")
 check-version-ge "certifi" "${certifiVersion}" "2022.12.07"
 
+cryptographyVersion=$(python -c "import cryptography; print(cryptography.__version__)")
+check-version-ge "cryptography" "${cryptographyVersion}" "39.0.1"
+
+setuptoolsVersion=$(python -c "import setuptools; print(setuptools.__version__)")
+check-version-ge "setuptools" "${setuptoolsVersion}" "65.5.1"
+
 # Report result
 reportResults