security: upgrade some package versions

.trivyignore

@@ -18,3 +18,30 @@ CVE-2026-26007
 # Vulnerable OpenSSL statically bundled in the cryptography manylinux wheel.
 # Blocked by the same sshkey-tools <44 cap. Tracked for removal at next review.
 GHSA-537c-gmf6-5ccf
+
+# ---------------------------------------------------------------------------
+# Unfixable base-image OS packages (Debian slim). All are status "affected" or
+# "fix_deferred" with NO fixed version available upstream — apt cannot patch
+# them. They are deep base packages we cannot remove without breaking the image
+# (perl/dpkg tooling, ncurses for terminal libs, sqlite via Python stdlib).
+# None are reachable from the app's input paths (no Archive::Tar on untrusted
+# input, no curl, sqlite3 stdlib unused with untrusted DB files).
+#
+# Reviewed: 2026-06-23  |  Next review: 2026-09-23
+# Strategic fix: migrate to a distroless / Chainguard Python base, which drops
+# perl, ncurses tooling and sqlite entirely. Revisit then.
+# ---------------------------------------------------------------------------
+
+# perl-base (Archive::Tar / IO-Compress) — no fix available
+CVE-2026-42496
+CVE-2026-42497
+CVE-2026-48962
+CVE-2026-9538
+CVE-2026-8376
+
+# ncurses (libtinfo6 / libncursesw6 / ncurses-base / ncurses-bin) — no fix
+CVE-2025-69720
+
+# libsqlite3-0 — no fix
+CVE-2026-11822
+CVE-2026-11824

Dockerfile

@@ -29,14 +29,21 @@ FROM python:3.11-slim
 # Install runtime dependencies
 # apt-get upgrade pulls patched openssl/openssh/etc. so the image isn't pinned to
 # whatever was current when the base layer was published.
-# NOTE: openssh-client carries 3 CVEs (CVE-2026-35385/35386/35414). SSH CA signing
-# uses sshkey-tools (pure Python), so drop this line if nothing shells out to ssh/scp.
+# curl intentionally omitted: it was only used by HEALTHCHECK (now a stdlib Python
+# check), and dropping it removes libcurl4t64 + libssh2 and their unfixed CVEs.
+# NOTE: openssh-client retained for SSH CA workflows; drop it too if nothing shells
+# out to ssh/scp (sshkey-tools signing is pure Python).
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
     libpq5 \
-    curl \
     openssh-client \
     && rm -rf /var/lib/apt/lists/*
 
+# Patch the base image's system-level build tooling that Trivy flags in
+# /usr/local site-packages: wheel (CVE-2026-24049) and the jaraco.context
+# (CVE-2026-23949) vendored by setuptools. Runs against system pip before the
+# venv takes over PATH below.
+RUN pip install --no-cache-dir --upgrade pip setuptools wheel
+
 # Create non-root user
 RUN groupadd --gid 1000 appgroup && \
     useradd --uid 1000 --gid appgroup --shell /bin/bash --create-home appuser
@@ -58,9 +65,9 @@ USER appuser
 # Expose port
 EXPOSE 5000
 
-# Health check
+# Health check (stdlib urllib — avoids shipping curl)
 HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
-    CMD curl -f http://localhost:5000/api/health || exit 1
+    CMD ["python", "-c", "import urllib.request,sys; sys.exit(0 if urllib.request.urlopen('http://localhost:5000/api/health', timeout=5).getcode()==200 else 1)"]
 
 # Run gunicorn with gevent workers
 CMD ["gunicorn", "--bind", "0.0.0.0:5000", \

Dockerfile.job

@@ -21,6 +21,10 @@ RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-reco
     libpq5 \
     && rm -rf /var/lib/apt/lists/*
 
+# Patch system-level wheel (CVE-2026-24049) + setuptools-vendored jaraco.context
+# (CVE-2026-23949) that Trivy flags in /usr/local site-packages.
+RUN pip install --no-cache-dir --upgrade pip setuptools wheel
+
 RUN groupadd --gid 1000 appgroup && \
     useradd --uid 1000 --gid appgroup --shell /bin/bash --create-home appuser