Merge pull request #101 from no10ds/fix/api-vulnerabilities

Move to a less vulnerable image and accept unimportant known vulnerab…
no10ds · Sep 30, 2024 · 397132e · 397132e
2 parents ae61e34 + 724f46e
commit 397132e
Show file tree

Hide file tree

Showing 3 changed files with 59 additions and 15 deletions.
diff --git a/Makefile b/Makefile
@@ -2,15 +2,14 @@
 export
 
 # Versions
-PYTHON_VERSION=3.10.6
+PYTHON_VERSION=3.12.6
 NODE_VERSION=lts/iron
 
 # Git references
 GITHUB_SHA=$$(git rev-parse HEAD)
 GITHUB_REF_NAME=$$(git rev-parse --abbrev-ref HEAD)
 GITHUB_SHORT_SHA=$$(git rev-parse --short HEAD)
 
-
 # API Build variables
 API_ACCOUNT_ECR_URI=$(AWS_ACCOUNT).dkr.ecr.$(AWS_REGION).amazonaws.com
 API_PUBLIC_URI=public.ecr.aws
@@ -113,15 +112,15 @@ api/format:			## Run the api code format with black
 ##
 
 api/tag-image:		## Tag the image with the latest commit hash
-	@cd api/; docker tag rapid-api-service-image:latest $(API_ACCOUNT_ECR_URI)/$(API_IMAGE_NAME):$(GITHUB_SHORT_SHA)
+	@cd api/; docker tag rapid-api/service-image:latest $(API_ACCOUNT_ECR_URI)/$(API_IMAGE_NAME):$(GITHUB_SHORT_SHA)
 
 api/upload-image:	## Upload the tagged image to the image registry
 	@aws ecr get-login-password --region $(AWS_REGION) | docker login --username AWS --password-stdin $(API_ACCOUNT_ECR_URI) && docker push $(API_ACCOUNT_ECR_URI)/$(API_IMAGE_NAME):$(GITHUB_SHORT_SHA)
 
 api/tag-and-upload:	api/tag-image api/upload-image	## Tag and upload the latest api image
 
 api/tag-release-image:			## Tag the image with the tag name
-	@cd api/; tag rapid-api-service-image:latest $(API_PUBLIC_URI)/$(API_PUBLIC_IMAGE):${GITHUB_REF_NAME}
+	@cd api/; tag rapid-api/service-image:latest $(API_PUBLIC_URI)/$(API_PUBLIC_IMAGE):${GITHUB_REF_NAME}
 
 api/upload-release-image:	## Upload the tagged release image to the image registry
 	@aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin $(API_PUBLIC_URI) && docker push $(API_PUBLIC_URI)/$(API_PUBLIC_IMAGE):${GITHUB_REF_NAME}

diff --git a/api/Dockerfile b/api/Dockerfile
@@ -1,7 +1,7 @@
 #checkov:skip=CKV_DOCKER_9: Allow for use of apt
 #checkov:skip=CKV_DOCKER_2: No need for healthcheck in container
 #checkov:skip=CKV_DOCKER_3: No need for user in container
-FROM python:3.10-slim
+FROM python:3.12-slim
 
 WORKDIR /app
 RUN apt update

diff --git a/api/vulnerability-ignore-list.txt b/api/vulnerability-ignore-list.txt
@@ -1,11 +1,56 @@
-CVE-2019-19814 https://security-tracker.debian.org/tracker/CVE-2019-19814
-CVE-2021-39686 https://security-tracker.debian.org/tracker/CVE-2021-39686
-CVE-2013-7445 https://security-tracker.debian.org/tracker/CVE-2013-7445
-CVE-2022-24765 https://security-tracker.debian.org/tracker/CVE-2022-24765
+CVE-2023-6879 https://security-tracker.debian.org/tracker/CVE-2023-6879
+CVE-2023-45853 https://security-tracker.debian.org/tracker/CVE-2023-45853
+CVE-2023-52425 https://security-tracker.debian.org/tracker/CVE-2023-52425
+CVE-2023-49462 https://security-tracker.debian.org/tracker/CVE-2023-49462
+CVE-2024-46724 https://security-tracker.debian.org/tracker/CVE-2024-46724
+CVE-2024-46738 https://security-tracker.debian.org/tracker/CVE-2024-46738
+CVE-2024-46756 https://security-tracker.debian.org/tracker/CVE-2024-46756
+CVE-2024-46731 https://security-tracker.debian.org/tracker/CVE-2024-46731
+CVE-2024-44987 https://security-tracker.debian.org/tracker/CVE-2024-44987
+CVE-2024-26913 https://security-tracker.debian.org/tracker/CVE-2024-26913
+CVE-2024-46725 https://security-tracker.debian.org/tracker/CVE-2024-46725
+CVE-2024-46759 https://security-tracker.debian.org/tracker/CVE-2024-46759
+CVE-2024-44998 https://security-tracker.debian.org/tracker/CVE-2024-44998
+CVE-2024-26952 https://security-tracker.debian.org/tracker/CVE-2024-26952
+CVE-2024-38630 https://security-tracker.debian.org/tracker/CVE-2024-38630
+CVE-2024-44974 https://security-tracker.debian.org/tracker/CVE-2024-44974
+CVE-2024-41061 https://security-tracker.debian.org/tracker/CVE-2024-41061
 CVE-2021-3847 https://security-tracker.debian.org/tracker/CVE-2021-3847
-CVE-2022-27404 https://security-tracker.debian.org/tracker/CVE-2022-27404
-CVE-2019-8457 https://security-tracker.debian.org/tracker/CVE-2019-8457
-CVE-2022-1679 https://security-tracker.debian.org/tracker/CVE-2022-1679
-CVE-2022-1652 https://security-tracker.debian.org/tracker/CVE-2022-1652
-CVE-2019-15794 https://security-tracker.debian.org/tracker/CVE-2019-15794
-CVE-2022-29187 https://security-tracker.debian.org/tracker/CVE-2022-29187
+CVE-2024-46740 https://security-tracker.debian.org/tracker/CVE-2024-46740
+CVE-2024-39479 https://security-tracker.debian.org/tracker/CVE-2024-39479
+CVE-2024-41071 https://security-tracker.debian.org/tracker/CVE-2024-41071
+CVE-2024-38570 https://security-tracker.debian.org/tracker/CVE-2024-38570
+CVE-2019-19449 https://security-tracker.debian.org/tracker/CVE-2019-19449
+CVE-2024-21803 https://security-tracker.debian.org/tracker/CVE-2024-21803
+CVE-2024-46674 https://security-tracker.debian.org/tracker/CVE-2024-46674
+CVE-2024-46673 https://security-tracker.debian.org/tracker/CVE-2024-46673
+CVE-2024-46798 https://security-tracker.debian.org/tracker/CVE-2024-46798
+CVE-2024-46782 https://security-tracker.debian.org/tracker/CVE-2024-46782
+CVE-2024-46722 https://security-tracker.debian.org/tracker/CVE-2024-46722
+CVE-2023-52452 https://security-tracker.debian.org/tracker/CVE-2023-52452
+CVE-2024-42162 https://security-tracker.debian.org/tracker/CVE-2024-42162
+CVE-2024-26930 https://security-tracker.debian.org/tracker/CVE-2024-26930
+CVE-2024-46743 https://security-tracker.debian.org/tracker/CVE-2024-46743
+CVE-2023-52827 https://security-tracker.debian.org/tracker/CVE-2023-52827
+CVE-2024-45026 https://security-tracker.debian.org/tracker/CVE-2024-45026
+CVE-2024-44941 https://security-tracker.debian.org/tracker/CVE-2024-44941
+CVE-2024-44940 https://security-tracker.debian.org/tracker/CVE-2024-44940
+CVE-2024-44942 https://security-tracker.debian.org/tracker/CVE-2024-44942
+CVE-2024-46757 https://security-tracker.debian.org/tracker/CVE-2024-46757
+CVE-2024-44999 https://security-tracker.debian.org/tracker/CVE-2024-44999
+CVE-2024-46747 https://security-tracker.debian.org/tracker/CVE-2024-46747
+CVE-2024-46723 https://security-tracker.debian.org/tracker/CVE-2024-46723
+CVE-2021-3864 https://security-tracker.debian.org/tracker/CVE-2021-3864
+CVE-2024-44986 https://security-tracker.debian.org/tracker/CVE-2024-44986
+CVE-2024-46746 https://security-tracker.debian.org/tracker/CVE-2024-46746
+CVE-2024-42228 https://security-tracker.debian.org/tracker/CVE-2024-42228
+CVE-2013-7445 https://security-tracker.debian.org/tracker/CVE-2013-7445
+CVE-2024-46800 https://security-tracker.debian.org/tracker/CVE-2024-46800
+CVE-2019-19814 https://security-tracker.debian.org/tracker/CVE-2019-19814
+CVE-2024-46758 https://security-tracker.debian.org/tracker/CVE-2024-46758
+CVE-2023-2953 https://security-tracker.debian.org/tracker/CVE-2023-2953
+CVE-2023-31484 https://security-tracker.debian.org/tracker/CVE-2023-31484
+CVE-2023-7104 https://security-tracker.debian.org/tracker/CVE-2023-7104
+CVE-2024-7006 https://security-tracker.debian.org/tracker/CVE-2024-7006
+CVE-2023-52356 https://security-tracker.debian.org/tracker/CVE-2023-52356
+CVE-2023-52355 https://security-tracker.debian.org/tracker/CVE-2023-52355