Merge pull request #508 from ansforge/chore/security/fix-cve-chatbot

chore/security : fix des vulnérabilités du chatbot

Author: issam71100

.github/config/build-matrices.yaml

@@ -19,14 +19,6 @@ projects:
         tag: hub-healthcheck
         artifact-name: trivy-reports-healthcheck
 
-  chatbot:
-    description: "AI chatbot service"
-    include:
-      - name: chatbot
-        context: ./tools/chatbot
-        tag: hub-chatbot
-        artifact-name: trivy-reports-chatbot
-
   openssl:
     description: "OpenSSL utilities"
     include:
@@ -50,3 +42,11 @@ projects:
         context: ./tools/annuaire
         tag: hub-annuaire
         artifact-name: trivy-reports-annuaire
+
+  chatbot:
+    description: "AI chatbot assistant"
+    include:
+      - name: chatbot
+        context: ./tools/chatbot
+        tag: hub-chatbot
+        artifact-name: trivy-reports-chatbot

.github/workflows/build-images.yml

@@ -1,15 +1,15 @@
-name: Build images (landing, healthcheck, chatbot, openSSL, specs, annuaire)
+name: Build images (landing, healthcheck, openSSL, specs, annuaire, chatbot)
 
 on:
   workflow_dispatch:
   push:
     tags:
       - 'landing-*'
       - 'healthcheck-*'
-      - 'chatbot-*'
       - 'openssl-*'
       - 'specs-*'
       - 'annuaire-*'
+      - 'chatbot-*'
 
 permissions:
   contents: read
@@ -87,6 +87,13 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
+      - name: Login to Docker Hardened Images
+        uses: docker/login-action@v3
+        with:
+          registry: dhi.io
+          username: ${{ secrets.DHI_USERNAME }}
+          password: ${{ secrets.DHI_PASSWORD }}
+      
       - name: Login to Container Registry
         uses: docker/login-action@v3
         with:
@@ -101,27 +108,23 @@ jobs:
           tags: ghcr.io/${{ github.repository_owner }}/${{ matrix.tag }}:${{ needs.extract-release-info.outputs.version }}
           context: ${{ matrix.context }}
 
+      - name: Check for trivyignore file
+        id: check-trivyignore
+        run: |
+          if [ -f "${{ matrix.context }}/.trivyignore" ]; then
+            echo "exists=true" >> $GITHUB_OUTPUT
+            echo "path=${{ matrix.context }}/.trivyignore" >> $GITHUB_OUTPUT
+          else
+            echo "exists=false" >> $GITHUB_OUTPUT
+          fi
+
       - name: Scan Docker image
+        id: trivy-scan
         continue-on-error: true
         uses: aquasecurity/trivy-action@0.33.1
         with:
           image-ref: ghcr.io/${{ github.repository_owner }}/${{ matrix.tag }}:${{ needs.extract-release-info.outputs.version }}
-          format: 'sarif'
-          output: 'trivy-${{ matrix.name }}-image.sarif'
+          format: 'table'
           severity: 'HIGH,CRITICAL'
           exit-code: '1'
-
-      - name: Upload image scan results to GitHub Security tab
-        if: always() && hashFiles('trivy-${{ matrix.name }}-image.sarif') != ''
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: 'trivy-${{ matrix.name }}-image.sarif'
-          category: 'trivy-${{ matrix.name }}-image'
-
-      - name: Upload image scan reports as artifacts
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ matrix.artifact-name }}
-          path: '*.sarif'
-          retention-days: 30
+          trivyignores: ${{ steps.check-trivyignore.outputs.exists == 'true' && steps.check-trivyignore.outputs.path || '' }}

tools/chatbot/.trivyignore

@@ -0,0 +1,19 @@
+# Vulnérabilités HIGH sans correctif disponible
+# Dernière révision: 27 janvier 2026
+
+# CVE-2026-0994 - protobuf (Python package)
+# DoS via nested google.protobuf.Any messages
+# Status: No fix available
+# Justification: Dépendance transitive de chromadb, impact faible (pas de parsing JSON externe malveillant)
+CVE-2026-0994
+
+# CVE-2026-0861 - glibc/libc6 (Debian system package)
+# Integer overflow in memalign leads to heap corruption
+# Status: No fix available
+# Justification: Exploitation nécessite contrôle des paramètres memalign (peu probable dans notre contexte)
+CVE-2026-0861
+
+# DS026 - HEALTHCHECK instruction missing
+# Justification: Utilisation de Kubernetes avec livenessProbe/readinessProbe
+# Le HEALTHCHECK Docker est ignoré par Kubernetes
+DS026

tools/chatbot/Dockerfile

@@ -1,40 +1,42 @@
-# Use an official Python runtime as a parent image
-FROM python:3.13-slim
+# Builder stage - use Debian Python image for building (onnxruntime needs glibc/manylinux)
+FROM dhi.io/python:3.13-dev AS builder
+
+COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
 
 # Set environment variables
 ENV PYTHONDONTWRITEBYTECODE=1 \
     PYTHONUNBUFFERED=1 \
-    UV_CACHE_DIR=/opt/uv-cache \
+    UV_CACHE_DIR=/tmp/uv-cache \
     UV_LINK_MODE=copy
 
-# Install system dependencies and uv
-RUN apt-get update && apt-get install -y \
-    curl \
-    ca-certificates \
-    && rm -rf /var/lib/apt/lists/* \
-    && curl -LsSf https://astral.sh/uv/install.sh | sh \
-    && mv /root/.local/bin/uv /usr/local/bin/uv \
-    && mv /root/.local/bin/uvx /usr/local/bin/uvx
+# Set the working directory
+WORKDIR /app
 
-# Create a non-root user and group
-RUN groupadd -r -g 1000 chatbot && useradd -r -u 1000 -g chatbot chatbot
+# Copy dependency files
+COPY pyproject.toml uv.lock ./
 
-# Set the working directory in the container
-WORKDIR /app
+# Install dependencies
+RUN uv sync --frozen --no-dev
 
-# Create UV cache directory with proper permissions and set ownership of working directory
-RUN mkdir -p $UV_CACHE_DIR && \
-    chown -R chatbot:chatbot $UV_CACHE_DIR && \
-    chown -R chatbot:chatbot /app
+# Final stage - use standard Debian slim (DHI too minimal for venv)
+FROM dhi.io/python:3.13
 
-# Switch to the non-root user
-USER chatbot
+# Set environment variables
+ENV PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1 \
+    PATH="/app/.venv/bin:$PATH"
 
-# Copy the current directory contents into the container at /app
-COPY --chown=chatbot:chatbot . .
+# Set the working directory
+WORKDIR /app
 
-# Install dependencies and project in one step
-RUN uv sync --frozen --no-dev
+# Copy virtual environment from builder
+COPY --from=builder --chown=1000:1000 /app/.venv /app/.venv
+
+# Copy application code
+COPY chatbot.py chatbot.py
+
+# Explicit non-root user (already set by base image)
+USER 1000
 
-# Run the application (--no-sync prevents any dependency downloads at runtime)
-CMD ["uv", "run", "--no-sync", "python", "chatbot.py"]
+# Run the application
+CMD ["python", "chatbot.py"]

tools/chatbot/pyproject.toml

@@ -7,7 +7,7 @@ dependencies = [
     "slack-bolt~=1.26.0",
     "langchain-openai~=1.0.1",
     "langchain-community~=0.4.1",
-    "langchain-core~=1.0.2",
+    "langchain-core>=1.2.5",
     "langchain-chroma~=1.0.0",
     "chromadb~=1.3.0",
     "openai~=2.6.1",