Merge pull request #8 from instantlinux/SYS-576_update

SYS-579 docs requirements

.gitlab-ci.yml

@@ -3,16 +3,19 @@
 #   PYPI_PASSWORD, PYPI_USER, REGISTRY_URI
 
 variables:
-  PLATFORMS: linux/amd64,linux/arm64,linux/arm/v6,linux/arm/v7
+  PLATFORMS: linux/amd64,linux/arm64
+  IMAGE: example-media
+  REGISTRY: $REGISTRY_URI/$CI_PROJECT_PATH
 
 stages:
   - Analyze and Unit Test
   - Images
   - Functional Tests
+  - Security Scan
   - Publish Packages
   - Clean
 
-image: instantlinux/python-builder:3.9.7-r4
+image: instantlinux/python-builder:3.11.4-r0
 
 before_script:
   - export TAG=bld_$CI_PIPELINE_IID_${CI_COMMIT_SHA:0:7}
@@ -51,6 +54,39 @@ test:
   stage: Functional Tests
   script: make test_functional
 
+security_scan_trivy:
+  services: [ "docker:dind" ]
+  image:
+    name: aquasec/trivy:latest
+    entrypoint: [""]
+  stage: Security Scan
+  variables:
+    GIT_STRATEGY: none
+    TRIVY_CACHE_DIR: .trivycache/
+    TRIVY_DEBUG: "true"
+    TRIVY_EXIT_CODE: 1
+    TRIVY_FORMAT: json
+    TRIVY_OUTPUT: gl-container-scanning-report.json
+    TRIVY_SEVERITY: HIGH,CRITICAL
+    TRIVY_VULN_TYPE: os,library
+  script:
+  - export TAG=bld_$CI_PIPELINE_IID_${CI_COMMIT_SHA:0:7}
+  - trivy image --clear-cache
+  - trivy image --download-db-only --no-progress
+  - trivy image "${REGISTRY}/${IMAGE}:${TAG}" --severity LOW,MEDIUM
+      --exit-code 0 --format table --output medium-vulns.txt
+  - cat medium-vulns.txt
+  - trivy image "${REGISTRY}/${IMAGE}:${TAG}"
+  cache:
+    paths: [ .trivycache ]
+  interruptible: true
+  timeout: 5m
+  artifacts:
+    reports:
+      container_scanning: gl-container-scanning-report.json
+    expire_in: 30 days
+    paths: [ medium-vulns.txt ]
+
 promote_images:
   stage: Publish Packages
   <<: *registry_login

Dockerfile.media

@@ -1,4 +1,4 @@
-FROM instantlinux/python-wsgi:3.9.7-r4
+FROM instantlinux/python-wsgi:3.11.4-r0
 
 MAINTAINER Rich Braun "richb@instantlinux.net"
 ARG BUILD_DATE

Dockerfile.media-worker

@@ -1,4 +1,4 @@
-FROM instantlinux/python-wsgi:3.9.7-r4
+FROM instantlinux/python-wsgi:3.11.4-r0
 MAINTAINER Rich Braun "richb@instantlinux.net"
 
 ARG BUILD_DATE

Makefile

@@ -59,9 +59,13 @@ openapi_deploy:
 
 dev_requirements: python_env requirements-dev.txt
 
-requirements-dev.txt: python_env
-	@echo Updating Pipfile.lock and requirements-dev.txt
-	. $(VDIR)/bin/activate && pipenv lock --requirements --dev > $@ || rm $@
+Pipfile.lock: Pipfile
+	@echo Updating $@
+	. $(VDIR)/bin/activate && pipenv lock --dev || rm $@
+
+requirements-dev.txt: python_env Pipfile.lock
+	@echo Updating $@
+	. $(VDIR)/bin/activate && pipenv requirements --dev > $@ || rm $@
 	@echo "Installing dev requirements"
 	. $(VDIR)/bin/activate && pip install -r $@
 

Pipfile

@@ -1,49 +1,44 @@
 [packages]
-apicrud = "==0.2.9"
-# TODO put this back when alpine 3.16 comes out
-# Pillow = "==9.0.0"
+apicrud = "==0.3.0"
+Pillow = "==9.5.0"
 
 # for faster builds, keep these versions in sync with images
 # instantlinux/python-builder and instantlinux/python-uwsgi
 alembic = "*"
-celery = "*"
-connexion = "==2.7.0"
+connexion = "*"
 "connexion[swagger-ui]" = "*"
 dollar-ref = "*"
 # 1.4.1 throws shitloads of warnings
 SQLAlchemy = "<1.4.0"
 SQLAlchemy-Utils = "*"
 swagger-ui-bundle = "*"
-# Held back due to
-# AttributeError: 'LocalStack' object has no attribute '__ident_func__'
-werkzeug = "==2.0.2"
-# Held back due to
-# AttributeError: module 'jinja2.ext' has no attribute 'autoescape'
-jinja2 = "==3.0.3"
+werkzeug = "==2.2.3"
+jinja2 = "==3.1.2"
 
 # Transitive dependencies pinned to versions of python-wsgi base image
-arrow = "==1.2.1"
-b2sdk = "==1.16.0"
-boto3 = "==1.18.49"
-botocore = "==1.21.49"
-cffi = "==1.14.5"
-cryptography = "==3.3.2"
-# TODO update to support 0.3.x
-openapi-spec-validator = "==0.2.9"
-packaging = "==20.9"
-pycryptodomex = "==3.10.1"
-PyJWT = "*"
+b2sdk = "==1.22.1"
+billiard = "==4.1.0"
+boto3 = "==1.26.132"
+botocore = "==1.29.132"
+cachetools = "==5.3.0"
+celery = "==5.3.1"
+cffi = "==1.15.1"
+cryptography = "==40.0.2"
+flask = "==2.2.5"
+flask-babel = "==2.0.0"
+greenlet = "==2.0.2"
+openapi-spec-validator = "==0.6.0"
+packaging = "==23.1"
+pycryptodomex = "==3.17"
+redis = "4.6.0"
+referencing = "==0.29.3"
+tqdm = "==4.65.1"
 six = "==1.16.0"
 
-# I don't f'ing understand why this fixes the click 7.1.2 dependency
-click-didyoumean = "==0.0.3"
-# fakeredis doesn't handle newest redis
-redis = "<4.1.0"
-
 [dev-packages]
-coverage = "==6.3.3"
+coverage = "==7.2.7"
 fakeredis = "*"
-flake8 = "4.0.1"
+flake8 = "6.1.0"
 moto = "*"
 pytest = "*"
 pytest-cov = "*"