updating Dockerfiles to remove packages with vulnerabilities

SuperCowPowers · Aug 18, 2024 · 1d16e26 · 1d16e26
1 parent c91bfb6
commit 1d16e26
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 8 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,11 +1,24 @@
-# Use Python 3.10
-FROM python:3.10.13
+# Use Python 3.12 as the base image
+FROM python:3.12.5-bookworm
+
+# Remove git from the base image (vulnerability)
+RUN apt-get remove --purge -y git && apt-get autoremove -y && apt-get clean
+
+# Remove AOM from the base image (vulnerability)
+RUN apt-get remove --purge -y libaom3 && apt-get autoremove -y && apt-get clean
+
+# Upgrade the nghttp2 package to fix a vulnerability
+RUN apt-get update && apt-get install -y libnghttp2-dev && apt-get clean
 
 # Install SageWorks dependencies
 COPY requirements.txt .
 COPY requirements-no-dash.txt .
 RUN pip install --no-cache-dir -r requirements-no-dash.txt
 
 # Install latest Sageworks (no dependencies)
-RUN pip install --no-cache-dir --no-deps 'sageworks[ml-tools,chem]'==0.7.0
+RUN pip install --no-cache-dir --no-deps 'sageworks[ml-tools,chem]'==0.8.2
 
+# Remove pip (vulnerability)
+RUN python -m pip uninstall -y pip && \
+    rm -rf /usr/local/lib/python*/dist-packages/pip /usr/local/bin/pip* && \
+    apt-get autoremove -y && apt-get clean \
diff --git a/applications/aws_dashboard/Dockerfile b/applications/aws_dashboard/Dockerfile
@@ -1,5 +1,5 @@
-# Use Python 3.10
-FROM python:3.10.13
+# Use Python 3.12 as the base image
+FROM python:3.12.5-bookworm
 
 # Set the working directory
 WORKDIR /app
@@ -16,16 +16,30 @@ RUN pip install --no-cache-dir gunicorn
 # Inform Docker that the container is listening on port 8000
 EXPOSE 8000
 
+# Remove git from the base image (vulnerability)
+RUN apt-get remove --purge -y git && apt-get autoremove -y && apt-get clean
+
+# Remove AOM from the base image (vulnerability)
+RUN apt-get remove --purge -y libaom3 && apt-get autoremove -y && apt-get clean
+
+# Upgrade the nghttp2 package to fix a vulnerability
+RUN apt-get update && apt-get install -y libnghttp2-dev && apt-get clean
+
 # Install app-specific dependencies
-COPY requirements.txt /app/
-RUN pip install --no-cache-dir -r requirements.txt
+COPY requirements-all.txt /app/
+RUN pip install --no-cache-dir -r requirements-all.txt
 
 # Copy the Nginx and Supervisor configuration files
 COPY nginx.conf /etc/nginx/sites-available/default
 COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
 
 # Install Sageworks (changes often)
-RUN pip install --no-cache-dir sageworks==0.6.15
+RUN pip install --no-cache-dir sageworks==0.8.2
+
+# Remove pip (vulnerability)
+RUN python -m pip uninstall -y pip && \
+    rm -rf /usr/local/lib/python*/dist-packages/pip /usr/local/bin/pip* && \
+    apt-get autoremove -y && apt-get clean \
 
 # Copy the current directory contents into the container at /app
 COPY . /app