
@tylerwhardy
Contributor

Security Fix PR

Snyk and manual analysis have created this pull request to fix 4 high-severity vulnerabilities found in the Dockerfile dependencies for this project. Keeping your Docker base image up to date ensures your application benefits from critical security patches and upstream improvements.

🔧 Changes made:

  • Updated base image from a vulnerable version to python:3.12-alpine, which is currently supported and stable.
  • Avoided using python:3.14-rc-alpine3.20 due to incompatibilities with native bindings, particularly with the cryptography package (which relies on Python C-ABI compatibility).

🛡️ Vulnerabilities addressed:

| Severity | Issue | Snyk ID | Score |
| --- | --- | --- | --- |
| High | Resource Exhaustion | SNYK-ALPINE316-EXPAT-6241145 | 614 |
| High | Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion) | SNYK-ALPINE316-EXPAT-6446350 | 614 |
| High | Out-of-bounds Write | SNYK-ALPINE316-NCURSES-5606597 | 614 |
| High | Out-of-Bounds | SNYK-ALPINE316-SQLITE-6179509 | 614 |

📝 Additional Notes:

  • The cryptographic layer was preserved by staying on a stable Python 3.12 release, ensuring compatibility with the cryptography and cffi libraries.
  • Please note this is not the most recent build; however, this is the most recent image that allows pinned dependencies to work correctly still.

Please review and test this PR. If your application works as expected, we recommend merging it to ensure continued security hardening.

@grahamgilbert
Owner

Hi @tylerwhardy - this is failing CI, could you please take a look and get the tests passing before I can accept this.

@grahamgilbert grahamgilbert left a comment


This fails to build, please fix the CI errors.

@tylerwhardy
Contributor Author

Hi @grahamgilbert . The problem appears to be a missing environmental variable from your CircleCI configuration.
This appears to be the reason that other CICD pipes are failing.

You'll need to open Circle CI, click the Crypt-Server project > Environmental Variables > Add Environment Variable >
NAME: FIELD_ENCRYPTION_KEY
VALUE:
where you generate a fernet key with this Python script:
```python
from cryptography.fernet import Fernet

# Generate a fresh Fernet key and print it as text for pasting into the CI variable value
key = Fernet.generate_key()
print(key.decode())
```

Since CircleCI runs in an isolated container, it does not appear to be possible to dynamically inject environment variables. This appears to pass tests under my CircleCI account after following the above steps:
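The CI failure above comes down to `FIELD_ENCRYPTION_KEY` being absent from the pipeline environment. As an added example (not code from the PR author or the Crypt-Server project), here is a standard-library-only preflight check a CI job could run before the test suite: it reports whether the variable is set and holds a well-formed Fernet key, and can mint one with the same construction `Fernet.generate_key()` uses (32 random bytes, URL-safe base64). The function names are my own.

```python
import base64
import os
import re
from typing import Mapping, Optional

ENV_NAME = "FIELD_ENCRYPTION_KEY"

# A Fernet key is 32 random bytes, URL-safe base64 encoded: 43 alphabet
# characters followed by a single "=" pad, 44 characters in total.
_FERNET_KEY_RE = re.compile(r"^[A-Za-z0-9_-]{43}=$")


def generate_fernet_key() -> str:
    """Build a key the way Fernet.generate_key() does, without needing cryptography installed."""
    return base64.urlsafe_b64encode(os.urandom(32)).decode("ascii")


def fernet_key_problem(value: Optional[str]) -> Optional[str]:
    """Return None if value is a well-formed Fernet key, otherwise a short reason it is not."""
    if value is None:
        return "is not set"
    value = value.strip()  # tolerate a trailing newline pasted into the CI form
    if not value:
        return "is set but empty"
    if not _FERNET_KEY_RE.match(value):
        return "is not 44 URL-safe base64 characters ending in '='"
    if len(base64.urlsafe_b64decode(value)) != 32:
        return "does not decode to 32 bytes"
    return None


def check_env(env: Mapping[str, str], name: str = ENV_NAME) -> Optional[str]:
    """Preflight check: None when the variable is usable, else an actionable message for the CI log."""
    problem = fernet_key_problem(env.get(name))
    if problem is None:
        return None
    return (f"{name} {problem}; add it under the CI project's environment "
            f"variables with a value from generate_fernet_key()")


if __name__ == "__main__":
    message = check_env(os.environ)
    print("OK" if message is None else message)
```

Running the check as an early pipeline step turns a cryptic test failure into a one-line message naming the missing variable.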
