diff --git a/.trivyignore b/.trivyignore index df0a0bf..16863bd 100644 --- a/.trivyignore +++ b/.trivyignore @@ -18,3 +18,30 @@ CVE-2026-26007 # Vulnerable OpenSSL statically bundled in the cryptography manylinux wheel. # Blocked by the same sshkey-tools <44 cap. Tracked for removal at next review. GHSA-537c-gmf6-5ccf + +# --------------------------------------------------------------------------- +# Unfixable base-image OS packages (Debian slim). All are status "affected" or +# "fix_deferred" with NO fixed version available upstream — apt cannot patch +# them. They are deep base packages we cannot remove without breaking the image +# (perl/dpkg tooling, ncurses for terminal libs, sqlite via Python stdlib). +# None are reachable from the app's input paths (no Archive::Tar on untrusted +# input, no curl, sqlite3 stdlib unused with untrusted DB files). +# +# Reviewed: 2026-06-23 | Next review: 2026-09-23 +# Strategic fix: migrate to a distroless / Chainguard Python base, which drops +# perl, ncurses tooling and sqlite entirely. Revisit then. +# --------------------------------------------------------------------------- + +# perl-base (Archive::Tar / IO-Compress) — no fix available +CVE-2026-42496 +CVE-2026-42497 +CVE-2026-48962 +CVE-2026-9538 +CVE-2026-8376 + +# ncurses (libtinfo6 / libncursesw6 / ncurses-base / ncurses-bin) — no fix +CVE-2025-69720 + +# libsqlite3-0 — no fix +CVE-2026-11822 +CVE-2026-11824 diff --git a/Dockerfile b/Dockerfile index 99cb35d..0c76819 100644 --- a/Dockerfile +++ b/Dockerfile @@ -29,14 +29,21 @@ FROM python:3.11-slim # Install runtime dependencies # apt-get upgrade pulls patched openssl/openssh/etc. so the image isn't pinned to # whatever was current when the base layer was published. -# NOTE: openssh-client carries 3 CVEs (CVE-2026-35385/35386/35414). SSH CA signing -# uses sshkey-tools (pure Python), so drop this line if nothing shells out to ssh/scp. +# curl intentionally omitted: it was only used by HEALTHCHECK (now a stdlib Python +# check), and dropping it removes libcurl4t64 + libssh2 and their unfixed CVEs. +# NOTE: openssh-client retained for SSH CA workflows; drop it too if nothing shells +# out to ssh/scp (sshkey-tools signing is pure Python). RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \ libpq5 \ - curl \ openssh-client \ && rm -rf /var/lib/apt/lists/* +# Patch the base image's system-level build tooling that Trivy flags in +# /usr/local site-packages: wheel (CVE-2026-24049) and the jaraco.context +# (CVE-2026-23949) vendored by setuptools. Runs against system pip before the +# venv takes over PATH below. +RUN pip install --no-cache-dir --upgrade pip setuptools wheel + # Create non-root user RUN groupadd --gid 1000 appgroup && \ useradd --uid 1000 --gid appgroup --shell /bin/bash --create-home appuser @@ -58,9 +65,9 @@ USER appuser # Expose port EXPOSE 5000 -# Health check +# Health check (stdlib urllib — avoids shipping curl) HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \ - CMD curl -f http://localhost:5000/api/health || exit 1 + CMD ["python", "-c", "import urllib.request,sys; sys.exit(0 if urllib.request.urlopen('http://localhost:5000/api/health', timeout=5).getcode()==200 else 1)"] # Run gunicorn with gevent workers CMD ["gunicorn", "--bind", "0.0.0.0:5000", \ diff --git a/Dockerfile.job b/Dockerfile.job index 1c75478..ce56936 100644 --- a/Dockerfile.job +++ b/Dockerfile.job @@ -21,6 +21,10 @@ RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-reco libpq5 \ && rm -rf /var/lib/apt/lists/* +# Patch system-level wheel (CVE-2026-24049) + setuptools-vendored jaraco.context +# (CVE-2026-23949) that Trivy flags in /usr/local site-packages. +RUN pip install --no-cache-dir --upgrade pip setuptools wheel + RUN groupadd --gid 1000 appgroup && \ useradd --uid 1000 --gid appgroup --shell /bin/bash --create-home appuser