From 132574c683136ac2cc8daa833d25fec718993bb0 Mon Sep 17 00:00:00 2001
From: lawik974
Date: Thu, 13 Jun 2024 21:10:33 +0200
Subject: [PATCH] Change alpine version + Fix CVE-2023-42364,CVE-2023-42364
---
 .../workflows/github-actions-docker-tags.yml | 3 +++
 .github/workflows/github-actions-docker.yml | 3 +++
 .github/workflows/trivy.yml | 10 +++++----
 .gitignore | 1 +
 Dockerfile | 22 +++++++++++++------
 pyproject.toml | 5 ++++-
 6 files changed, 32 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/github-actions-docker-tags.yml b/.github/workflows/github-actions-docker-tags.yml
index d65633d..194fa12 100644
--- a/.github/workflows/github-actions-docker-tags.yml
+++ b/.github/workflows/github-actions-docker-tags.yml
@@ -11,6 +11,9 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+ with:
+ fetch-tags: true
+ fetch-depth: 0
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v3
 - name: Set up Docker Buildx
diff --git a/.github/workflows/github-actions-docker.yml b/.github/workflows/github-actions-docker.yml
index 585d05c..adb9f03 100644
--- a/.github/workflows/github-actions-docker.yml
+++ b/.github/workflows/github-actions-docker.yml
@@ -11,6 +11,9 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+ with:
+ fetch-tags: true
+ fetch-depth: 0
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v3
 - name: Set up Docker Buildx
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index ad9aefb..db3b7d7 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
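Review bot: The `fetch-depth: 0` / `fetch-tags: true` pair added to the checkout step in github-actions-docker-tags.yml has no comment saying why a full clone is needed, and a later maintainer will likely trim it back to a shallow checkout for speed; since this commit also moves the build to poetry-dynamic-versioning, the version is presumably derived from git tags inside the Docker build. Add `# full history and tags are required: poetry-dynamic-versioning reads the version from git tags` above `with:`. As far as I know actions/checkout already fetches all tags when `fetch-depth: 0` is set, so `fetch-tags: true` is redundant but harmless. The identical hunk in github-actions-docker.yml needs the same comment.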
@@ -27,18 +27,20 @@ jobs:
 runs-on: "ubuntu-20.04"
 steps:
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
+ with:
+ fetch-tags: true
+ fetch-depth: 0
 - name: Build an image from Dockerfile
 run: |
 docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
 - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
+ uses: aquasecurity/trivy-action@0.22.0
 with:
 image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
- format: 'template'
- template: '@/contrib/sarif.tpl'
+ format: 'sarif'
 output: 'trivy-results.sarif'
 severity: 'CRITICAL,HIGH'
diff --git a/.gitignore b/.gitignore
index dab8ba1..8c326c2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 config.yaml
 *__pycache__*
 *.dat
+dist/
diff --git a/Dockerfile b/Dockerfile
index 2622653..845c467 100644
--- a/Dockerfile
+++ b/Dockerfile
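Review bot: The Trivy step in trivy.yml is moved from a commit-SHA pin (`aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe`) to the mutable tag `0.22.0`, which gives up the supply-chain protection the old line had: a tag can be re-pointed after the fact, a SHA cannot. Keep the upgrade but pin to the release's commit and record the version in a comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha-of-release-0.22.0>  # 0.22.0`. The switch to `format: 'sarif'` is fine. Note also that the `with:` block visible here sets no `exit-code`, so if the step has no such input outside this hunk the scan only reports findings and never fails the job, which matters for a commit whose purpose is closing a CVE.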
@@ -1,21 +1,29 @@
 # Stage 1: Builder stage where the package is built using Poetry
-FROM python:3.12-alpine as builder
+FROM python:alpine3.20 as builder
 WORKDIR /app
-RUN apk add gcc libc-dev libffi-dev
-RUN pip install poetry
+RUN apk update \
+ # Install poetry dependencies
+ && apk add gcc libc-dev libffi-dev git \
+ # Fix CVE-2023-42364
+ && apk upgrade busybox \
+ # Clean cache
+ && apk cache clean
+RUN pip install poetry==1.8.3
 COPY . /app
 # Disable virtual env creation by poetry, it's not needed in Docker
 RUN poetry config virtualenvs.create false
+# Install poetry version plugin see https://github.com/tiangolo/poetry-version-plugin
+RUN poetry self add "poetry-dynamic-versioning[plugin]==v1.3.0"
 # Install dependencies only (to improve caching)
-RUN poetry install --no-root --no-dev
+RUN poetry install --no-root --only main
 # Build the package (this creates the package wheel)
 RUN poetry build
 # Stage 2: Lightweight production stage with minimal footprint
-FROM python:3.12-alpine as production
+FROM python:alpine3.20 as production
 WORKDIR /app
-COPY --from=builder /app/dist/*.whl /app/
-RUN pip install --no-cache-dir /app/*.whl
+COPY --from=builder /app/dist/*.whl /tmp/
+RUN pip install --no-cache-dir /tmp/*.whl && rm -rf /tmp/*.whl
 ENV PYTHONUNBUFFERED=1
 CMD ["kube-notify", "--config", "/app/config.yaml", "--inCluster"]
diff --git a/pyproject.toml b/pyproject.toml
index abcf57a..0a0fa37 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "kube-notify"
-version = "0.1.1"
+version = "0"
 description = "A simple python app to relay k8s events to gotify"
 authors = ["wikle "]
 license = "MIT"
@@ -28,3 +28,6 @@ pytest-mock = "^3.14.0"
 [build-system]
 requires = ["poetry-core>=1.0.0"]
 build-backend = "poetry.core.masonry.api"
+
+[tool.poetry-dynamic-versioning]
+enable = true
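Review bot: In Dockerfile the busybox upgrade that the commit subject says fixes CVE-2023-42364 runs only in the builder stage (`apk upgrade busybox` under the first `FROM`); the production stage starts again from `python:alpine3.20` and upgrades nothing, so the image that is actually shipped and scanned by trivy.yml still carries the base image's busybox. Add `RUN apk upgrade --no-cache busybox` (or a full `apk upgrade --no-cache`, which also picks up any other patched base packages) after `WORKDIR /app` in the production stage. Dropping the Python minor from the tag (`python:alpine3.20` replaces `python:3.12-alpine`) also lets the interpreter version float between builds; `python:3.12-alpine3.20` pins both the Python and the Alpine release. In the builder `RUN`, `apk add --no-cache ...` would make the separate `apk update` and `apk cache clean` unnecessary, and I am not sure `apk cache clean` succeeds on an image with no configured cache directory, so check the build log before keeping it.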