add Dockerfile CVE check, update vulnerability scanning to use trivy action (#941)

* update vulnerability scanning to use trivy action
* Update Dockerfile
* update setuptools
* test k8s/helm securityContext
* update setuptools and use pip3
* move to python:3.10-slim-buster
* test Dockerfile with apt upgrade
* minor doc fixes

Author: tomkralidis

.github/workflows/vulnerabilities.yml

@@ -14,27 +14,33 @@ on:
       - released
 
 jobs:
-  clone:
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Setup Python
-        uses: actions/setup-python@v1
-        with:
-          python-version: '3.10'
-          architecture: x64
-      - name: Checkout pycsw
-        uses: actions/checkout@master
 
   vulnerabilities:
-    needs: [clone]
     runs-on: ubuntu-22.04
-
+    defaults:
+      run:
+        working-directory: .
     steps:
+    - name: Checkout pycsw
+      uses: actions/checkout@v4
     - name: Scan vulnerabilities with trivy
+      uses: aquasecurity/trivy-action@master
+      with:
+        scan-type: fs
+        exit-code: 1
+        ignore-unfixed: true
+        severity: CRITICAL,HIGH
+        scanners: vuln,misconfig,secret
+        scan-ref: .
+    - name: Build locally the image from Dockerfile
       run: |
-        sudo apt-get install -y wget apt-transport-https gnupg lsb-release
-        wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
-        echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
-        sudo apt-get update
-        sudo apt-get install -y trivy
-        trivy --exit-code 1 fs --scanners vuln,misconfig,secret --severity HIGH,CRITICAL --ignore-unfixed .
+        docker buildx build -t ${{ github.repository }}:${{ github.sha }} --platform linux/amd64 --no-cache -f Dockerfile .
+    - name: Scan locally built Docker image for vulnerabilities with trivy
+      uses: aquasecurity/trivy-action@master
+      with:
+        scan-type: image
+        exit-code: 1
+        ignore-unfixed: true
+        severity: CRITICAL,HIGH
+        vuln-type: os,library
+        image-ref: '${{ github.repository }}:${{ github.sha }}'

Dockerfile

@@ -36,17 +36,18 @@
 #
 # =================================================================
 
-FROM python:3.8-slim-buster
+FROM python:3.10-slim-buster
 LABEL maintainer="[email protected],[email protected],[email protected]"
 
 # Build arguments
 # add "--build-arg BUILD_DEV_IMAGE=true" to Docker build command when building with test/doc tools
 
 ARG BUILD_DEV_IMAGE="false"
 
-RUN apt-get update && apt-get install --yes \
-        ca-certificates libexpat1 \
-    && rm -rf /var/lib/apt/lists/*
+RUN apt-get update --yes && \
+    apt-get upgrade --yes && \
+    apt-get install --yes --no-install-recommends ca-certificates libexpat1 python3-setuptools && \
+    rm -rf /var/lib/apt/lists/*
 
 RUN adduser --uid 1000 --gecos '' --disabled-password pycsw
 
@@ -63,19 +64,19 @@ COPY --chown=pycsw \
     requirements-dev.txt \
     ./
 
-RUN pip install -U pip && \
-    python3 -m pip install \
+RUN pip3 install -U pip setuptools && \
+    pip3 install \
     --requirement requirements.txt \
     --requirement requirements-standalone.txt \
     psycopg2-binary gunicorn \
-    && if [ "$BUILD_DEV_IMAGE" = "true" ] ; then python3 -m pip install -r requirements-dev.txt; fi
+    && if [ "$BUILD_DEV_IMAGE" = "true" ] ; then python3 -m pip3 install -r requirements-dev.txt; fi
 
 COPY --chown=pycsw . .
 
 COPY docker/pycsw.yml ${PYCSW_CONFIG}
 COPY docker/entrypoint.py /usr/local/bin/entrypoint.py
 
-RUN python3 -m pip install --editable .
+RUN pip3 install --editable .
 
 WORKDIR /home/pycsw
 

docker/helm/templates/db-statefulset.yaml

@@ -36,6 +36,8 @@ spec:
         volumeMounts:
         - mountPath: {{ .Values.db.volume_path }}
           name: {{ .Values.db.volume_name }}
+        securityContext:
+          readOnlyRootFilesystem: true
       restartPolicy: Always
   volumeClaimTemplates:
     - metadata:

docker/helm/templates/pycsw-deployment.yaml

@@ -31,6 +31,8 @@ spec:
         volumeMounts:
         - mountPath: {{ .Values.pycsw.volume_path }}
           name: {{ .Values.pycsw.volume_name }}
+        securityContext:
+          readOnlyRootFilesystem: true
       restartPolicy: Always
       volumes:
       - name: {{ .Values.pycsw.volume_name }}

docker/kubernetes/db-deployment.yaml

@@ -34,6 +34,8 @@ spec:
         volumeMounts:
         - mountPath: /var/lib/postgresql/data/pgdata
           name: db-data
+        securityContext:
+          readOnlyRootFilesystem: true
       restartPolicy: Always
       volumes:
       - name: db-data

docker/kubernetes/pycsw-deployment.yaml

@@ -30,6 +30,8 @@ spec:
         volumeMounts:
         - mountPath: /etc/pycsw
           name: pycsw-config
+        securityContext:
+         readOnlyRootFilesystem: true
       restartPolicy: Always
       volumes:
       - name: pycsw-config

docs/docker.rst

@@ -165,7 +165,7 @@ The following instructions set up a fully working development environment::
 
 .. note::
 
-   Please note that the pycsw image only uses python 3.8 and that it also does
+   The pycsw image uses a specific Python version and does
    not install pycsw in editable mode. As such it is not possible to
    use ``tox``.
 

docs/installation.rst

@@ -221,9 +221,9 @@ WSGI mode, use ``pycsw/wsgi.py`` in your WSGI server environment.
 
 .. note::
 
-  ``mod_wsgi`` supports only the version of python it was compiled with. If the target server
-  already supports WSGI applications, pycsw will need to use the same python version.
-  `WSGIDaemonProcess`_ provides a ``python-path`` directive that may allow a virtualenv created from the python version ``mod_wsgi`` uses.
+  ``mod_wsgi`` supports only the version of Python it was compiled with. If the target server
+  already supports WSGI applications, pycsw will need to use the same Python version.
+  `WSGIDaemonProcess`_ provides a ``python-path`` directive that may allow a virtualenv created from the Python version ``mod_wsgi`` uses.
 
 Below is an example of configuring with Apache:
 

docs/testing.rst

@@ -289,7 +289,7 @@ Examples:
 .. code:: bash
 
    # install tox on your system
-   sudo pip install tox
+   sudo pip3 install tox
 
    # run all tests on multiple Python versions against all databases,
    # with default arguments

setup.py

@@ -85,7 +85,7 @@ def get_package_version():
         'fgdc',
         'dif',
         'ebrim',
-        'inspire',
+        'inspire'
     ]),
     author='Tom Kralidis',
     author_email='[email protected]',
@@ -97,7 +97,7 @@ def get_package_version():
     include_package_data=True,
     entry_points={
         'console_scripts': [
-            'pycsw-admin.py=pycsw.core.admin:cli',
+            'pycsw-admin.py=pycsw.core.admin:cli'
         ]
     },
     classifiers=[
@@ -108,9 +108,8 @@ def get_package_version():
         'License :: OSI Approved :: MIT License',
         'Operating System :: OS Independent',
         'Programming Language :: Python',
-        'Programming Language :: Python :: 3.6',
-        'Programming Language :: Python :: 3.7',
-        'Programming Language :: Python :: 3.8',
-        'Topic :: Scientific/Engineering :: GIS',
+        'Programming Language :: Python :: 3.10',
+        'Programming Language :: Python :: 3.11',
+        'Topic :: Scientific/Engineering :: GIS'
     ]
 )

tox.ini

@@ -1,6 +1,6 @@
 # Tox (http://tox.testrun.org/) is a tool for running tests
 # in multiple virtualenvs. This configuration file will run the
-# test suite on all supported python versions. To use it, "pip install tox"
+# test suite on all supported python versions. To use it, "pip3 install tox"
 # and then run "tox" from this directory.
 
 [tox]