From f742485520098d471933756917d92f94dd2c6977 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Alberto=20Leiva=20Obando?= <56046999+jleiva-gap@users.noreply.github.com>
Date: Fri, 18 Oct 2024 11:18:51 -0600
Subject: [PATCH] [APIPUB-80] Fixing vulnerabilities found with Docker Scout (#84)
Update nuget packages
Update System.Text.Json to version 8.0.5
Update .NET SDK alpine version to use Alpine 3.20
Update apk for openssl to use version 3.3.2 and remove vulnerability
Update apk for postgres client to use version 16
---
 src/Dockerfile | 7 ++++---
 .../EdFi.Tools.ApiPublisher.Cli.csproj | 19 ++++++++++---------
 ...ApiPublisher.ConfigurationStore.Aws.csproj | 5 +++--
 ...lisher.ConfigurationStore.Plaintext.csproj | 3 +++
 ...isher.ConfigurationStore.PostgreSql.csproj | 3 ++-
 ...lisher.ConfigurationStore.SqlServer.csproj | 9 +++++----
 ....Tools.ApiPublisher.Connections.Api.csproj | 11 ++++++-----
 .../Modules/EdFiApiAsSourceModule.cs | 2 +-
 .../Modules/EdFiApiAsTargetModule.cs | 2 +-
 ...FiApiSourceCurrentChangeVersionProvider.cs | 9 ++++-----
 .../PostResourceProcessingBlocksFactory.cs | 11 ++++-------
 ...ols.ApiPublisher.Connections.Sqlite.csproj | 5 +++--
 .../EdFi.Tools.ApiPublisher.Core.csproj | 19 ++++++++++---------
 .../EdFi.Tools.ApiPublisher.Tests.csproj | 15 ++++++++-------
 src/dev.Dockerfile | 8 ++++----
 15 files changed, 68 insertions(+), 60 deletions(-)
diff --git a/src/Dockerfile b/src/Dockerfile
index 141bee2..86a7120 100644
--- a/src/Dockerfile
+++ b/src/Dockerfile
@@ -3,8 +3,8 @@
 # The Ed-Fi Alliance licenses this file to you under the Apache License, Version 2.0.
 # See the LICENSE and NOTICES files in the project root for more information.
-# Tag aspnet:8.0-alpine
-FROM mcr.microsoft.com/dotnet/aspnet@sha256:ba398f8c6a0469436cc115bfbd278002baf4ce9423b6d8a9e904da6adc31a23d
+# Tag aspnet:8.0-alpine3.20
+FROM mcr.microsoft.com/dotnet/aspnet:8.0-alpine3.20@sha256:b5b7dec8006fe016cc864f618cf60eab24fb7d7a28c8ecf4f6b90ceeaa5cf9f2
 LABEL maintainer="Ed-Fi Alliance, LLC and Contributors "
 ARG VERSION="1.2.1"
@@ -21,7 +21,8 @@ COPY ./Docker/plainTextNamedConnections.template.json /app/plainTextNamedConnect
 COPY ./Docker/run.sh /app/run.sh
-RUN apk --no-cache add unzip=~6 dos2unix=~7 bash=~5 gettext=~0 postgresql13-client=~13 icu=~74 curl=~8 && \
+RUN apk update && \
+ apk --no-cache add --upgrade unzip=~6 dos2unix=~7 bash=~5 gettext=~0 openssl=3.3.2-r0 postgresql16-client=~16 icu=~74 curl=~8 && \
 wget -nv -O /app/ApiPublisher.zip https://pkgs.dev.azure.com/ed-fi-alliance/Ed-Fi-Alliance-OSS/_apis/packaging/feeds/EdFi/nuget/packages/EdFi.ApiPublisher/versions/${VERSION}/content && \
 unzip /app/ApiPublisher.zip 'EdFi.ApiPublisher/**' -d /app/ && \
 mv /app/EdFi.ApiPublisher/* /app/ && \
diff --git a/src/EdFi.Tools.ApiPublisher.Cli/EdFi.Tools.ApiPublisher.Cli.csproj b/src/EdFi.Tools.ApiPublisher.Cli/EdFi.Tools.ApiPublisher.Cli.csproj
index c75e377..12c735b 100644
--- a/src/EdFi.Tools.ApiPublisher.Cli/EdFi.Tools.ApiPublisher.Cli.csproj
+++ b/src/EdFi.Tools.ApiPublisher.Cli/EdFi.Tools.ApiPublisher.Cli.csproj
@@ -7,20 +7,21 @@ NU5100, NU5124 - - - + + + - - + + - + - - + + - + +
diff --git a/src/EdFi.Tools.ApiPublisher.ConfigurationStore.Aws/EdFi.Tools.ApiPublisher.ConfigurationStore.Aws.csproj b/src/EdFi.Tools.ApiPublisher.ConfigurationStore.Aws/EdFi.Tools.ApiPublisher.ConfigurationStore.Aws.csproj
index 5e84a0a..f8e83b7 100644
--- a/src/EdFi.Tools.ApiPublisher.ConfigurationStore.Aws/EdFi.Tools.ApiPublisher.ConfigurationStore.Aws.csproj
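Review bot: The exact pin `openssl=3.3.2-r0` on the new `apk add` line will make the build fail as soon as the Alpine 3.20 repository replaces that build with a later one (Alpine's repositories normally carry only the current build of a package), which is precisely when the next OpenSSL fix lands, and the pin also stops `--upgrade` from ever pulling that fix into the image. The neighbouring packages already use fuzzy pins, so `openssl=~3.3` keeps the intent while staying buildable: `apk --no-cache add --upgrade unzip=~6 dos2unix=~7 bash=~5 gettext=~0 openssl=~3.3 postgresql16-client=~16 icu=~74 curl=~8 && \`. The preceding `apk update && \` is redundant with `--no-cache`, which already fetches a fresh index without writing it into the layer, so it can be dropped. The same exact pin appears in the dev.Dockerfile hunk at `@@ -53,11 +53,11 @@`. The `RUN` chain continues past the end of this hunk.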
+++ b/src/EdFi.Tools.ApiPublisher.ConfigurationStore.Aws/EdFi.Tools.ApiPublisher.ConfigurationStore.Aws.csproj
@@ -4,10 +4,11 @@ 10 - + - + +
diff --git a/src/EdFi.Tools.ApiPublisher.ConfigurationStore.Plaintext/EdFi.Tools.ApiPublisher.ConfigurationStore.Plaintext.csproj b/src/EdFi.Tools.ApiPublisher.ConfigurationStore.Plaintext/EdFi.Tools.ApiPublisher.ConfigurationStore.Plaintext.csproj
index 6304b42..b333299 100644
--- a/src/EdFi.Tools.ApiPublisher.ConfigurationStore.Plaintext/EdFi.Tools.ApiPublisher.ConfigurationStore.Plaintext.csproj
+++ b/src/EdFi.Tools.ApiPublisher.ConfigurationStore.Plaintext/EdFi.Tools.ApiPublisher.ConfigurationStore.Plaintext.csproj
@@ -3,6 +3,9 @@ net8.0 enable + + +
diff --git a/src/EdFi.Tools.ApiPublisher.ConfigurationStore.PostgreSql/EdFi.Tools.ApiPublisher.ConfigurationStore.PostgreSql.csproj b/src/EdFi.Tools.ApiPublisher.ConfigurationStore.PostgreSql/EdFi.Tools.ApiPublisher.ConfigurationStore.PostgreSql.csproj
index d771e33..6ea15f6 100644
--- a/src/EdFi.Tools.ApiPublisher.ConfigurationStore.PostgreSql/EdFi.Tools.ApiPublisher.ConfigurationStore.PostgreSql.csproj
+++ b/src/EdFi.Tools.ApiPublisher.ConfigurationStore.PostgreSql/EdFi.Tools.ApiPublisher.ConfigurationStore.PostgreSql.csproj
@@ -4,9 +4,10 @@ 10 - + +
diff --git a/src/EdFi.Tools.ApiPublisher.ConfigurationStore.SqlServer/EdFi.Tools.ApiPublisher.ConfigurationStore.SqlServer.csproj b/src/EdFi.Tools.ApiPublisher.ConfigurationStore.SqlServer/EdFi.Tools.ApiPublisher.ConfigurationStore.SqlServer.csproj
index c0d1faa..e5c5260 100644
--- a/src/EdFi.Tools.ApiPublisher.ConfigurationStore.SqlServer/EdFi.Tools.ApiPublisher.ConfigurationStore.SqlServer.csproj
+++ b/src/EdFi.Tools.ApiPublisher.ConfigurationStore.SqlServer/EdFi.Tools.ApiPublisher.ConfigurationStore.SqlServer.csproj
@@ -4,11 +4,12 @@ 10 - - + + - - + + +
diff --git a/src/EdFi.Tools.ApiPublisher.Connections.Api/EdFi.Tools.ApiPublisher.Connections.Api.csproj b/src/EdFi.Tools.ApiPublisher.Connections.Api/EdFi.Tools.ApiPublisher.Connections.Api.csproj
index 8308cd0..3509455 100644
--- a/src/EdFi.Tools.ApiPublisher.Connections.Api/EdFi.Tools.ApiPublisher.Connections.Api.csproj
+++ b/src/EdFi.Tools.ApiPublisher.Connections.Api/EdFi.Tools.ApiPublisher.Connections.Api.csproj
@@ -5,18 +5,19 @@ true - - - + + + runtime; build; native; contentfiles; analyzers; buildtransitive all - - + + runtime; build; native; contentfiles; analyzers; buildtransitive all +
diff --git a/src/EdFi.Tools.ApiPublisher.Connections.Api/Modules/EdFiApiAsSourceModule.cs b/src/EdFi.Tools.ApiPublisher.Connections.Api/Modules/EdFiApiAsSourceModule.cs
index 1c554fb..0668cb3 100644
--- a/src/EdFi.Tools.ApiPublisher.Connections.Api/Modules/EdFiApiAsSourceModule.cs
+++ b/src/EdFi.Tools.ApiPublisher.Connections.Api/Modules/EdFiApiAsSourceModule.cs
@@ -124,7 +124,7 @@ protected override void Load(ContainerBuilder builder) // API dependency metadata from Ed-Fi ODS API (using Source API) if (options.UseSourceDependencyMetadata) { - builder.RegisterType() + _ = builder.RegisterType() .As() .WithParameter( // Configure to use with Target API
diff --git a/src/EdFi.Tools.ApiPublisher.Connections.Api/Modules/EdFiApiAsTargetModule.cs b/src/EdFi.Tools.ApiPublisher.Connections.Api/Modules/EdFiApiAsTargetModule.cs
index f48f960..d88e763 100644
--- a/src/EdFi.Tools.ApiPublisher.Connections.Api/Modules/EdFiApiAsTargetModule.cs
+++ b/src/EdFi.Tools.ApiPublisher.Connections.Api/Modules/EdFiApiAsTargetModule.cs
@@ -60,7 +60,7 @@ protected override void Load(ContainerBuilder builder) // API dependency metadata from Ed-Fi ODS API (using Target API) if (!options.UseSourceDependencyMetadata) { - builder.RegisterType() + _ = builder.RegisterType() .As() .WithParameter( // Configure to use with Target API
diff --git a/src/EdFi.Tools.ApiPublisher.Connections.Api/Processing/Source/Versioning/EdFiApiSourceCurrentChangeVersionProvider.cs b/src/EdFi.Tools.ApiPublisher.Connections.Api/Processing/Source/Versioning/EdFiApiSourceCurrentChangeVersionProvider.cs
index 53480d1..4ed0ff4 100644
--- a/src/EdFi.Tools.ApiPublisher.Connections.Api/Processing/Source/Versioning/EdFiApiSourceCurrentChangeVersionProvider.cs
+++ b/src/EdFi.Tools.ApiPublisher.Connections.Api/Processing/Source/Versioning/EdFiApiSourceCurrentChangeVersionProvider.cs
@@ -46,13 +46,12 @@ public EdFiApiSourceCurrentChangeVersionProvider(ISourceEdFiApiClientProvider so try { - long maxChangeVersion = - + long maxChangeVersion + = // Versions of Ed-Fi API through at least v3.4 (JObject.Parse(versionResponseText)["NewestChangeVersion"] - - // Enhancements/fixes applied introduced as part of API Publisher work - ?? JObject.Parse(versionResponseText)["newestChangeVersion"]).Value(); + // Enhancements/fixes applied introduced as part of API Publisher work + ?? JObject.Parse(versionResponseText)["newestChangeVersion"]).Value(); return maxChangeVersion; }
diff --git a/src/EdFi.Tools.ApiPublisher.Connections.Api/Processing/Target/Blocks/PostResourceProcessingBlocksFactory.cs b/src/EdFi.Tools.ApiPublisher.Connections.Api/Processing/Target/Blocks/PostResourceProcessingBlocksFactory.cs
index 0561734..ee7b06e 100644
--- a/src/EdFi.Tools.ApiPublisher.Connections.Api/Processing/Target/Blocks/PostResourceProcessingBlocksFactory.cs
+++ b/src/EdFi.Tools.ApiPublisher.Connections.Api/Processing/Target/Blocks/PostResourceProcessingBlocksFactory.cs
@@ -333,7 +333,6 @@ await HandlePostItemMessage( // Gracefully handle authorization errors by using the retry action delegate // (if present) to post the message to the retry "resource" queue if (apiResponse.StatusCode == HttpStatusCode.Forbidden - // Determine if current resource has an authorization retry queue && postItemMessage.PostAuthorizationFailureRetry != null) {
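Review bot: The comment `// Determine if current resource has an authorization retry queue` on the second operand of the `Forbidden` check is deleted outright, whereas the two parallel rewrites of the `BadRequest` checks in PostResourceProcessingBlocksFactory (hunks at `@@ -446,10 +445,9 @@` and `@@ -487,10 +485,9 @@`) keep their `// If resource is a "primary relationship" …` comment between the operands. Keeping this one the same way, i.e. the comment line immediately above `&& postItemMessage.PostAuthorizationFailureRetry != null)`, preserves the explanation of why the `PostAuthorizationFailureRetry` null check gates the retry path and keeps the three conditions in one style. The enclosing block starts and ends outside the hunk.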
@@ -446,10 +445,9 @@ string GetResponseMessageText(HttpResponseMessage response) bool IsBadRequestForUnresolvedReferenceOfPrimaryRelationship(HttpResponseMessage postItemResponse, PostItemMessage msg) { // If response is a Bad Request, check for need to explicitly fetch dependencies - if (postItemResponse.StatusCode == HttpStatusCode.BadRequest && - + if (postItemResponse.StatusCode == HttpStatusCode.BadRequest // If resource is a "primary relationship" configured in authorization failure handling - missingDependencyByResourcePath.TryGetValue(msg.ResourceUrl, out string missingDependencyResourcePath)) + && missingDependencyByResourcePath.TryGetValue(msg.ResourceUrl, out string missingDependencyResourcePath)) { string responseMessageText = GetResponseMessageText(postItemResponse);
@@ -487,10 +485,9 @@ async Task GetResponseMessageTextAsync(HttpResponseMessage response) { // If response is a Bad Request (which is the API's error response for missing Staff/Student/Parent), check for need to explicitly fetch dependencies // NOTE: If support is expanded for other missing dependencies, the response code from the API (currently) will be a 409 Conflict status. - if (postItemResponse.StatusCode == HttpStatusCode.BadRequest && - + if (postItemResponse.StatusCode == HttpStatusCode.BadRequest // If resource is a "primary relationship" configured in authorization failure handling - missingDependencyByResourcePath.TryGetValue(msg.ResourceUrl, out string missingDependencyResourcePath)) + && missingDependencyByResourcePath.TryGetValue(msg.ResourceUrl, out string missingDependencyResourcePath)) { string responseMessageText = await GetResponseMessageTextAsync(postItemResponse);
diff --git a/src/EdFi.Tools.ApiPublisher.Connections.Sqlite/EdFi.Tools.ApiPublisher.Connections.Sqlite.csproj b/src/EdFi.Tools.ApiPublisher.Connections.Sqlite/EdFi.Tools.ApiPublisher.Connections.Sqlite.csproj
index 914f81c..0c57438 100644
--- a/src/EdFi.Tools.ApiPublisher.Connections.Sqlite/EdFi.Tools.ApiPublisher.Connections.Sqlite.csproj
+++ b/src/EdFi.Tools.ApiPublisher.Connections.Sqlite/EdFi.Tools.ApiPublisher.Connections.Sqlite.csproj
@@ -4,8 +4,9 @@ enable - - + + +
diff --git a/src/EdFi.Tools.ApiPublisher.Core/EdFi.Tools.ApiPublisher.Core.csproj b/src/EdFi.Tools.ApiPublisher.Core/EdFi.Tools.ApiPublisher.Core.csproj
index 594ef5e..1f45a3f 100644
--- a/src/EdFi.Tools.ApiPublisher.Core/EdFi.Tools.ApiPublisher.Core.csproj
+++ b/src/EdFi.Tools.ApiPublisher.Core/EdFi.Tools.ApiPublisher.Core.csproj
@@ -4,22 +4,23 @@ 10 - - + + - + - + - + - - + + - + + - +
\ No newline at end of file
diff --git a/src/EdFi.Tools.ApiPublisher.Tests/EdFi.Tools.ApiPublisher.Tests.csproj b/src/EdFi.Tools.ApiPublisher.Tests/EdFi.Tools.ApiPublisher.Tests.csproj
index d545298..24bf2a4 100644
--- a/src/EdFi.Tools.ApiPublisher.Tests/EdFi.Tools.ApiPublisher.Tests.csproj
+++ b/src/EdFi.Tools.ApiPublisher.Tests/EdFi.Tools.ApiPublisher.Tests.csproj
@@ -4,19 +4,20 @@ 10 - + - + - - - + + + - - + + +
diff --git a/src/dev.Dockerfile b/src/dev.Dockerfile
index 752e9ca..bd62452 100644
--- a/src/dev.Dockerfile
+++ b/src/dev.Dockerfile
@@ -5,7 +5,7 @@
 # tag sdk:8.0 alpine
-FROM mcr.microsoft.com/dotnet/sdk@sha256:91cb46b0ee207d0df53e2e38f2e4013fe2668ab52dcca13c971afbbef94c83ef AS build
+FROM mcr.microsoft.com/dotnet/sdk:8.0-alpine3.20@sha256:07cb8622ca6c4d7600b42b2eccba968dff4b37d41b43a9bf4bd800aa02fab117 AS build
 WORKDIR /source
 COPY ./.editorconfig .editorconfig
@@ -37,7 +37,7 @@ RUN dotnet publish -c Release -o /app/EdFi.Tools.ApiPiblisher.Cli --no-build --n
 # Tag aspnet:8.0 alpine
-FROM mcr.microsoft.com/dotnet/aspnet@sha256:ba398f8c6a0469436cc115bfbd278002baf4ce9423b6d8a9e904da6adc31a23d
+FROM mcr.microsoft.com/dotnet/aspnet:8.0-alpine3.20@sha256:b5b7dec8006fe016cc864f618cf60eab24fb7d7a28c8ecf4f6b90ceeaa5cf9f2
 LABEL maintainer="Ed-Fi Alliance, LLC and Contributors "
 # Alpine image does not contain Globalization Cultures library so we need to install ICU library to get fopr LINQ expression to work
@@ -53,11 +53,11 @@ COPY ./Docker/logging.template.json /app/logging.template.json
 COPY ./Docker/plainTextNamedConnections.template.json /app/plainTextNamedConnections.template.json
 COPY ./Docker/run.sh /app/run.sh
-RUN apk --no-cache add unzip=~6 dos2unix=~7 bash=~5 gettext=~0 icu=~74 curl=~8 && \
+RUN apk --no-cache add --upgrade unzip=~6 dos2unix=~7 bash=~5 openssl=3.3.2-r0 gettext=~0 icu=~74 curl=~8 && \
 dos2unix /app/*.json && \
 dos2unix /app/*.sh && \
 chmod 700 /app/*.sh -- ** && \
 rm -f /app/*.pdb && \
 rm -f /app/*.exe
-ENTRYPOINT [ "/app/run.sh" ]
\ No newline at end of file
+ENTRYPOINT [ "/app/run.sh" ]