Remediating certifi vulnerability (#37)

Author: hectormachin

.github/workflows/publish-image.yml

@@ -1,40 +1,77 @@
 name: Publish Image
 on:
+  release:
+    types:
+      - published
   push:
     branches:
       - main
-    tags:
+  pull_request:
+    branches:
       - '*'
-    paths:
-      - ./version.json
 
 jobs:
   build:
     env:
       context: .
       image_name: swoop
+      image_registry: "${{ secrets.REGISTRY_URI }}"
+      image_repository: "${{ secrets.REGISTRY_REPOSITORY }}"
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@main
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.x'
+
+      - name: Install dependencies
+        run: pip install setuptools-scm
+
       - name: Get image tags
         id: image_tags
         run: |
-          echo -n ::set-output name=IMAGE_TAGS::
-          VERSION=$(jq -r '.version' ${context}/version.json)
-          TAGS=('latest')
-          if [ "${VERSION}" ] && [ "${VERSION}" != "latest" ]; then
-              TAGS+=("${VERSION}")
+          VERSION="$(python -m setuptools_scm | tr + -)"
+          TAGS=("${VERSION}")
+
+          if [ -n "${{ github.event.release.tag_name }}" ]; then
+            MAJOR="$(<<<"${VERSION}" cut -d '.' -f 1)"
+            MINOR="${MAJOR}.$(<<<"${VERSION}" cut -d '.' -f 2)"
+            TAGS+=('latest' "${MAJOR}" "${MINOR}")
           fi
+
           if [[ "${GITHUB_REF}" =~ refs/tags/(.*) ]]; then
               TAGS+=("git-${BASH_REMATCH[1]}")
           fi
-          ( IFS=$','; echo "${TAGS[*]}" )
-      - name: Build and publish image to Quay
-        uses: docker/build-push-action@v1
+
+          PREFIX="${{ env.image_registry }}/${{ env.image_repository }}/${{ env.image_name }}"
+          EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
+          echo "IMAGE_TAGS<<$EOF" >> "$GITHUB_ENV"
+          for tag in "${TAGS[@]}"; do
+              echo "${PREFIX}:${tag}" >> "$GITHUB_ENV"
+          done
+          echo "$EOF" >> "$GITHUB_ENV"
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          buildkitd-flags: --debug
+
+      - name: Login to Quay.io
+        uses: docker/login-action@v2
         with:
-          path: ${{ env.context }}
-          registry: ${{ secrets.REGISTRY_URI }}
-          repository: ${{ secrets.REGISTRY_REPOSITORY }}/${{ env.image_name }}
+          registry: ${{ env.image_registry }}
           username: ${{ secrets.REGISTRY_USERNAME }}
           password: ${{ secrets.REGISTRY_PASSWORD }}
-          tags: "${{ steps.image_tags.outputs.IMAGE_TAGS }}"
+
+      - name: Build and publish image to Quay
+        uses: docker/build-push-action@v4
+        with:
+          context: ${{ env.context }}
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name == 'release' }}
+          tags: ${{ env.IMAGE_TAGS }}

.snyk

@@ -1,5 +1,9 @@
 # Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
 version: v1.22.1
 
-ignore: {}
+ignore:
+  SNYK-DEBIAN12-POSTGRESQL15-5838227:
+    - '*':
+        reason: Although postgresql-15 package has been flagged as vulnerable, we're not installing postgres-15 on our base image.
+        expires: 2023-09-30T17:33:45.004Z
 patch: {}

Dockerfile

@@ -1,40 +1,15 @@
-FROM debian:bookworm-slim
-
-WORKDIR /app
-
-COPY . /app
-
-RUN apt-get update
-
-RUN apt-get install -y gcc musl-dev python3-dev python3-pip
-
-# Resolving libcurl4 vulnerability https://security-tracker.debian.org/tracker/CVE-2023-23914
-# Resolving libcurl4 vulnerability https://security.snyk.io/vuln/SNYK-DEBIAN12-CURL-5561883
-# Resolving libcurl4 vulnerability https://security.snyk.io/vuln/SNYK-DEBIAN12-CURL-5561882
-RUN apt-get install -y libcurl4>=7.88.1-10 curl>=7.88.1-10
-
-# Resolving libcap2 vulnerability https://security.snyk.io/vuln/SNYK-DEBIAN12-LIBCAP2-5537069
-RUN apt-get install -y libcap2>=1:2.66-4
-
-# Resolving libwebp7 vulnerability https://security.snyk.io/vuln/SNYK-DEBIAN12-LIBWEBP-5489176
-RUN apt-get install -y libwebp7>=1.2.4-0.2
-
-# Resolving libx11-data vulnerability https://security.snyk.io/vuln/SNYK-DEBIAN12-LIBX11-5710892
-RUN apt-get install -y libx11-data>=2:1.8.4-2+deb12u1
-
-# Resolving libssl3 vulnerability https://security.snyk.io/vuln/SNYK-DEBIAN12-OPENSSL-5661565
-# Resolving libssl3 vulnerability https://security.snyk.io/vuln/SNYK-DEBIAN12-OPENSSL-3368733
-RUN apt-get install -y libssl3>=3.0.9-1
-
-# Resolving libaom vulnerabilities:
-#  - https://security-tracker.debian.org/tracker/CVE-2021-30473
-#  - https://security-tracker.debian.org/tracker/CVE-2021-30474
-#  - https://security-tracker.debian.org/tracker/CVE-2021-30475
-RUN apt-get install -y libaom-dev>=3.6.0-1
-
-RUN python3 -m pip install --break-system-packages --upgrade pip && \
-    pip install  --break-system-packages -r requirements.txt && \
-    pip install  --break-system-packages '.[dev]'
+# build python venv for inclusion into image
+FROM python:slim-bookworm as APP
+RUN apt-get update && apt-get install -y git python3-venv
+WORKDIR /opt/swoop/api
+RUN python3 -m venv --copies swoop-api-venv
+COPY requirements.txt .
+COPY workflow-config.yml .
+RUN ./swoop-api-venv/bin/pip install -r requirements.txt
+RUN --mount=source=.git,target=.git,type=bind git clone . clone
+RUN ./swoop-api-venv/bin/pip install ./clone
+
+FROM python:slim-bookworm
 
 ENV SWOOP_ACCESS_KEY_ID=$SWOOP_ACCESS_KEY_ID  \
     SWOOP_SECRET_ACCESS_KEY=$SWOOP_ACCESS_KEY_ID  \
@@ -46,6 +21,12 @@ ENV SWOOP_ACCESS_KEY_ID=$SWOOP_ACCESS_KEY_ID  \
     PGHOST=$PGHOST \
     PGUSER=$PGUSER
 
+COPY --from=APP /opt/swoop/api/swoop-api-venv /opt/swoop/api/swoop-api-venv
+COPY --from=APP /opt/swoop/api/$SWOOP_WORKFLOW_CONFIG_FILE /opt/swoop/api/swoop-api-venv
+ENV PATH=/opt/swoop/api/swoop-api-venv/bin:$PATH
+
 RUN env
 
+WORKDIR /opt/swoop/api/swoop-api-venv
+
 CMD ["uvicorn", "swoop.api.main:app", "--host", "0.0.0.0", "--port", "8000"]

pyproject.toml

@@ -55,6 +55,8 @@ dev = [
     "isort >=5.12.0",
 ]
 
+[tool.setuptools_scm]
+
 [tool.setuptools.dynamic]
 version = {attr = "swoop.api.__version__"}
 readme = {file = "README.md"}

requirements.txt

@@ -15,7 +15,7 @@ buildpg==0.4
     # via
     #   dbami
     #   swoop (pyproject.toml)
-certifi==2023.5.7
+certifi==2023.7.22
     # via minio
 click==8.1.3
     # via uvicorn