From cdfe4608b5be07a439b7c4477a3b5dc8677f3a07 Mon Sep 17 00:00:00 2001
From: Hector Machin
Date: Mon, 21 Aug 2023 21:03:46 -0400
Subject: [PATCH 1/4] Remediating certify vulnerability

---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.txt b/requirements.txt
index 9d0b861..4f81e76 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -15,7 +15,7 @@ buildpg==0.4
     # via
     #   dbami
     #   swoop (pyproject.toml)
-certifi==2023.5.7
+certifi==2023.7.22
     # via minio
 click==8.1.3
     # via uvicorn

From a1333379deb21c5f10ff091c6f51e02cb20cbf5c Mon Sep 17 00:00:00 2001
From: Hector Machin
Date: Mon, 21 Aug 2023 21:28:32 -0400
Subject: [PATCH 2/4] Changing swoop-api base image to use python:slim-bookworm

---
 Dockerfile | 35 +++-------------------------------
 1 file changed, 3 insertions(+), 32 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 3da3c35..c5be0fc 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,40 +1,11 @@
-FROM debian:bookworm-slim
+FROM python:slim-bookworm
 
 WORKDIR /app
 
 COPY . /app
 
-RUN apt-get update
-
-RUN apt-get install -y gcc musl-dev python3-dev python3-pip
-
-# Resolving libcurl4 vulnerability https://security-tracker.debian.org/tracker/CVE-2023-23914
-# Resolving libcurl4 vulnerability https://security.snyk.io/vuln/SNYK-DEBIAN12-CURL-5561883
-# Resolving libcurl4 vulnerability https://security.snyk.io/vuln/SNYK-DEBIAN12-CURL-5561882
-RUN apt-get install -y libcurl4>=7.88.1-10 curl>=7.88.1-10
-
-# Resolving libcap2 vulnerability https://security.snyk.io/vuln/SNYK-DEBIAN12-LIBCAP2-5537069
-RUN apt-get install -y libcap2>=1:2.66-4
-
-# Resolving libwebp7 vulnerability https://security.snyk.io/vuln/SNYK-DEBIAN12-LIBWEBP-5489176
-RUN apt-get install -y libwebp7>=1.2.4-0.2
-
-# Resolving libx11-data vulnerability https://security.snyk.io/vuln/SNYK-DEBIAN12-LIBX11-5710892
-RUN apt-get install -y libx11-data>=2:1.8.4-2+deb12u1
-
-# Resolving libssl3 vulnerability https://security.snyk.io/vuln/SNYK-DEBIAN12-OPENSSL-5661565
-# Resolving libssl3 vulnerability https://security.snyk.io/vuln/SNYK-DEBIAN12-OPENSSL-3368733
-RUN apt-get install -y libssl3>=3.0.9-1
-
-# Resolving libaom vulnerabilities:
-# - https://security-tracker.debian.org/tracker/CVE-2021-30473
-# - https://security-tracker.debian.org/tracker/CVE-2021-30474
-# - https://security-tracker.debian.org/tracker/CVE-2021-30475
-RUN apt-get install -y libaom-dev>=3.6.0-1
-
-RUN python3 -m pip install --break-system-packages --upgrade pip && \
-    pip install --break-system-packages -r requirements.txt && \
-    pip install --break-system-packages '.[dev]'
+RUN pip install -r requirements.txt && \
+    pip install '.[dev]'
 
 ENV SWOOP_ACCESS_KEY_ID=$SWOOP_ACCESS_KEY_ID \
     SWOOP_SECRET_ACCESS_KEY=$SWOOP_ACCESS_KEY_ID \

From 0508e9a2bd2ae691e9f15a1a362b3447973caf23 Mon Sep 17 00:00:00 2001
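Review bot: `FROM python:slim-bookworm` on the new first line floats both the Python minor version and the Debian package set, so the remediation this series is about cannot be reproduced or audited from the Dockerfile alone — the next build may resolve to a different image with a different CVE set. Pin at least the minor version and, for the published image, the digest: `FROM python:<major.minor>-slim-bookworm@sha256:<digest>` (both values taken from the registry at pin time). The new `RUN pip install -r requirements.txt && \ pip install '.[dev]'` also keeps pip's download cache in the layer; `pip install --no-cache-dir` keeps it out. The `ENV` block on the last two lines continues outside the hunk; I see no `USER` in what is shown, so if none is set later the service still runs as root after the base-image swap.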
From: Hector Machin
Date: Tue, 22 Aug 2023 10:09:41 -0400
Subject: [PATCH 3/4] Snoozing postgres15 alerts since we're not installing it in our base image

---
 .snyk | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.snyk b/.snyk
index ddbc294..cb0b8dd 100644
--- a/.snyk
+++ b/.snyk
@@ -1,5 +1,9 @@
 # Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
 version: v1.22.1
-ignore: {}
+ignore:
+  SNYK-DEBIAN12-POSTGRESQL15-5838227:
+    - '*':
+        reason: Although postgresql-15 package has been flagged as vulnerable, we're not installing postgres-15 on our base image.
+        expires: 2023-09-30T17:33:45.004Z
 patch: {}

From 4afb0e15cea46202d87d76e6ee1e23b44f352969 Mon Sep 17 00:00:00 2001
From: Hector Machin
Date: Tue, 22 Aug 2023 16:54:23 -0400
Subject: [PATCH 4/4] Building image on python venv, improvements to image publishing

---
 .github/workflows/publish-image.yml | 67 ++++++++++++++++++++++-------
 Dockerfile | 24 ++++++++---
 pyproject.toml | 2 +
 version.json | 3 --
 4 files changed, 71 insertions(+), 25 deletions(-)
 delete mode 100644 version.json

diff --git a/.github/workflows/publish-image.yml b/.github/workflows/publish-image.yml
index f2f5d52..d1b1f14 100644
--- a/.github/workflows/publish-image.yml
+++ b/.github/workflows/publish-image.yml
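Review bot: The new ignore for SNYK-DEBIAN12-POSTGRESQL15-5838227 is keyed on the wildcard path `'*'`, so it silences the finding wherever it appears, while the `reason` only asserts that postgresql-15 is not installed without recording how that was checked. Suggest putting the evidence in the reason, e.g. `reason: postgresql-15 is not installed in the image (verified with dpkg -l against <image tag/digest>); finding does not apply.` so whoever revisits it at the 2023-09-30 expiry can re-run the same check. The next patch in this series changes the base image again and apt-installs extra packages in a build stage, so the check is worth repeating against the final stage after that change.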
@@ -1,40 +1,77 @@ name: Publish Image on: + release: + types: + - published push: branches: - main - tags: + pull_request: + branches: - '*' - paths: - - ./version.json jobs: build: env: context: . image_name: swoop + image_registry: "${{ secrets.REGISTRY_URI }}" + image_repository: "${{ secrets.REGISTRY_REPOSITORY }}" runs-on: ubuntu-latest steps: - uses: actions/checkout@main + + - name: Set up Python ${{ matrix.python-version }} + uses: actions/setup-python@v4 + with: + python-version: '3.x' + + - name: Install dependencies + run: pip install setuptools-scm + - name: Get image tags id: image_tags run: | - echo -n ::set-output name=IMAGE_TAGS:: - VERSION=$(jq -r '.version' ${context}/version.json) - TAGS=('latest') - if [ "${VERSION}" ] && [ "${VERSION}" != "latest" ]; then - TAGS+=("${VERSION}") + VERSION="$(python -m setuptools_scm | tr + -)" + TAGS=("${VERSION}") + + if [ -n "${{ github.event.release.tag_name }}" ]; then + MAJOR="$(<<<"${VERSION}" cut -d '.' -f 1)" + MINOR="${MAJOR}.$(<<<"${VERSION}" cut -d '.' 
-f 2)" + TAGS+=('latest' "${MAJOR}" "${MINOR}") fi + if [[ "${GITHUB_REF}" =~ refs/tags/(.*) ]]; then TAGS+=("git-${BASH_REMATCH[1]}") fi - ( IFS=$','; echo "${TAGS[*]}" ) - - name: Build and publish image to Quay - uses: docker/build-push-action@v1 + + PREFIX="${{ env.image_registry }}/${{ env.image_repository }}/${{ env.image_name }}" + EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) + echo "IMAGE_TAGS<<$EOF" >> "$GITHUB_ENV" + for tag in "${TAGS[@]}"; do + echo "${PREFIX}:${tag}" >> "$GITHUB_ENV" + done + echo "$EOF" >> "$GITHUB_ENV" + + - name: Set up QEMU + uses: docker/setup-qemu-action@v2 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + with: + buildkitd-flags: --debug + + - name: Login to Quay.io + uses: docker/login-action@v2 with: - path: ${{ env.context }} - registry: ${{ secrets.REGISTRY_URI }} - repository: ${{ secrets.REGISTRY_REPOSITORY }}/${{ env.image_name }} + registry: ${{ env.image_registry }} username: ${{ secrets.REGISTRY_USERNAME }} password: ${{ secrets.REGISTRY_PASSWORD }} - tags: "${{ steps.image_tags.outputs.IMAGE_TAGS }}" + + - name: Build and publish image to Quay + uses: docker/build-push-action@v4 + with: + context: ${{ env.context }} + platforms: linux/amd64,linux/arm64 + push: ${{ github.event_name == 'release' }} + tags: ${{ env.IMAGE_TAGS }} diff --git a/Dockerfile b/Dockerfile index c5be0fc..8b062d8 100644 --- a/Dockerfile +++ b/Dockerfile 
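Review bot: The workflow now also runs on every `pull_request`, and the `Login to Quay.io` step authenticates with `secrets.REGISTRY_USERNAME`/`REGISTRY_PASSWORD` unconditionally even though `push:` is gated to `github.event_name == 'release'`, so registry credentials are handed to PR runs that never publish (fork PRs, which receive no secrets, will simply fail at that step). Guard it with `if: github.event_name == 'release'` on the login step. `uses: actions/checkout@main` is unchanged here but tracks a mutable branch rather than a tag or commit SHA, which is the kind of supply-chain drift the rest of this series is trying to close; `pip install setuptools-scm` is likewise unpinned. With checkout's default shallow fetch, `python -m setuptools_scm` will most likely not see the release tag and emit a fallback version that then becomes the image tag — `with: fetch-depth: 0` on the checkout step if that is what you observe. `${{ github.event.release.tag_name }}` is expanded directly into the `run:` script; passing it through `env:` and reading `"$RELEASE_TAG"` avoids the expression-injection pattern.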
@@ -1,11 +1,15 @@
-FROM python:slim-bookworm
-
-WORKDIR /app
-
-COPY . /app
+# build python venv for inclusion into image
+FROM python:slim-bookworm as APP
+RUN apt-get update && apt-get install -y git python3-venv
+WORKDIR /opt/swoop/api
+RUN python3 -m venv --copies swoop-api-venv
+COPY requirements.txt .
+COPY workflow-config.yml .
+RUN ./swoop-api-venv/bin/pip install -r requirements.txt
+RUN --mount=source=.git,target=.git,type=bind git clone . clone
+RUN ./swoop-api-venv/bin/pip install ./clone
 
-RUN pip install -r requirements.txt && \
-    pip install '.[dev]'
+FROM python:slim-bookworm
 
 ENV SWOOP_ACCESS_KEY_ID=$SWOOP_ACCESS_KEY_ID \
     SWOOP_SECRET_ACCESS_KEY=$SWOOP_ACCESS_KEY_ID \
@@ -17,6 +21,12 @@ ENV SWOOP_ACCESS_KEY_ID=$SWOOP_ACCESS_KEY_ID \
     PGHOST=$PGHOST \
     PGUSER=$PGUSER
 
+COPY --from=APP /opt/swoop/api/swoop-api-venv /opt/swoop/api/swoop-api-venv
+COPY --from=APP /opt/swoop/api/$SWOOP_WORKFLOW_CONFIG_FILE /opt/swoop/api/swoop-api-venv
+ENV PATH=/opt/swoop/api/swoop-api-venv/bin:$PATH
+
 RUN env
 
+WORKDIR /opt/swoop/api/swoop-api-venv
+
 CMD ["uvicorn", "swoop.api.main:app", "--host", "0.0.0.0", "--port", "8000"]
diff --git a/pyproject.toml b/pyproject.toml
index 3937c6a..1bbf0dd 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -55,6 +55,8 @@ dev = [
     "isort >=5.12.0",
 ]
 
+[tool.setuptools_scm]
+
 [tool.setuptools.dynamic]
 version = {attr = "swoop.api.__version__"}
 readme = {file = "README.md"}
diff --git a/version.json b/version.json
deleted file mode 100644
index 1159bb1..0000000
--- a/version.json
+++ /dev/null
@@ -1,3 +0,0 @@
-{
-  "version": "v0.0.1"
-}
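Review bot: The runtime stage introduced by `+FROM python:slim-bookworm` has no `USER` anywhere in this hunk, so uvicorn runs as root unless a later line sets one; after the venv is copied in, `RUN useradd --system --uid 10001 swoop` followed by `USER swoop` before `CMD` would close that. Both `FROM` lines float the tag, so the Python version and Debian package set resolve at build time and the remediation this series is about is not reproducible — pin `python:<major.minor>-slim-bookworm@sha256:<digest>` in both stages. `FROM python:slim-bookworm as APP` mixes keyword casing (BuildKit's FromAsCasing check flags it) and stage names are conventionally lowercase: `FROM python:slim-bookworm AS app`. The build-stage `apt-get install -y git python3-venv` lacks `--no-install-recommends` and the `rm -rf /var/lib/apt/lists/*` cleanup, and both pip installs lack `--no-cache-dir`; that only inflates the discarded stage, but hadolint will flag it. Unchanged but visible in the context: `SWOOP_SECRET_ACCESS_KEY=$SWOOP_ACCESS_KEY_ID` assigns the access-key id to the secret-key variable, which looks like a copy-paste slip worth confirming.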
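Review bot: `COPY --from=APP /opt/swoop/api/$SWOOP_WORKFLOW_CONFIG_FILE /opt/swoop/api/swoop-api-venv` depends on `SWOOP_WORKFLOW_CONFIG_FILE` having a build-time value; no `ARG` in the hunk declares one, and if the `ENV` block above (which continues outside the hunk) resolves it to empty, the source becomes `/opt/swoop/api/` and the entire build-stage directory — including the `clone` checkout with its `.git` — lands inside the venv of the runtime image. The build stage copies a fixed `workflow-config.yml`, so the runtime copy should name the same file and a plain directory: `COPY --from=APP /opt/swoop/api/workflow-config.yml /opt/swoop/api/`. The unchanged `RUN env` prints whatever the `ENV` block resolves to into the build log, which after this hunk sits right next to credential-named variables; dropping it keeps those values out of CI output. `WORKDIR /opt/swoop/api/swoop-api-venv` makes the venv tree the process's working directory, so any file the app writes relative to cwd ends up in the venv; `/opt/swoop/api` would keep the two apart.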