Fix vulnerabilities in openlcs image (#104)

.gitlab-ci.yml

@@ -80,6 +80,7 @@ build-ci-image:
       --build-arg ENG_CA_URL=${ENG_CA_URL}
       --build-arg OPENSHIFT_CLI_URL=${OPENSHIFT_CLI_URL}
       --build-arg RHEL8_REPO_URL=${RHEL8_REPO_URL}
+      --build-arg RHEL8_APPSTREAM_REPO_URL=${RHEL8_APPSTREAM_REPO_URL}
       --build-arg TITO_REPO_URL=${TITO_REPO_URL}
       --build-arg CORGI_API_STAGE=${CORGI_API_STAGE}
       --build-arg CORGI_API_PROD=${CORGI_API_PROD}

.pylintrc

@@ -7,7 +7,7 @@ load-plugins=pylint_django
 disable=django-not-configured
 jobs=2
 [MESSAGES CONTROL]
-disable=R,C,no-member,fixme,no-init,unused-argument,deprecated-lambda,
+disable=R,C,no-member,fixme,no-init,unused-argument,
         broad-except,redefined-builtin,protected-access,abstract-method,
         useless-super-delegation,arguments-differ,model-missing-unicode,
         attribute-defined-outside-init,unpacking-non-sequence

containers/docker-ci/Dockerfile

@@ -1,10 +1,11 @@
-FROM registry.access.redhat.com/ubi8/python-38:1-75
+FROM registry.access.redhat.com/ubi8/python-38
 
 ARG PRODSEC_DEV_OPENLCS_MAIL
 ARG ROOT_CA_URL
 ARG ENG_CA_URL
 ARG TITO_REPO_URL
 ARG RHEL8_REPO_URL
+ARG RHEL8_APPSTREAM_REPO_URL
 ARG OPENSHIFT_CLI_URL
 ARG CORGI_API_STAGE
 ARG CORGI_API_PROD
@@ -38,15 +39,18 @@ RUN cd /etc/pki/ca-trust/source/anchors/ && \
         curl -skO "${ENG_CA_URL}" && \
         update-ca-trust && \
         cd - && \
+    dnf -y upgrade && \
     dnf config-manager --add-repo "${TITO_REPO_URL}" \
-        --add-repo "${RHEL8_REPO_URL}" && \
+        --add-repo "${RHEL8_REPO_URL}" \
+        --add-repo "${RHEL8_APPSTREAM_REPO_URL}" && \
     dnf install --nogpgcheck --nodoc -y cpio-2.12 atool-0.39.0 && \
+    # Remove it caused by vulnerabilities CVE-2021-33503 and CVE-2020-26137
+    dnf remove python2-urllib3 && \
     dnf clean all && \
     # To make docker cache pip package, install dependencies
-    pip install --upgrade pip && pip install -r /tmp/devel.txt && \
+    pip install --upgrade pip && pip install -r /tmp/devel.txt --use-pep517 && \
     # This download url is from currently ocp cluster console
     curl -k "${OPENSHIFT_CLI_URL}" | tar xf - -C /usr/local/bin/ && \
-    pip install --upgrade pip && pip install -r /tmp/devel.txt && \
     # Link the site-packages to correct location, so that tox can find it when use current-env plugin
     # CI image site packages path is /usr/local/lib/python3.8/site-packages.
     # But tox will use one of ['/usr/local/lib64/python3.8/site-packages',

containers/docker-openlcs/Dockerfile

@@ -1,6 +1,6 @@
 # https://catalog.redhat.com/software/containers/ubi8/python-38/5dde9cacbed8bd164a0af24a?container-tabs=overview
 # FROM registry.access.redhat.com/ubi8/python-38:1-75
-FROM registry.access.redhat.com/ubi8/python-38:1-75
+FROM registry.access.redhat.com/ubi8/python-38
 
 ARG PRODSEC_DEV_OPENLCS_MAIL
 ARG ROOT_CA_URL
@@ -45,14 +45,15 @@ RUN cd /etc/pki/ca-trust/source/anchors/ && \
         curl -skO "${ENG_CA_URL}" && \
         update-ca-trust && \
         cd - && \
+    dnf -y upgrade && \
     dnf config-manager --add-repo "${TITO_REPO_URL}" \
         --add-repo "${RHEL8_REPO_URL}" \
         --add-repo "${RHEL8_APPSTREAM_REPO_URL}" \
         --add-repo "${DOCKER_REPO_URL}" && \
     dnf install --nogpgcheck --nodoc -y cpio-2.12 atool-0.39.0 vim krb5-workstation docker-ce-cli skopeo && \
     dnf clean all && \
     # To make docker cache pip package, install dependencies
-    pip install --upgrade pip && pip install -r /tmp/devel.txt && \
+    pip install --upgrade pip && pip install -r /tmp/devel.txt --use-pep517 && \
     # Add permissions for openlcs 
     mkdir -p /var/openlcs/static /var/log/openlcs/ /var/cache/ && \
     chmod a+rwX -R /var/log/openlcs/ /var/cache/ /var/openlcs/static "${HOME}" /etc/passwd && \

openlcs/libs/corgi.py

@@ -56,7 +56,7 @@ def get_component_and_links(self, nvr, component_type):
         if nvr:
             params = {'type': component_type, 'nvr': nvr}
             response = requests.get(
-                f"{self.base_url}{route}", params=params)
+                f"{self.base_url}{route}", params=params, timeout=10)
             if response.status_code == 200:
                 try:
                     results = response.json().get('results')
@@ -196,7 +196,8 @@ def get_product_version(self, name, fields=None) -> dict:
         params = {"name": name}
         if fields is None:
             fields = ["name", "ofuri", "description", "products", "components"]
-        data = requests.get(f"{self.base_url}{route}", params=params).json()
+        data = requests.get(f"{self.base_url}{route}", params=params,
+                            timeout=10).json()
         # 0 or 1 result for product version name query
         retval = dict()
         if data["count"] > 0:
@@ -224,7 +225,7 @@ def get_paginated_data(self, query_params=None, api_path="components"):
         url = f"{self.base_url}{api_path}"
         while url:
             try:
-                response = requests.get(url, params=query_params)
+                response = requests.get(url, params=query_params, timeout=10)
                 response.raise_for_status()
                 data = response.json()
                 yield from data["results"]

openlcs/libs/driver.py

@@ -104,7 +104,8 @@ def get_abs_url(self, url):
 
     def get(self, url, params=None):
         abs_url = self.get_abs_url(url)
-        return requests.get(abs_url, headers=self.headers, params=params)
+        return requests.get(abs_url, headers=self.headers,
+                            params=params, timeout=10)
 
     def post(self, url, data):
         abs_url = self.get_abs_url(url)
@@ -116,7 +117,7 @@ def date_handler(obj):
             return obj.isoformat() if hasattr(obj, 'isoformat') else obj
         return requests.post(
             abs_url, headers=self.headers, data=json.dumps(
-                data, default=date_handler))
+                data, default=date_handler), timeout=10)
 
     def patch(self, url, data):
         abs_url = self.get_abs_url(url)
@@ -128,4 +129,4 @@ def date_handler(obj):
             return obj.isoformat() if hasattr(obj, 'isoformat') else obj
         return requests.patch(
             abs_url, headers=self.headers, data=json.dumps(
-                data, default=date_handler))
+                data, default=date_handler), timeout=10)

openlcs/products/management/commands/dump_corgi_components.py

@@ -74,7 +74,7 @@ def get_product_version(self, name, env='stage', fields=None) -> dict:
         params = {'name': name}
         if fields is None:
             fields = ['name', 'ofuri', 'description', 'products', 'components']
-        data = requests.get(endpoint, params=params).json()
+        data = requests.get(endpoint, params=params, timeout=10).json()
         # 0 or 1 result for product version name query
         retval = dict()
         if data['count'] > 0:

requirements/base.txt

@@ -1,9 +1,9 @@
 Django==3.2.16
 psycopg2==2.9.2 # Python-PostgreSQL Database Adapter
 celery==5.2.7 # The latest version for Python3.8
-requests==2.28.1 # An HTTP library for Python
+requests==2.28.2 # An HTTP library for Python
 redis==4.3.4  # Celery broker, make sure it matches celery
-SQLAlchemy==1.4.28  # The Database Toolkit for Python
+SQLAlchemy==2.0.0  # The Database Toolkit for Python
 kobo==0.20.1
 filetype==1.0.8
 extractcode==31.0.0

requirements/devel.txt

@@ -1,14 +1,14 @@
 -r base.txt
 
 flake8==4.0.1
-pylint==2.12.2
-pylint-django==2.4.4
-pytest==6.2.5
-tox==3.24.4
+pylint==2.16.0
+pylint-django==2.5.3
+pytest==7.2.1
+tox==4.4.4
 libmagic==1.0
 coverage==6.2
 # To avoid duplicate install dependencies
-tox-current-env==0.0.6
+tox-current-env==0.0.11
 # pytest dependency
 pytest-django==4.5.2
 pytest-redis==2.4.0