fix: fixes docker build and trivy scan

There is a transitiv dependency on frozenlist, which updated their package for python 3.11, but didn't add the package to pypi wheels. Thus, building on python >= 3.11 fails the whole docker building process ([issue](aio-libs/frozenlist#342)). Need to add gcc and libc to docker container as well as upgrade pip to resolve this. Secondly, there are two more vulnerabilities due to cosign, which cannot be fixed on our side. Ignore listing them until cosign publishes a new version.

.github/actions/safety/action.yaml

@@ -4,7 +4,10 @@ runs:
   using: "composite"
   steps:
     - name: Install packages
-      run: pip3 install -r requirements_dev.txt
+      run: |
+        apt update && apt install gcc build-essential -y
+        pip3 install --upgrade pip
+        pip3 install -r requirements_dev.txt
       shell: sh
     - name: Freeze packages
       run: pip3 freeze > actual_package_versions.txt

.github/workflows/cicd.yaml

@@ -72,7 +72,10 @@ jobs:
       - uses: actions/checkout@v3
       - name: Install packages
         # Since we run inside an alpine based container, we cannot compile yarl and multidic
-        run: YARL_NO_EXTENSIONS=1 MULTIDICT_NO_EXTENSIONS=1 pip3 install -r requirements_dev.txt
+        run: |
+          apk add gcc libc-dev
+          pip3 install --upgrade pip
+          YARL_NO_EXTENSIONS=1 MULTIDICT_NO_EXTENSIONS=1 pip3 install -r requirements_dev.txt
       - name: Lint
         run: pylint --ignore-patterns=tests,coverage connaisseur
 
@@ -83,7 +86,10 @@ jobs:
     steps:
       - uses: actions/checkout@v3
       - name: Install packages
-        run: pip3 install -r requirements_dev.txt && pip3 install .
+        run: |
+          apt update && apt install gcc build-essential -y
+          pip3 install --upgrade pip
+          pip3 install -r requirements_dev.txt && pip3 install .
       - name: Install Git and curl
         run: apt update && apt install -y git curl
       - name: Test

.trivyignore

@@ -1,3 +1,2 @@
-CVE-2022-23628
-CVE-2022-28946
-CVE-2022-28948
+CVE-2022-32149
+GHSA-69ch-w2m2-3vjp

docker/Dockerfile

@@ -1,13 +1,17 @@
-FROM python:3-alpine as base
+FROM python:alpine as base
 
 # Build dependencies
 FROM base as builder
 
 RUN mkdir /install
 WORKDIR /install
 COPY requirements.txt /requirements.txt
+
+# Have to upgrade pip and install extra packages due to error when installing frozenlist
 # Since we run inside an alpine based container, we cannot compile yarl and multidict
-RUN YARL_NO_EXTENSIONS=1 MULTIDICT_NO_EXTENSIONS=1 pip install --no-cache-dir --prefix=/install -r /requirements.txt
+RUN apk add --no-cache gcc~=11.2.1_git20220219-r2 libc-dev~=0.7.2-r3 \
+ && pip install --no-cache-dir --upgrade pip~=22.3 \
+ && YARL_NO_EXTENSIONS=1 MULTIDICT_NO_EXTENSIONS=1 pip install --no-cache-dir --prefix=/install -r /requirements.txt
 
 # Load and verify Cosign
 FROM debian:bullseye-slim as cosign_loader

helm/Chart.yaml

@@ -3,7 +3,7 @@ name: connaisseur
 description: Helm chart for Connaisseur - a Kubernetes admission controller to integrate container image signature verification and trust pinning into a cluster.
 type: application
 version: 1.4.4
-appVersion: 2.6.4
+appVersion: 2.6.5
 keywords:
   - container image
   - signature

helm/values.yaml

@@ -1,7 +1,7 @@
 # configure Connaisseur deployment
 deployment:
   replicasCount: 3
-  image: securesystemsengineering/connaisseur:v2.6.4
+  image: securesystemsengineering/connaisseur:v2.6.5
   imagePullPolicy: IfNotPresent
   # imagePullSecrets contains an optional list of Kubernetes Secrets, in Connaisseur namespace,
   # that are needed to access the registry containing Connaisseur image.