containerfile: fix jaraco.context CVE and consolidate
- explicitly install jaraco.context>=6.1.0 in runtime stage to override vendored copy in setuptools (GHSA-58pv-8j8x-9vj2) - remove redundant installs from builder (requirements.txt already pins setuptools>=80.0 and jaraco.context>=6.1.0) - consolidate runtime pip install into single command - remove redundant comments
This commit is contained in:
Username
@@ -7,18 +7,16 @@ FROM python:3.11-slim AS builder
|
||||
|
||||
WORKDIR /build
|
||||
|
||||
# Install build dependencies and clean up
|
||||
# Install build dependencies
|
||||
RUN apt update && apt install -y --no-install-recommends gcc \
|
||||
&& apt clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
|
||||
&& apt clean && rm -rf /var/lib/apt/lists/*
|
||||
|
||||
# Create virtual environment
|
||||
# Create virtual environment and upgrade pip
|
||||
RUN python -m venv /opt/venv
|
||||
ENV PATH="/opt/venv/bin:$PATH"
|
||||
RUN pip install --no-cache-dir --upgrade pip wheel
|
||||
|
||||
# Upgrade pip/setuptools first (pulls in security-fixed jaraco.context)
|
||||
RUN pip install --no-cache-dir --upgrade pip setuptools wheel
|
||||
|
||||
# Install Python dependencies
|
||||
# Install Python dependencies (includes security pins for setuptools, jaraco.context)
|
||||
COPY requirements.txt .
|
||||
RUN pip install --no-cache-dir -r requirements.txt gunicorn
|
||||
|
||||
@@ -29,19 +27,19 @@ FROM python:3.11-slim
|
||||
LABEL maintainer="FlaskPaste"
|
||||
LABEL description="Lightweight secure pastebin REST API"
|
||||
|
||||
# Clean base image caches, upgrade system pip/setuptools, create non-root user
|
||||
# Cleanup base image, fix base image vulnerabilities, create non-root user
|
||||
# Note: System packages upgraded for Trivy scan; app runs from venv
|
||||
RUN apt clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \
|
||||
&& pip install --no-cache-dir --upgrade pip setuptools \
|
||||
&& pip install --no-cache-dir --upgrade pip 'setuptools>=80.0' 'jaraco.context>=6.1.0' \
|
||||
&& groupadd -r flaskpaste && useradd -r -g flaskpaste flaskpaste
|
||||
|
||||
# Copy virtual environment from builder
|
||||
COPY --from=builder /opt/venv /opt/venv
|
||||
ENV PATH="/opt/venv/bin:$PATH"
|
||||
|
||||
# Set working directory
|
||||
WORKDIR /app
|
||||
|
||||
# Copy only necessary application files
|
||||
# Copy application files
|
||||
COPY app/ ./app/
|
||||
COPY wsgi.py .
|
||||
COPY fpaste .
|
||||
@@ -49,7 +47,6 @@ COPY fpaste .
|
||||
# Create data directory with correct ownership
|
||||
RUN mkdir -p /app/data && chown -R flaskpaste:flaskpaste /app
|
||||
|
||||
# Switch to non-root user
|
||||
USER flaskpaste
|
||||
|
||||
# Environment defaults
|
||||
@@ -58,12 +55,9 @@ ENV FLASKPASTE_DB=/app/data/pastes.db
|
||||
ENV PYTHONUNBUFFERED=1
|
||||
ENV PYTHONDONTWRITEBYTECODE=1
|
||||
|
||||
# Expose port
|
||||
EXPOSE 5000
|
||||
|
||||
# Health check
|
||||
HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
|
||||
CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:5000/health')" || exit 1
|
||||
|
||||
# Run with gunicorn
|
||||
CMD ["gunicorn", "--bind", "0.0.0.0:5000", "--workers", "2", "--access-logfile", "-", "wsgi:application"]
|
||||
|
||||
Reference in New Issue
Block a user