From 51e9cd72c1b890c1bd13cd9ee7d83dace2946379 Mon Sep 17 00:00:00 2001
From: lrochette <laurent.rochette@gmail.com>
Date: Wed, 20 Nov 2024 14:07:18 -0700
Subject: [PATCH 01/17] Fix CVE multistage for smaller image

Signed-off-by: lrochette <laurent.rochette@gmail.com>
---
 incubating/argocd-app-status/.gitignore | 3 +++
 incubating/argocd-app-status/CHANGELOG.md | 10 +++++++++-
 incubating/argocd-app-status/Dockerfile | 14 ++++++++++++--
 incubating/argocd-app-status/requirements.txt | 2 +-
 incubating/argocd-app-status/step.yaml | 6 +++---
 5 files changed, 28 insertions(+), 7 deletions(-)
 create mode 100644 incubating/argocd-app-status/.gitignore

diff --git a/incubating/argocd-app-status/.gitignore b/incubating/argocd-app-status/.gitignore
new file mode 100644
index 000000000..d8de0e924
--- /dev/null
+++ b/incubating/argocd-app-status/.gitignore
@@ -0,0 +1,3 @@
+build
+dist
+argocd_app_status.spec
diff --git a/incubating/argocd-app-status/CHANGELOG.md b/incubating/argocd-app-status/CHANGELOG.md
index 56d755a2f..7eb2f22c0 100644
--- a/incubating/argocd-app-status/CHANGELOG.md
+++ b/incubating/argocd-app-status/CHANGELOG.md
@@ -1,4 +1,12 @@
 # Changelog
+## [1.1.3] - 2024-11-20
+
+### Fixed
+* CVE-2024-45491 - upgrade libexpat1
+* CVE-2024-45492 - upgrade libexpat1
+* CVE-2024-37371 - upgrade libkrb5
+* CVE-2023-45853 - upgrade zlib1g
+
 ## [1.1.2] - 2023-09-18
 
 ### Changed
@@ -8,7 +16,7 @@
 ## [1.1.1] - 2023-06-03
 
 ### Changed
-- Upgrade pythpn version to 3.11.3
+- Upgrade python version to 3.11.3
 
 ### Fixed
 - Link for application
diff --git a/incubating/argocd-app-status/Dockerfile b/incubating/argocd-app-status/Dockerfile
index 8deaa6f87..e668b9e20 100644
--- a/incubating/argocd-app-status/Dockerfile
+++ b/incubating/argocd-app-status/Dockerfile
@@ -1,7 +1,17 @@
-FROM python:3.11.5-slim-bookworm
+# stage 1 Build
+FROM python:3.13.0-slim-bookworm AS builder
 WORKDIR /app
 COPY requirements.txt requirements.txt
 RUN pip3 install -r requirements.txt
 COPY queries queries/
 COPY argocd_app_status.py argocd_app_status.py
-CMD [ "python3", "argocd_app_status.py"]
+
+RUN pip3 install pyinstaller
+RUN pyinstaller --onefile app_status.py
+
+# stage 2 : Prod
+FROM scratch
+WORKDIR /app
+COPY queries queries/
+COPY dist/argocd_app_status argocd_app_status
+CMD argocd_app_status
diff --git a/incubating/argocd-app-status/requirements.txt b/incubating/argocd-app-status/requirements.txt
index 325dd8188..a2abe0047 100644
--- a/incubating/argocd-app-status/requirements.txt
+++ b/incubating/argocd-app-status/requirements.txt
@@ -5,7 +5,7 @@ docopt==0.6.2
 gql==3.4.0
 graphql-core==3.2.3
 idna==3.4
-multidict==6.0.4
+multidict==6.1.0
 pipreqs==0.4.13
 requests==2.31.0
 requests-toolbelt==0.10.1
diff --git a/incubating/argocd-app-status/step.yaml b/incubating/argocd-app-status/step.yaml
index 60fb10237..9134e676c 100644
--- a/incubating/argocd-app-status/step.yaml
+++ b/incubating/argocd-app-status/step.yaml
@@ -1,7 +1,7 @@
 kind: step-type
 metadata:
 name: argocd-app-status
- version: 1.1.2
+ version: 1.1.3
 isPublic: true
 description: Get Argo CD App status and return its sybc and health status
 sources:
@@ -61,7 +61,7 @@ spec:
 },
 "IMAGE_TAG": {
 "type": "string",
- "default": "1.1.2",
+ "default": "1.1.3",
 "description": "OPTIONAL - To overwrite the tag to use"
 }
 }
@@ -97,7 +97,7 @@ spec:
 [[- end ]]
 commands:
 - cd /app
- - python3 argocd_app_status.py
+ - ./argocd_app_status
 delimiters:
 left: '[['
 right: ']]'
From 027e15a2075bde33b626e14cd969f867dab841ca Mon Sep 17 00:00:00 2001
From: lrochette <laurent.rochette@gmail.com>
Date: Wed, 20 Nov 2024 14:15:23 -0700
Subject: [PATCH 02/17] Upgrade yarl to 1.17.2
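Review bot: `RUN pip3 install pyinstaller` is the one unpinned install in the new builder stage, and PyInstaller is what bundles the interpreter and its shared libraries into the binary that ships, so the build is not reproducible and the CVE remediation this commit claims cannot be re-verified against a known bundler version; pin it like the entries in requirements.txt, `RUN pip3 install --no-cache-dir pyinstaller==<PINNED_VERSION>`. The same line is carried unchanged through patches 05, 08 and 11 of this series, so the point applies to the final Dockerfile as well. I am not raising `COPY dist/argocd_app_status argocd_app_status` (copied from the build context rather than `--from=builder`) or the shell-form `CMD argocd_app_status` on `FROM scratch`, because patch 05 corrects both.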
Signed-off-by: lrochette <laurent.rochette@gmail.com>
---
 incubating/argocd-app-status/CHANGELOG.md | 4 +++-
 incubating/argocd-app-status/requirements.txt | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/incubating/argocd-app-status/CHANGELOG.md b/incubating/argocd-app-status/CHANGELOG.md
index 7eb2f22c0..4de9dd45c 100644
--- a/incubating/argocd-app-status/CHANGELOG.md
+++ b/incubating/argocd-app-status/CHANGELOG.md
@@ -1,5 +1,7 @@
 # Changelog
 ## [1.1.3] - 2024-11-20
 
+### Changed
+* upgrade yarl to 1.17.2
 ### Fixed
 * CVE-2024-45491 - upgrade libexpat1
@@ -8,7 +10,7 @@
 * CVE-2023-45853 - upgrade zlib1g
 
 ## [1.1.2] - 2023-09-18
 
-### Changed
+
 ### Fixed
 - PYSEC-2023-135 - upgrade Python module certifi to 2023.7.22
diff --git a/incubating/argocd-app-status/requirements.txt b/incubating/argocd-app-status/requirements.txt
index a2abe0047..3268aed14 100644
--- a/incubating/argocd-app-status/requirements.txt
+++ b/incubating/argocd-app-status/requirements.txt
@@ -11,4 +11,4 @@ requests==2.31.0
 requests-toolbelt==0.10.1
 urllib3==1.26.16
 yarg==0.1.9
-yarl==1.9.2
+yarl==1.17.2
From 49dedacc74daae1eb84f31068f01a34ff5b45345 Mon Sep 17 00:00:00 2001
From: lrochette <laurent.rochette@gmail.com>
Date: Wed, 20 Nov 2024 14:21:13 -0700
Subject: [PATCH 03/17] Fix source file name

Signed-off-by: lrochette <laurent.rochette@gmail.com>
---
 incubating/argocd-app-status/Dockerfile | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/incubating/argocd-app-status/Dockerfile b/incubating/argocd-app-status/Dockerfile
index e668b9e20..601f76acd 100644
--- a/incubating/argocd-app-status/Dockerfile
+++ b/incubating/argocd-app-status/Dockerfile
@@ -7,10 +7,15 @@ COPY queries queries/
 COPY argocd_app_status.py argocd_app_status.py
 
 RUN pip3 install pyinstaller
-RUN pyinstaller --onefile app_status.py
+RUN pyinstaller --onefile argocd app_status.py
 
 # stage 2 : Prod
 FROM scratch
+
+# USER codefresh
+RUN useradd -d /home/codefresh -m -s /usr/bin/bash codefresh
+USER codefresh
+
 WORKDIR /app
 COPY queries queries/
 COPY dist/argocd_app_status argocd_app_status
From 754c981500373a669e700dfd23317b096a2d0dbe Mon Sep 17 00:00:00 2001
From: lrochette <laurent.rochette@gmail.com>
Date: Wed, 20 Nov 2024 14:24:48 -0700
Subject: [PATCH 04/17] Fix source file name

Signed-off-by: lrochette <laurent.rochette@gmail.com>
---
 incubating/argocd-app-status/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/incubating/argocd-app-status/Dockerfile b/incubating/argocd-app-status/Dockerfile
index 601f76acd..ab3279a9e 100644
--- a/incubating/argocd-app-status/Dockerfile
+++ b/incubating/argocd-app-status/Dockerfile
@@ -7,7 +7,7 @@ COPY queries queries/
 COPY argocd_app_status.py argocd_app_status.py
 
 RUN pip3 install pyinstaller
-RUN pyinstaller --onefile argocd app_status.py
+RUN pyinstaller --onefile argocd_app_status.py
 
 # stage 2 : Prod
 FROM scratch
From 619adf18c0c2201f1239ace45bf9380e77df0fa1 Mon Sep 17 00:00:00 2001
From: lrochette <laurent.rochette@gmail.com>
Date: Wed, 20 Nov 2024 14:34:18 -0700
Subject: [PATCH 05/17] Add entrypoint

Signed-off-by: lrochette <laurent.rochette@gmail.com>
---
 incubating/argocd-app-status/Dockerfile | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/incubating/argocd-app-status/Dockerfile b/incubating/argocd-app-status/Dockerfile
index ab3279a9e..8bc2d3b8d 100644
--- a/incubating/argocd-app-status/Dockerfile
+++ b/incubating/argocd-app-status/Dockerfile
@@ -2,12 +2,12 @@
 FROM python:3.13.0-slim-bookworm AS builder
 WORKDIR /app
 COPY requirements.txt requirements.txt
-RUN pip3 install -r requirements.txt
 COPY queries queries/
 COPY argocd_app_status.py argocd_app_status.py
 
-RUN pip3 install pyinstaller
-RUN pyinstaller --onefile argocd_app_status.py
+RUN pip3 install -r requirements.txt
+RUN pip3 install pyinstaller
+RUN pyinstaller --onefile argocd_app_status.py
 
 # stage 2 : Prod
 FROM scratch
@@ -18,5 +18,5 @@ USER codefresh
 
 WORKDIR /app
 COPY queries queries/
-COPY dist/argocd_app_status argocd_app_status
-CMD argocd_app_status
+COPY --from=builder dist/argocd_app_status argocd_app_status
+ENTRYPOINT ["/app/argocd_app_status"]
From 33218263f29a6a35190faab73f565a0488dbce4e Mon Sep 17 00:00:00 2001
From: lrochette <laurent.rochette@gmail.com>
Date: Wed, 20 Nov 2024 14:48:06 -0700
Subject: [PATCH 06/17] use alpine

Signed-off-by: lrochette <laurent.rochette@gmail.com>
---
 incubating/argocd-app-status/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/incubating/argocd-app-status/Dockerfile b/incubating/argocd-app-status/Dockerfile
index 8bc2d3b8d..e1c8b1fc6 100644
--- a/incubating/argocd-app-status/Dockerfile
+++ b/incubating/argocd-app-status/Dockerfile
@@ -10,7 +10,7 @@ RUN pip3 install pyinstaller
 RUN pyinstaller --onefile argocd_app_status.py
 
 # stage 2 : Prod
-FROM scratch
+FROM alpine:3.20.3
 
 # USER codefresh
 RUN useradd -d /home/codefresh -m -s /usr/bin/bash codefresh
From 8eda454a1b67a9a149515adc40622622f6176cdf Mon Sep 17 00:00:00 2001
From: lrochette <laurent.rochette@gmail.com>
Date: Wed, 20 Nov 2024 15:12:32 -0700
Subject: [PATCH 07/17] adduser syntax

Signed-off-by: lrochette <laurent.rochette@gmail.com>
---
 incubating/argocd-app-status/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/incubating/argocd-app-status/Dockerfile b/incubating/argocd-app-status/Dockerfile
index e1c8b1fc6..aeb0d9b88 100644
--- a/incubating/argocd-app-status/Dockerfile
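Review bot: Moving `RUN pip3 install -r requirements.txt` below `COPY queries queries/` and `COPY argocd_app_status.py argocd_app_status.py` makes every source edit invalidate the dependency layer and reinstall every pinned package; keep the install directly after `COPY requirements.txt requirements.txt` and let the two source copies follow it, so a source change only reruns the pyinstaller steps. This ordering is kept through patches 08, 09 and 11, so it reaches the final Dockerfile of the series. The second hunk's `COPY --from=builder dist/argocd_app_status` is a relative path resolved against the builder's filesystem root rather than its WORKDIR, but patch 09 already changes it to `/app/dist/argocd_app_status`.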
+++ b/incubating/argocd-app-status/Dockerfile
@@ -13,7 +13,7 @@ RUN pyinstaller --onefile argocd_app_status.py
 FROM alpine:3.20.3
 
 # USER codefresh
-RUN useradd -d /home/codefresh -m -s /usr/bin/bash codefresh
+RUN adduser -h /home/codefresh -D -s /usr/bin/bash codefresh
 USER codefresh
 
 WORKDIR /app
From 804363bcc2f4251a56f050c3dc1872f9f9e8bfd3 Mon Sep 17 00:00:00 2001
From: lrochette <laurent.rochette@gmail.com>
Date: Wed, 20 Nov 2024 15:20:42 -0700
Subject: [PATCH 08/17] spaces

Signed-off-by: lrochette <laurent.rochette@gmail.com>
---
 incubating/argocd-app-status/Dockerfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/incubating/argocd-app-status/Dockerfile b/incubating/argocd-app-status/Dockerfile
index aeb0d9b88..ef7c7d48b 100644
--- a/incubating/argocd-app-status/Dockerfile
+++ b/incubating/argocd-app-status/Dockerfile
@@ -5,9 +5,9 @@ COPY requirements.txt requirements.txt
 COPY queries queries/
 COPY argocd_app_status.py argocd_app_status.py
 
-RUN pip3 install -r requirements.txt
-RUN pip3 install pyinstaller
-RUN pyinstaller --onefile argocd_app_status.py
+RUN pip3 install -r requirements.txt
+RUN pip3 install pyinstaller
+RUN pyinstaller --onefile argocd_app_status.py
 
 # stage 2 : Prod
 FROM alpine:3.20.3
From 4b5e9fa2434aeb608e6f6b4910ea0d9d207dad80 Mon Sep 17 00:00:00 2001
From: lrochette <laurent.rochette@gmail.com>
Date: Wed, 20 Nov 2024 15:26:47 -0700
Subject: [PATCH 09/17] Add binutils fix path

Signed-off-by: lrochette <laurent.rochette@gmail.com>
---
 incubating/argocd-app-status/Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/incubating/argocd-app-status/Dockerfile b/incubating/argocd-app-status/Dockerfile
index ef7c7d48b..9e8d8481d 100644
--- a/incubating/argocd-app-status/Dockerfile
+++ b/incubating/argocd-app-status/Dockerfile
@@ -5,6 +5,7 @@ COPY requirements.txt requirements.txt
 COPY queries queries/
 COPY argocd_app_status.py argocd_app_status.py
 
+RUN apt-get update && apt-get install -y binutils
 RUN pip3 install -r requirements.txt
 RUN pip3 install pyinstaller
 RUN pyinstaller --onefile argocd_app_status.py
@@ -18,5 +19,5 @@ USER codefresh
 
 WORKDIR /app
 COPY queries queries/
-COPY --from=builder dist/argocd_app_status argocd_app_status
+COPY --from=builder /app/dist/argocd_app_status argocd_app_status
 ENTRYPOINT ["/app/argocd_app_status"]
From 31e8239635a6cb0dc724f59b49b407a35d7a7b04 Mon Sep 17 00:00:00 2001
From: lrochette <laurent.rochette@gmail.com>
Date: Wed, 20 Nov 2024 15:59:22 -0700
Subject: [PATCH 10/17] using CMD instead of ENTRYPOINT

Signed-off-by: lrochette <laurent.rochette@gmail.com>
---
 incubating/argocd-app-status/Dockerfile | 2 +-
 incubating/argocd-app-status/step.yaml | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/incubating/argocd-app-status/Dockerfile b/incubating/argocd-app-status/Dockerfile
index 9e8d8481d..4badbf7b2 100644
--- a/incubating/argocd-app-status/Dockerfile
+++ b/incubating/argocd-app-status/Dockerfile
@@ -20,4 +20,4 @@ USER codefresh
 WORKDIR /app
 COPY queries queries/
 COPY --from=builder /app/dist/argocd_app_status argocd_app_status
-ENTRYPOINT ["/app/argocd_app_status"]
+CMD ["/app/argocd_app_status"]
diff --git a/incubating/argocd-app-status/step.yaml b/incubating/argocd-app-status/step.yaml
index 9134e676c..551dd6f44 100644
--- a/incubating/argocd-app-status/step.yaml
+++ b/incubating/argocd-app-status/step.yaml
@@ -96,8 +96,7 @@ spec:
 - '[[ $key ]]=[[ $val ]]'
 [[- end ]]
 commands:
- - cd /app
- - ./argocd_app_status
+
 delimiters:
 left: '[['
 right: ']]'
From ddf3e768802f481e053b0138a28e475038d63781 Mon Sep 17 00:00:00 2001
From: lrochette <laurent.rochette@gmail.com>
Date: Wed, 20 Nov 2024 16:51:35 -0700
Subject: [PATCH 11/17] back to multi
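Review bot: `RUN apt-get update && apt-get install -y binutils` pulls in recommended packages and leaves /var/lib/apt/lists in the layer; this is the builder stage, so the runtime image is unaffected, but the conventional form is `RUN apt-get update && apt-get install -y --no-install-recommends binutils && rm -rf /var/lib/apt/lists/*`. Because the line sits after the source `COPY` instructions it is also rerun on every source change; placing it right after the builder `FROM` keeps it cached. The builder stage begins above this hunk.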
Signed-off-by: lrochette <laurent.rochette@gmail.com>
---
 incubating/argocd-app-status/Dockerfile | 13 +++++++------
 incubating/argocd-app-status/step.yaml | 3 ++-
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/incubating/argocd-app-status/Dockerfile b/incubating/argocd-app-status/Dockerfile
index 4badbf7b2..d536c3436 100644
--- a/incubating/argocd-app-status/Dockerfile
+++ b/incubating/argocd-app-status/Dockerfile
@@ -1,4 +1,5 @@
 # stage 1 Build
+# Bookworm is debian based
 FROM python:3.13.0-slim-bookworm AS builder
 WORKDIR /app
 COPY requirements.txt requirements.txt
@@ -8,16 +9,16 @@ COPY argocd_app_status.py argocd_app_status.py
 RUN apt-get update && apt-get install -y binutils
 RUN pip3 install -r requirements.txt
 RUN pip3 install pyinstaller
-RUN pyinstaller --onefile argocd_app_status.py
+RUN pyinstaller --strip --onefile argocd_app_status.py
 
 # stage 2 : Prod
-FROM alpine:3.20.3
+FROM debian:bookworm-slim
 
-# USER codefresh
-RUN adduser -h /home/codefresh -D -s /usr/bin/bash codefresh
-USER codefresh
+# USER cfuser
+RUN adduser cfuser --home /home/codefresh --shel /bin/sh
+USER cfuser
 
 WORKDIR /app
 COPY queries queries/
 COPY --from=builder /app/dist/argocd_app_status argocd_app_status
-CMD ["/app/argocd_app_status"]
+ENTRYPOINT ["/app/argocd_app_status"]
diff --git a/incubating/argocd-app-status/step.yaml b/incubating/argocd-app-status/step.yaml
index 551dd6f44..bafae52c7 100644
--- a/incubating/argocd-app-status/step.yaml
+++ b/incubating/argocd-app-status/step.yaml
@@ -96,7 +96,8 @@ spec:
 - '[[ $key ]]=[[ $val ]]'
 [[- end ]]
 commands:
-
+ - cd /app
+ - python3 argocd_app_status
 delimiters:
 left: '[['
 right: ']]'
From b8883352a8f61b847fe2578ee039dec3e87adcce Mon Sep 17 00:00:00 2001
From: lrochette <laurent.rochette@gmail.com>
Date: Wed, 20 Nov 2024 16:58:44 -0700
Subject: [PATCH 12/17] Fix command in step
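Review bot: `RUN adduser cfuser --home /home/codefresh --shel /bin/sh` spells the option `--shel`; Debian's adduser may accept it as an unambiguous abbreviation of `--shell`, but that is not something to depend on, and on a Debian base a non-system `adduser` without `--disabled-password`/`--gecos` tries to prompt for a password and GECOS fields, which a non-interactive `docker build` cannot answer cleanly. `RUN adduser --disabled-password --gecos "" --home /home/codefresh --shell /bin/sh cfuser` covers both. `FROM debian:bookworm-slim` is a floating tag; for a release whose changelog entry is a CVE remediation, pinning by digest (`debian:bookworm-slim@sha256:<DIGEST>`) makes the remediated base reproducible. The step.yaml hunk in this commit invokes `python3 argocd_app_status`, which the debian-slim final stage cannot run, but patch 13 replaces that command.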
Signed-off-by: lrochette <laurent.rochette@gmail.com>
---
 incubating/argocd-app-status/step.yaml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/incubating/argocd-app-status/step.yaml b/incubating/argocd-app-status/step.yaml
index bafae52c7..ac38eb071 100644
--- a/incubating/argocd-app-status/step.yaml
+++ b/incubating/argocd-app-status/step.yaml
@@ -95,9 +95,7 @@ spec:
 [[ range $key, $val := .Arguments ]]
 - '[[ $key ]]=[[ $val ]]'
 [[- end ]]
- commands:
- - cd /app
- - python3 argocd_app_status
+
 delimiters:
 left: '[['
 right: ']]'
From cff0dbc2c3b8710ea47edc6d1de615f0afa8962e Mon Sep 17 00:00:00 2001
From: lrochette <laurent.rochette@gmail.com>
Date: Wed, 20 Nov 2024 17:04:33 -0700
Subject: [PATCH 13/17] commands are back

Signed-off-by: lrochette <laurent.rochette@gmail.com>
---
 incubating/argocd-app-status/step.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/incubating/argocd-app-status/step.yaml b/incubating/argocd-app-status/step.yaml
index ac38eb071..4c8124eba 100644
--- a/incubating/argocd-app-status/step.yaml
+++ b/incubating/argocd-app-status/step.yaml
@@ -95,7 +95,9 @@ spec:
 [[ range $key, $val := .Arguments ]]
 - '[[ $key ]]=[[ $val ]]'
 [[- end ]]
-
+ commands:
+ - cd /app
+ - /app/argocd_app_status
 delimiters:
 left: '[['
 right: ']]'
From 3644ded49dd9412727df2d91d1163be75bdd5618 Mon Sep 17 00:00:00 2001
From: lrochette <laurent.rochette@codefresh.io>
Date: Thu, 2 Jan 2025 11:44:49 -0700
Subject: [PATCH 14/17] Upgrading python image

Signed-off-by: lrochette <laurent.rochette@codefresh.io>
---
 incubating/argocd-app-status/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/incubating/argocd-app-status/Dockerfile b/incubating/argocd-app-status/Dockerfile
index d536c3436..f2f4fd975 100644
--- a/incubating/argocd-app-status/Dockerfile
+++ b/incubating/argocd-app-status/Dockerfile
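Review bot: `- cd /app` duplicates the image's `WORKDIR /app`, and `/app/argocd_app_status` is already absolute, so the first entry does nothing; if the step runtime executes `commands` through a shell (which would also bypass the image `ENTRYPOINT ["/app/argocd_app_status"]` that patch 11 sets), a single `- /app/argocd_app_status` entry is enough, and if it honours the entrypoint the `commands` block can be dropped altogether. Either way the Dockerfile and step.yaml currently define two launch paths, and the back-and-forth across patches 10 to 13 suggests picking one and recording the reason in a comment next to `commands:` in step.yaml.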
@@ -1,6 +1,6 @@
 # stage 1 Build
 # Bookworm is debian based
-FROM python:3.13.0-slim-bookworm AS builder
+FROM python:3.13.1-slim-bookworm AS builder
 WORKDIR /app
 COPY requirements.txt requirements.txt
 COPY queries queries/
From 8598f7291fcd398033143cade72acc72568c3c48 Mon Sep 17 00:00:00 2001
From: Mikhail Klimko <mikhail.klimko@octopus.com>
Date: Fri, 10 Jan 2025 11:40:33 +0300
Subject: [PATCH 15/17] empty

From af9aa23603e9256a6b890dd34e5e5b715a0c1370 Mon Sep 17 00:00:00 2001
From: Mikhail Klimko <mikhail.klimko@octopus.com>
Date: Fri, 10 Jan 2025 11:47:17 +0300
Subject: [PATCH 16/17] empty

From b616329ee88d3953d782caccfa0c4869308dfd14 Mon Sep 17 00:00:00 2001
From: Mikhail Klimko <mikhail.klimko@octopus.com>
Date: Fri, 10 Jan 2025 15:59:48 +0300
Subject: [PATCH 17/17] empty