fix(schematic): updated schematic api python version to 3.10.14

[linglp]

Problem

Related to https://sagebionetworks.jira.com/browse/FDS-1942
Got an error message when trying to build docker image:

#14 ERROR: process "/bin/sh -c pip install --no-cache-dir poetry==1.6.1   && poetry config --local virtualenvs.create false   && poetry run pip install \"cython<3.0.0\"   && poetry run pip install --no-build-isolation pyyaml==5.4.1   && poetry install --with prod --no-root --no-interaction --no-ansi   && mkdir /root/.synapseCache /app/app/manifests   && echo \"This is a test file.\" > /root/.synapseCache/test.txt   && chmod -R 777 /root /app" did not complete successfully: exit code: 1

and also:

#14 11.64 The currently activated Python version 3.10.14 is not supported by the project (3.10.13).

The cause is because our project is using python version 3.10.13 but 3.10.14 is required.

The docker file that we are using is usingFROM tiangolo/uwsgi-nginx-flask:python3.10. When I looked into the base image of that docker file, I saw: FROM tiangolo/uwsgi-nginx:python3.10. And in this docker file, I saw: FROM python:3.10-bullseye. I then checked the docker file related to python:3.10-bulleye here and saw that ENV PYTHON_VERSION 3.10.14.

I also checked the commit history of python:3.10-bulleye docker file and found that two weeks ago, they updated the image to use Python 3.10.14 instead of Python 3.10.13. (See commit here)

Temporary solution

Updated our project to use python 3.10.14

FDS-1942

[andrewelamb]

@linglp This seems to have failed

[linglp]

@tschaffter I looked at the security issues raised by trivy, and here's a summary of how I plan to address them:

• python-cryptography: this has to be addressed by turning pyopenssl package optional in schematic. See PR here: feat: turn pyopenssl package optional  schematic#1413 because cryptography is a dependency of pyopenssl. This means that we could update cryptography and pyopenssl after another release of schematic

• flask: updating flask to a later version requires updating connexion. The latest version of connexion is 3.0.6 but the current version that we are using is 2.14.1. I tried updating connexion to the latest but got an error message::

Thus, connexion (>=3.0.6,<4.0.0) requires MarkupSafe (>=2.1.1).
And because schematicpy (24.2.1) depends on MarkupSafe (2.1.0), connexion (>=3.0.6,<4.0.0) is incompatible with schematicpy (24.2.1).
So, because schematic-api depends on both schematicpy (24.2.1) and connexion (^3.0.6), version solving failed.

I then double checked schematicpy version 24.2.1 and found out that in the lock file, MarkupSafe version is indeed 2.1.0. But the current schematic in develop branch is already using MarkupSafe 2.1.5. This means that we could update connexion and flask after another release of schematic

• updating werkzeug
  This is a package related to flask. I think after updating flask to a newer version, this error should go away.

Note: How about making MarkupSafe optional?
I did a poetry show markupsafe in schematic repo, and I could see:
required by

• jinja2 >=2.0
• nbconvert >=2.0
• pdoc *
• werkzeug >=2.1.1

And nbconvert is required by jupyter-server.. which means that to turn it optional, we have to turn jupyter-server optional.. that’s possible, but should be its own PR and ticket.

• Issues created:

1. https://sagebionetworks.jira.com/browse/FDS-1966
2. https://sagebionetworks.jira.com/browse/FDS-1967

[sonarqubecloud]

Quality Gate passed for 'schematic-api'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud