From 68003781d7dc4cc0add3bdc738aea24cc53f50ec Mon Sep 17 00:00:00 2001
From: Martin Zibricky
Date: Thu, 28 Aug 2025 05:32:13 +0200
Subject: [PATCH] LCORE-534: Mitigate CVE GHSA-wj6h-64fc-37mp - remove python-ecdsa

---
 Containerfile | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/Containerfile b/Containerfile
index c47cb4fe..947be3e7 100644
--- a/Containerfile
+++ b/Containerfile
@@ -27,6 +27,13 @@ COPY ${LSC_SOURCE_DIR}/pyproject.toml ${LSC_SOURCE_DIR}/LICENSE ${LSC_SOURCE_DIR
 # Bundle additional dependencies for library mode.
 RUN uv sync --locked --no-dev --group llslibdev
+# Explicitly remove some packages to mitigate some CVEs
+# - GHSA-wj6h-64fc-37mp: python-ecdsa package won't fix it upstream.
+# This package is required by python-jose. python-jose supports multiple
+# backends. By default it uses python-cryptography package instead of
+# python-ecdsa. It is safe to remove python-ecdsa package.
+RUN uv pip uninstall ecdsa
+
 # Final image without uv package manager
 FROM registry.access.redhat.com/ubi9/python-312-minimal
 ARG APP_ROOT=/app-root
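Review bot: `RUN uv pip uninstall ecdsa` removes the package only from the venv that `uv sync --locked` just populated, and because `ecdsa` is still in the lockfile, any later `uv sync` or `uv run` in this stage or in a derived image will reinstall it and silently undo the mitigation; it also leaves python-jose's dist-info declaring a requirement that is no longer satisfied, so `pip check`-style tooling will report the environment as broken. A more durable fix is to exclude the package at resolution time (uv's `[tool.uv] override-dependencies` in pyproject is one option), or at minimum assert at build time that the backend the comment relies on is really present, e.g. `RUN uv pip uninstall ecdsa && uv pip show cryptography`, so the build fails instead of jose falling back to a missing backend at runtime. The comment's claim that python-jose prefers the cryptography backend matches its backend selection as far as I can tell, but recording the python-jose version from the lockfile next to the GHSA id would make the next upgrade re-check the assumption. Whether the final ubi9 stage that starts at the end of this hunk inherits the removal depends on the `COPY --from` outside the hunk.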