LCORE-534: Mitigate CVE GHSA-wj6h-64fc-37mp - remove python-ecdsa

[matysek]

Description

LCORE-534: Mitigate CVE GHSA-wj6h-64fc-37mp - remove python-ecdsa

Type of change

• Refactor
• New feature
• Bug fix
• CVE fix
• Optimization
• Documentation Update
• Configuration Update
• Bump-up service version
• Bump-up dependent library
• Bump-up library or tool used for development (does not change the final image)
• CI configuration change
• Konflux configuration change
• Unit tests improvement
• Integration tests improvement
• End to end tests improvement

Related Tickets & Documents

• Related Issue #
• Closes #

Checklist before requesting a review

• I have performed a self-review of my code.
• PR has passed all pre-merge test jobs.
• If it is a core feature, I have added thorough tests.

Testing

• Please provide detailed steps to perform tests related to this code change.
• How were the fix/results from this change verified? Please provide relevant screenshots or results.

Summary by CodeRabbit

• Bug Fixes

  • Mitigated a security vulnerability by removing an unneeded cryptography-related dependency from the final container image, reducing attack surface with no impact to functionality.

• Chores

  • Updated the build process to enforce the dependency removal during image creation and documented the rationale within the build steps. No changes to runtime behavior or performance.

[coderabbitai]

Walkthrough

Adds a builder-stage step in Containerfile to uninstall the Python package ecdsa using uv pip uninstall after bundle sync, with comments referencing CVE GHSA-wj6h-64fc-37mp and noting python-jose defaults to cryptography. Ensures ecdsa is absent from the app-root copied into the final image. No other logic changed.

Changes

Cohort / File(s)	Summary
Container hardening: remove ecdsa in builder Containerfile	Inserted a builder-stage command uv pip uninstall ecdsa post-bundle sync, with explanatory comments referencing CVE GHSA-wj6h-64fc-37mp and rationale (python-jose uses cryptography backend). No other build or runtime steps modified.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Dev as Containerfile
  participant Builder as Builder Stage
  participant AppRoot as /opt/app-root
  participant Final as Final Image

  Dev->>Builder: Build with uv + bundle sync
  Builder->>Builder: Uninstall ecdsa (uv pip uninstall ecdsa)
  note right of Builder: Remove ecdsa to mitigate GHSA-wj6h-64fc-37mp
  Builder->>AppRoot: Produce cleaned app-root (no ecdsa)
  AppRoot->>Final: Copy app-root into final image
  Final-->>Dev: Image built without ecdsa

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

• tisnik

Poem

Thump-thump, I hop through Docker’s glade,
Plucked one leaf—ecdsa—unafraid.
CVEs whisper in the pines at night;
I tidy the build by moonlit light.
Cryptography’s burrow keeps us snug—
Carrot-secure, I give the image a hug. 🥕🐇

Tip

🔌 Remote MCP (Model Context Protocol) integration is now available!

Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats.

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbit in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbit in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbit gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbit read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbit help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbit ignore or @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbit summary or @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbit or @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

Containerfile (2)

30-35: Prefer removing ecdsa at the source (pyproject/lock) rather than post-sync uninstall

Uninstalling post-sync makes the image correct but leaves the repo state inconsistent: a fresh uv sync will reintroduce ecdsa. Recommend:

• Declare python-jose[cryptography] in pyproject to force the cryptography backend.
• Regenerate uv.lock so ecdsa is no longer resolved.

Example (pyproject snippet):

- python-jose>=3.x
+ python-jose[cryptography]>=3.x

---

30-34: Tiny doc nit: clarify scope of safety claim

The comment says it’s safe to remove because python-jose defaults to cryptography. Consider adding “provided no code forces the ecdsa backend at runtime or relies on its specific API.” This keeps expectations explicit for future readers.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 3e2d883 and 6800378.

📒 Files selected for processing (1)

• Containerfile (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: build-pr
• GitHub Check: e2e_tests

🔇 Additional comments (1)

Containerfile (1)

30-35: No ecdsa imports, dependency references, or ES usages detected and python-jose is pinned with only the “cryptography” extra. Removal is safe.*

[tisnik]

maybe the -y CLI option will be good to have there

[tisnik]

LGTM