From 071a8ea9f523e704e2860a11738af1e179e140a3 Mon Sep 17 00:00:00 2001
From: Tim
Date: Fri, 14 Feb 2025 14:21:10 -0500
Subject: [PATCH] Apply patches in backend container to address CVE findings by Defender (#246)
---
 docker/Dockerfile-backend | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/docker/Dockerfile-backend b/docker/Dockerfile-backend
index ce0bb3d..a90ce35 100644
--- a/docker/Dockerfile-backend
+++ b/docker/Dockerfile-backend
@@ -4,6 +4,16 @@
 # For more information about the base image: https://mcr.microsoft.com/en-us/artifact/mar/devcontainers/python/about
 FROM mcr.microsoft.com/devcontainers/python:3.10-bookworm
 
+# Patch Debian to remediate CVE findings
+# Apply Debian bookworm-updates by running a full system upgrade
+RUN echo "deb http://deb.debian.org/debian bookworm-updates main" >> /etc/apt/sources.list.d/bookworm-updates.list \
+ && echo "deb http://deb.debian.org/debian bookworm-backports main" >> /etc/apt/sources.list.d/backports.list \
+ && apt-get update \
+ && apt-get upgrade -y \
+ && apt-get autoremove -y \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
+
 # default graphrag version will be 0.0.0 unless overridden by --build-arg
 ARG GRAPHRAG_VERSION=0.0.0
 ENV GRAPHRAG_VERSION=v${GRAPHRAG_VERSION}
@@ -12,6 +22,9 @@ ENV PIP_DISABLE_PIP_VERSION_CHECK=1
 ENV SETUPTOOLS_USE_DISTUTILS=stdlib
 ENV TIKTOKEN_CACHE_DIR=/opt/tiktoken_cache/
 
+# CVE finding in pip < 23.3 - Upgrade pip to version 23.3 or greater
+RUN pip install --upgrade pip
+
 COPY backend /backend
 RUN cd backend \
 && pip install poetry \
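Review bot: The `bookworm-backports` source added on the second line of the new RUN has no effect on `apt-get upgrade -y` — apt never selects backports packages without an explicit `-t bookworm-backports` or a pin — so the line only widens the set of repositories any later `apt-get install` can resolve from; drop `&& echo "deb http://deb.debian.org/debian bookworm-backports main" >> /etc/apt/sources.list.d/backports.list \` unless a package is deliberately installed from backports with `-t`. The comment names only bookworm-updates, which on a stock Debian base is presumably already present alongside bookworm-security (where most CVE fixes are published); worth confirming in the base image before adding a duplicate entry. A blanket `apt-get upgrade -y` (hadolint DL3005) also makes the patched state depend on the build date, so a rebuild cannot reproduce or audit which fixes were applied; pinning the base by digest (`FROM mcr.microsoft.com/devcontainers/python:3.10-bookworm@sha256:<digest>`) and bumping it when findings appear gives the same remediation reproducibly.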
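Review bot: `RUN pip install --upgrade pip` is unpinned, so the version that satisfies "23.3 or greater" is whatever the index serves on build day and the remediation is neither reproducible nor auditable from the Dockerfile; pin it, e.g. `RUN pip install --no-cache-dir pip==<pinned version, >= 23.3>` (placeholder version), and bump deliberately. Adding `--no-cache-dir` (hadolint DL3042) also keeps the download cache out of the layer. The unpinned `pip install poetry` on the context line just below has the same weakness, though it predates this commit.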
@@ -23,6 +36,9 @@ RUN python -c "import nltk;nltk.download(['punkt','averaged_perceptron_tagger','
 # download tiktoken model encodings
 RUN python -c "import tiktoken; tiktoken.encoding_for_model('gpt-3.5-turbo'); tiktoken.encoding_for_model('gpt-4'); tiktoken.encoding_for_model('gpt-4o');"
 
+# CVE finding in cryptography <= 44.0.0 - cache version 44.0.1 of cryptography via pip
+RUN pip install cryptography==44.0.1
+
 WORKDIR /backend
 EXPOSE 80
 CMD ["uvicorn", "graphrag_app.main:app", "--host", "0.0.0.0", "--port", "80"]
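Review bot: Overriding `cryptography` with a bare `pip install cryptography==44.0.1` after the project's dependencies are installed (the earlier hunk shows poetry being set up, presumably followed by a poetry install outside this hunk) leaves the lockfile, if it still pins the older release, disagreeing with the image: any later `poetry install` or lock refresh in CI or a dev container can silently reinstall the vulnerable version, and the fix exists only in this Dockerfile. Prefer bumping the constraint in pyproject/poetry.lock so the resolver owns the version; if pip is intentionally used as an override, add `--no-cache-dir` and say so: `RUN pip install --no-cache-dir cryptography==44.0.1`. The comment's "cache version 44.0.1" is misleading — the command installs into site-packages and replaces whatever was resolved — so `# Override the resolved cryptography with 44.0.1 (CVE finding in <= 44.0.0)` describes it more accurately.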