security: upgrade some package versions

2026-06-23 03:20:58 +00:00
parent f971c4cdaa
commit ada22e6017
7 changed files with 36 additions and 13 deletions
@@ -49,6 +49,14 @@ jobs:
            --no-progress \
            "gatehouse-api:${{ steps.sha.outputs.tag }}"

+      - name: Scan job image for vulnerabilities (Trivy)
+        run: |
+          trivy image \
+            --exit-code 0 \
+            --severity HIGH,CRITICAL \
+            --no-progress \
+            "gatehouse-api-job:${{ steps.sha.outputs.tag }}"
+
  # ── 2. Deploy ─────────────────────────────────────────────────────────────────
  deploy:
    name: Deploy
@@ -48,6 +48,14 @@ jobs:
            --no-progress \
            "gatehouse-api:${{ steps.sha.outputs.tag }}"

+      - name: Scan job image for vulnerabilities (Trivy)
+        run: |
+          trivy image \
+            --exit-code 0 \
+            --severity HIGH,CRITICAL \
+            --no-progress \
+            "gatehouse-api-job:${{ steps.sha.outputs.tag }}"
+
  # ── 2. Deploy ─────────────────────────────────────────────────────────────────
  deploy:
    name: Deploy
@@ -19,14 +19,19 @@ COPY requirements/base.txt requirements/base.txt
 COPY requirements/production.txt requirements/production.txt

 # Install dependencies
-RUN pip install --no-cache-dir --upgrade pip wheel && \
+# Upgrade build tooling too: clears CVE-2026-24049 (wheel) and CVE-2026-23949 (jaraco.context)
+RUN pip install --no-cache-dir --upgrade pip setuptools wheel && \
    pip install --no-cache-dir -r requirements/production.txt

 # Production stage
 FROM python:3.11-slim

 # Install runtime dependencies
-RUN apt-get update && apt-get install -y --no-install-recommends \
+# apt-get upgrade pulls patched openssl/openssh/etc. so the image isn't pinned to
+# whatever was current when the base layer was published.
+# NOTE: openssh-client carries 3 CVEs (CVE-2026-35385/35386/35414). SSH CA signing
+# uses sshkey-tools (pure Python), so drop this line if nothing shells out to ssh/scp.
+RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
    libpq5 \
    curl \
    openssh-client \
@@ -12,12 +12,12 @@ WORKDIR /app
 COPY requirements/base.txt requirements/base.txt
 COPY requirements/production.txt requirements/production.txt

-RUN pip install --no-cache-dir --upgrade pip wheel && \
+RUN pip install --no-cache-dir --upgrade pip setuptools wheel && \
    pip install --no-cache-dir -r requirements/production.txt

 FROM python:3.11-slim

-RUN apt-get update && apt-get install -y --no-install-recommends \
+RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
    libpq5 \
    && rm -rf /var/lib/apt/lists/*

@@ -1,6 +1,6 @@
 # Core Flask
 Flask==3.0.0
-Werkzeug==3.0.1
+Werkzeug==3.0.6  # CVE-2024-34069 (debug-server RCE); stays <3.1 for Flask 3.0 compat

 # Database
 SQLAlchemy==2.0.23
@@ -19,15 +19,17 @@ Flask-Bcrypt==1.0.1
 pyotp==2.9.0

 # WebAuthn / FIDO2
-fido2==1.1.2
-cbor2==5.6.0
+# fido2 removed: unused in the codebase (WebAuthn is parsed directly via cbor2),
+# and it pinned cryptography<44, blocking the CVE-2026-26007 fix. Re-add fido2>=2.2.0
+# if migrating to the official library.
+cbor2==5.9.0  # CVE-2024-26134, CVE-2026-26209 (DoS via recursion)

 # JWT / OIDC
-PyJWT==2.8.0
-cryptography==42.0.7
+PyJWT==2.13.0  # CVE-2026-48526 (auth bypass via forged JWT), CVE-2026-32597
+cryptography==46.0.5  # CVE-2026-26007 (SECT subgroup attack)

 # CORS
-Flask-CORS==4.0.0
+Flask-CORS==6.0.0  # CVE-2024-6221 (ACAO handling)

 # Environment variables
 python-dotenv==1.0.0
@@ -36,8 +36,8 @@ requests==2.31.0
 pytz==2023.3
 python-dotenv==1.0.0
 pydantic==2.5.0
-PyJWT==2.8.0
-cryptography==42.0.7
+PyJWT==2.13.0
+cryptography==46.0.5
 pycryptodome==3.20.0
 psycopg2-binary==2.9.9
 sshkey-tools==0.11.3
@@ -1,7 +1,7 @@
 -r base.txt

 # Production WSGI server
-gunicorn==21.2.0
+gunicorn==23.0.0  # CVE-2024-1135, CVE-2024-6827 (HTTP request smuggling)

 # Monitoring & logging
 sentry-sdk[flask]==1.39.1