Gitiles
Code Review Sign In
review.vexxhost.dev / atmosphere / b3cefe1ed5449050d73bff1882ea38f6a51b8415^! / .
commitb3cefe1ed5449050d73bff1882ea38f6a51b8415[log] [tgz]
authorMohammed Naser <mnaser@vexxhost.com>Mon Jan 22 16:36:05 2024 -0500
committerMohammed Naser <mnaser@vexxhost.com>Mon Jan 22 16:36:05 2024 -0500
tree3e7cc120511d9ba471cd48c1126e3ce8c35b539e
parent161e0dffa7ccd26878a9ebd486b607e780948fe5 [diff]
fix(barbican): remove cves from image

diff --git a/images/barbican/Earthfile b/images/barbican/Earthfile
index 0c843ff..df1d927 100644
--- a/images/barbican/Earthfile
+++ b/images/barbican/Earthfile

@@ -6,10 +6,13 @@
 
 build:
   FROM ../openstack-service+builder --RELEASE=${RELEASE}
+  # NOTE(mnaser): pykmip includes some demo certificates which trigger
+  #               security scanners.  We remove them here.
   DO ../openstack-service+BUILD_VENV \
     --PROJECT=${PROJECT} \
     --PROJECT_REF=${PROJECT_REF} \
-    --PIP_PACKAGES="pykmip"
+    --PIP_PACKAGES="pykmip" \
+    --PURGE_PATHS="kmip/demos"
 
 image:
   FROM ../openstack-service+image --RELEASE ${RELEASE} --PROJECT ${PROJECT}

diff --git a/images/openstack-service/Earthfile b/images/openstack-service/Earthfile
index 11fb292..6cafda3 100644
--- a/images/openstack-service/Earthfile
+++ b/images/openstack-service/Earthfile

@@ -31,6 +31,10 @@
   ARG EXTRAS=""
   ARG PIP_PACKAGES=""
   DO +PIP_INSTALL --PACKAGES "/src${EXTRAS} ${PIP_PACKAGES}"
+  ARG PURGE_PATHS
+  FOR PURGE_PATH IN ${PURGE_PATHS}
+    RUN rm -rfv /var/lib/openstack/lib/python3.10/site-packages/${PURGE_PATH}
+  END
   SAVE ARTIFACT /var/lib/openstack venv
 
 requirements:
@@ -44,9 +48,13 @@
   GIT CLONE --branch ${BRANCH} https://github.com/openstack/requirements /src
   RUN \
     sed -i 's/cryptography===40.0.2/cryptography===41.0.7/' /src/upper-constraints.txt && \
+    sed -i 's/Flask===2.2.3/Flask===2.2.5/' /src/upper-constraints.txt && \
     sed -i 's/Django===3.2.18/Django===3.2.23/' /src/upper-constraints.txt && \
+    sed -i 's/Jinja2===3.1.2/Jinja2===3.1.3/' /src/upper-constraints.txt && \
+    sed -i 's/paramiko===3.1.0/paramiko===3.4.0/' /src/upper-constraints.txt && \
     sed -i 's/pyOpenSSL===23.1.1/pyOpenSSL===23.3.0/' /src/upper-constraints.txt && \
     sed -i 's/requests===2.28.2/requests===2.31.0/' /src/upper-constraints.txt && \
+    sed -i 's/Werkzeug===2.2.3/Werkzeug===2.3.8/' /src/upper-constraints.txt && \
     sed -i 's/urllib3===1.26.15/urllib3===1.26.18/' /src/upper-constraints.txt && \
     sed -i '/glance-store/d' /src/upper-constraints.txt && \
     sed -i '/horizon/d' /src/upper-constraints.txt