From fdc53eb8c2c21a26ffdb01e159c3948408038726 Mon Sep 17 00:00:00 2001
From: Pascal Sthamer <10992664+P4sca1@users.noreply.github.com>
Date: Fri, 4 Oct 2024 11:57:14 +0200
Subject: [PATCH 1/3] remove wheel runtime dependency

It is only needed as a build dependency
---
 pyproject.toml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index f15f330b4..a07259653 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -85,7 +85,6 @@ dependencies = [
 "urlextract",
 "urllib3>=1.26.17", # CVE-2023-43804
 "uvicorn",
- "wheel",
 "deepdiff",
 "msgspec",
 "boto3",

From a5989631d259d6e3218525c4dd1dc49250271a63 Mon Sep 17 00:00:00 2001
From: Pascal Sthamer <10992664+P4sca1@users.noreply.github.com>
Date: Fri, 4 Oct 2024 12:05:57 +0200
Subject: [PATCH 2/3] dont install pip into venv

---
 Dockerfile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 2e0aae772..1c973ce67 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,8 +10,7 @@ ADD . /logprep
 WORKDIR /logprep
 RUN curl https://sh.rustup.rs -sSf | bash -s -- -y
 ENV PATH="/root/.cargo/bin:${PATH}"
-RUN python -m pip install --upgrade pip wheel setuptools>=72.2.0
-RUN python -m venv /opt/venv
+RUN python -m venv --without-pip /opt/venv
 # Make sure we use the virtualenv:
 ENV PATH="/opt/venv/bin:$PATH"

From 0d3efcab4875e6024bf594357b5b8bc7bc9466f2 Mon Sep 17 00:00:00 2001
From: Pascal Sthamer <10992664+P4sca1@users.noreply.github.com>
Date: Fri, 4 Oct 2024 12:06:11 +0200
Subject: [PATCH 3/3] remove setuptools dependency after build

---
 Dockerfile | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 1c973ce67..4525ceed2 100644
--- a/Dockerfile
+++ b/Dockerfile
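Review bot: `--without-pip` leaves /opt/venv without a pip of its own, yet the later install step still calls bare `pip` (`then pip install .; else pip install "logprep==$LOGPREP_VERSION"`, visible as context in the PATCH 3/3 hunk, which also adds `pip uninstall -y setuptools` through the same bare `pip`). With /opt/venv/bin first on PATH but holding no pip, `pip` falls through to the base image's pip, whose interpreter prefix is the base installation, so packages would land in the base site-packages rather than in /opt/venv — unless the base image resolves this in a way not visible here — and if the prod stage copies only /opt/venv the application would be missing from it. Either keep pip in the venv and drop it at the end together with setuptools (`RUN pip uninstall -y setuptools pip`), or make the install step use the venv interpreter explicitly. A build-time check such as `RUN pip --version && /opt/venv/bin/python -c 'import logprep'` would surface the mismatch immediately, since `pip --version` prints the interpreter it belongs to.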
@@ -19,6 +19,10 @@ RUN if [ "$LOGPREP_VERSION" = "dev" ]; then pip install .;\
 else pip install "logprep==$LOGPREP_VERSION"; fi; \
 logprep --version
+# geoip2 4.8.0 lists a vulnerable setuptools version as a dependency. setuptools is unneeded at runtime, so it is uninstalled.
+# More recent (currently unreleased) versions of geoip2 removed setuptools from dependencies.
+RUN pip uninstall -y setuptools
+
 FROM bitnami/python:${PYTHON_VERSION} as prod
 ARG http_proxy
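Review bot: The only smoke test, `logprep --version`, runs before setuptools is removed, so a runtime import of `pkg_resources` or `setuptools` by logprep or one of its dependencies would pass the build and only fail in the container; chain the check after the removal, `RUN pip uninstall -y setuptools && logprep --version`. Removing a package that geoip2 declares as a dependency will presumably also make `pip check` report it as missing, which deserves a word in the comment. The comment should name the advisory that makes the pinned setuptools version vulnerable and the geoip2 version that drops the pin, so the workaround can be retired when it is no longer needed: `# geoip2 4.8.0 pins a setuptools version affected by <ADVISORY-ID>; setuptools is not needed at runtime, so it is removed — drop this once geoip2 <FIXED-VERSION> is in use.`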