Fix CVEs: CVE-2024-45491,CVE-2024-45490,CVE-2024-45492,GHSA-h4gh-qq45…

…-vh27 Update cryptography package Update the libexpat1 package when building our image
robusta-dev · Sep 25, 2024 · 0abd85d · 0abd85d
1 parent 07acc5b
commit 0abd85d
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 37 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -62,12 +62,15 @@ ENV PYTHONPATH=$PYTHONPATH:.:/app/src
 WORKDIR /app
 
 # Install necessary packages for the runtime environment
+# We're installing here libexpat1, to upgrade the package to include a fix to 3 high CVEs. CVE-2024-45491,CVE-2024-45490,CVE-2024-45492
 RUN apt-get update \
     && dpkg --add-architecture arm64 \
     && pip3 install --no-cache-dir --upgrade pip \
     && apt-get install -y --no-install-recommends git ssh curl libcairo2 \
+    && apt-get install -y --no-install-recommends libexpat1 \
     && rm -rf /var/lib/apt/lists/*
 
+
 # Patching CVE-2024-32002
 RUN git config --global core.symlinks false
 

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -57,7 +57,7 @@ humanize = "^3.13.1"
 # we're freezing a specific version here because the latest version doesn't have prebuilt wheels on pypi
 # and therefore requires gcc to install which we'd like to avoid
 # this is similar to the issue at https://github.com/dulwich/dulwich/issues/839
-cryptography = "^42.0.5"
+cryptography = "^43.0.1"
 fpdf2 = "^2.7.1"
 attrs = "^23.1.0"
 prometrix = "0.1.16"