From aaccb4541790974a97e0ad7a75d21da105f53adb Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Sat, 18 Jan 2025 20:21:16 +0000 Subject: [PATCH 1/4] fix: requirements.txt to reduce vulnerabilities The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6091621 - https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6091622 - https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6209406 - https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6209407 - https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6645291 - https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6808823 - https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-7675597 - https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-8383923 - https://snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-7886970 - https://snyk.io/vuln/SNYK-PYTHON-NUMPY-2321964 - https://snyk.io/vuln/SNYK-PYTHON-NUMPY-2321966 - https://snyk.io/vuln/SNYK-PYTHON-NUMPY-2321970 - https://snyk.io/vuln/SNYK-PYTHON-PILLOW-5918878 - https://snyk.io/vuln/SNYK-PYTHON-PILLOW-6043904 - https://snyk.io/vuln/SNYK-PYTHON-PILLOW-6182918 - https://snyk.io/vuln/SNYK-PYTHON-PILLOW-6219984 - https://snyk.io/vuln/SNYK-PYTHON-PILLOW-6219986 - https://snyk.io/vuln/SNYK-PYTHON-PILLOW-6514866 - https://snyk.io/vuln/SNYK-PYTHON-REQUESTS-6928867 - https://snyk.io/vuln/SNYK-PYTHON-URLLIB3-7267250 - https://snyk.io/vuln/SNYK-PYTHON-ZIPP-7430899 --- requirements.txt | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/requirements.txt b/requirements.txt index 976a52c8..1c9f7189 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,4 @@ -cryptography==42.0.8 +cryptography==43.0.1 Pillow==11.1.0 numpy==1.26.4 pandas==2.2.3 @@ -32,4 +32,8 @@ python-dateutil # setuptools>=75.6.0 # not directly required, pinned by Snyk to avoid a vulnerability # urllib3>=2.2.3 # not directly required, pinned by Snyk to avoid a vulnerability # zipp>=3.21.0 # not directly required, pinned by Snyk to avoid a vulnerability -# aiohttp>=3.10.11 # not directly required, pinned by Snyk to avoid a vulnerability \ No newline at end of file +# aiohttp>=3.10.11 # not directly required, pinned by Snyk to avoid a vulnerability +aiohttp>=3.10.11 # not directly required, pinned by Snyk to avoid a vulnerability +requests>=2.32.2 # not directly required, pinned by Snyk to avoid a vulnerability +urllib3>=2.2.2 # not directly required, pinned by Snyk to avoid a vulnerability +zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability \ No newline at end of file From e61c7fbc53c3e05bf8ac5e16e23b16951c5a88f3 Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Sat, 18 Jan 2025 20:21:16 +0000 Subject: [PATCH 2/4] fix: requirements.txt to reduce vulnerabilities The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6091621 - https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6091622 - https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6209406 - https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6209407 - https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6645291 - https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6808823 - https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-7675597 - https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-8383923 - https://snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-7886970 - https://snyk.io/vuln/SNYK-PYTHON-NUMPY-2321964 - https://snyk.io/vuln/SNYK-PYTHON-NUMPY-2321966 - https://snyk.io/vuln/SNYK-PYTHON-NUMPY-2321970 - https://snyk.io/vuln/SNYK-PYTHON-PILLOW-5918878 - https://snyk.io/vuln/SNYK-PYTHON-PILLOW-6043904 - https://snyk.io/vuln/SNYK-PYTHON-PILLOW-6182918 - https://snyk.io/vuln/SNYK-PYTHON-PILLOW-6219984 - https://snyk.io/vuln/SNYK-PYTHON-PILLOW-6219986 - https://snyk.io/vuln/SNYK-PYTHON-PILLOW-6514866 - https://snyk.io/vuln/SNYK-PYTHON-REQUESTS-6928867 - https://snyk.io/vuln/SNYK-PYTHON-URLLIB3-7267250 - https://snyk.io/vuln/SNYK-PYTHON-ZIPP-7430899 --- requirements.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/requirements.txt b/requirements.txt index cd81cadc..16adccee 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,5 @@ cryptography==43.0.1 +cryptography==43.0.1 Pillow==11.1.0 numpy==1.26.4 pandas==2.1.1 From da44ffdfb9156a96e5009658b67b15616eeb8151 Mon Sep 17 00:00:00 2001 From: Chris Bingham Date: Fri, 7 Feb 2025 23:53:36 +0000 Subject: [PATCH 3/4] downgrade to fix build --- requirements.txt | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/requirements.txt b/requirements.txt index 16adccee..b5329584 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,5 +1,4 @@ -cryptography==43.0.1 -cryptography==43.0.1 +cryptography==42.0.8 # ssl issue prevents upgrade Pillow==11.1.0 numpy==1.26.4 pandas==2.1.1 From ff5fbed2273dbd92ca9e28a647297ddb08716950 Mon Sep 17 00:00:00 2001 From: Chris Bingham Date: Sat, 8 Feb 2025 10:56:50 +0000 Subject: [PATCH 4/4] staged dockerfile --- test.dockerfile | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 test.dockerfile diff --git a/test.dockerfile b/test.dockerfile new file mode 100644 index 00000000..7a70d1ac --- /dev/null +++ b/test.dockerfile @@ -0,0 +1,45 @@ +# Stage 1: Build stage +FROM python:3.11-slim-bookworm AS builder + +# Avoid bytecode baggage +ENV PYTHONDONTWRITEBYTECODE=1 + +# Create a virtual environment +RUN python3 -m venv /opt/venv +ENV PATH="/opt/venv/bin:$PATH" + +# Update pip +RUN python3 -m pip install --upgrade pip --no-cache-dir + +# Copy and install Python dependencies +COPY requirements.txt . + +RUN python3 -m pip install -v \ + --prefer-binary \ + -r requirements.txt \ + --extra-index-url https://www.piwheels.org/simple \ + --no-cache-dir + +# Stage 2: Final stage +FROM python:3.11-slim-bookworm + +# Avoid bytecode baggage +ENV PYTHONDONTWRITEBYTECODE=1 + +# Install only the necessary runtime dependencies +RUN apt-get update -y && \ + apt-get install -y \ + --no-install-recommends \ + libopenblas-dev libopenjp2-7 libtiff6 libxcb1 libfreetype6-dev \ + && rm -rf /var/lib/apt/lists/* + +# Copy the virtual environment from the builder stage +COPY --from=builder /opt/venv /opt/venv +ENV PATH="/opt/venv/bin:$PATH" + +# Copy only the necessary application code +WORKDIR /code +COPY . . + +# Set the default command +CMD ["python", "run.py"] \ No newline at end of file