diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 00000000..20c477ef
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,14 @@
+venv
+build
+dist
+deployment
+test-reports
+**/tests
+.semgrep
+.idea
+.github
+.eggs
+.pre-commit-config.yaml
+*.egg-info/
+**/*.zip
+**/*.7z
\ No newline at end of file
diff --git a/.github/actions/install-startleft/action.yml b/.github/actions/install-startleft/action.yml
index 3c6bcb54..ac7d8ace 100644
--- a/.github/actions/install-startleft/action.yml
+++ b/.github/actions/install-startleft/action.yml
@@ -14,31 +14,19 @@ runs:
 with:
 python-version: ${{ inputs.python-version }}
- - name: Update pip version to 23.0.1
- run: python -m pip install --use-pep517 --upgrade pip==23.0.1
+ - name: Ensure pip is up-to-date
+ run: python -m ensurepip --upgrade
 shell: bash
- - name: Set setuptools to v70 for compatibility with setuptools-scm
- run: python -m pip install setuptools==70.3.0
+ - name: Upgrade setuptools for compatibility with setuptools-scm
+ run: python -m pip install --upgrade setuptools
 shell: bash
 - name: Setup Graphviz
 uses: ts-graphviz/setup-graphviz@55fcdfa9328aed658432c22011bec2873cd8e69f # Securely point to hash commit for v1
- - name: Configure Graphviz in Windows
- if: runner.os == 'Windows'
- shell: bash
- run: |
- pip install --global-option=build_ext --global-option="-IC:\Program files\Graphviz\include" --global-option="-LC:\Program files\Graphviz\lib" pygraphviz==1.10
- echo "C:\Program Files\Graphviz\bin" >> $GITHUB_PATH
-
 - name: Install dependencies
- run: pip install . && pip install -e ".[setup,test]"
+ run: python -m pip install . && python -m pip install -e ".[setup,test]"
 shell: bash
- # This step MUST be after the general installation of StartLeft
- - name: Install libmagic in Windows
- if: runner.os == 'Windows'
- run: pip install python-magic-bin
- shell: bash
diff --git a/.github/workflows/qa.yml b/.github/workflows/qa.yml
index bf44690a..019de386 100644
--- a/.github/workflows/qa.yml
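Review bot: The step renamed "Ensure pip is up-to-date" in the action.yml hunk does not do what its name says: `python -m ensurepip --upgrade` only (re)installs the pip wheel bundled with the interpreter, so pip stays at whatever version that Python build shipped with. If a current pip is the goal the line should be `run: python -m pip install --upgrade pip`; if the bundled pip is acceptable, the step name should say so instead. The unpinned `python -m pip install --upgrade setuptools` also looks ineffective, because setup.py still declares `'setuptools==70.3.0'` in install_requires (visible as context in the setup.py hunk below), so the later `pip install .` should pull setuptools back to that version; pinning the same version here, or dropping the pin in setup.py, keeps the two in agreement and restores the reproducible tool versions the removed lines had. The enclosing `runs:` block starts before the hunk.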
+++ b/.github/workflows/qa.yml
@@ -20,8 +20,8 @@ jobs:
 name: StartLeft Tests
 strategy:
 matrix:
- os: [ ubuntu-latest, windows-latest ]
- python-version: [ "3.9", "3.10", "3.11" ]
+ os: [ ubuntu-latest ]
+ python-version: [ "3.10", "3.11", "3.12"]
 uses: ./.github/workflows/test.yml
 with:
 os: ${{ matrix.os }}
diff --git a/deployment/Dockerfile.application b/deployment/Dockerfile.application
index baf20945..f7a40c71 100644
--- a/deployment/Dockerfile.application
+++ b/deployment/Dockerfile.application
@@ -1,31 +1,25 @@
-FROM python:3.11-alpine AS startleft-base
+FROM python:3.12-alpine3.21 AS startleft-base
-WORKDIR /usr/src/app
-
-RUN apk update && \
- apk upgrade && \
- apk add --repository=https://dl-cdn.alpinelinux.org/alpine/v3.20/main --repository=https://dl-cdn.alpinelinux.org/alpine/v3.20/community \
- g++~=13.2 gcc~=13.2 gfortran~=13.2 libgcc~=13.2 libstdc++~=13.2 && \
- apk --no-cache add geos geos-dev git graphviz-dev lapack lapack-dev libmagic musl-dev py3-pybind11-dev re2 re2-dev
+WORKDIR /app
 COPY . .
-RUN pip install --upgrade pip && pip install .
+RUN apk -U upgrade && \
+ apk add --no-cache cblas geos git lapack libmagic py3-pygraphviz py3-re2 py3-shapely re2 && \
+ cp -R /usr/lib/python3.12/site-packages /usr/local/lib/python3.12/ && \
+ pip install --upgrade pip && pip install .
-FROM python:3.11-alpine
+FROM python:3.12-alpine3.21
-WORKDIR /app
-
-RUN apk update && \
- apk upgrade && \
- apk --no-cache add cblas geos graphviz-dev lapack libmagic re2 && \
+RUN apk -U upgrade && \
+ apk add --no-cache libmagic py3-pygraphviz py3-re2 py3-shapely && \
 adduser --disabled-password --no-create-home startleft && \
- rm -rf /usr/local/lib/python3.11/site-packages
-
-COPY --from=startleft-base /usr/local/lib/python3.11/site-packages /usr/local/lib/python3.11/site-packages
+ rm -Rf /usr/local/lib/python3.12/site-packages
+COPY --from=startleft-base /usr/local/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages
 COPY --from=startleft-base /usr/local/bin/startleft /usr/local/bin/startleft
+COPY --from=startleft-base /usr/local/bin/uvicorn /usr/local/bin/uvicorn
 USER startleft
diff --git a/setup.py b/setup.py
index 7b605bf6..58cff643 100644
--- a/setup.py
+++ b/setup.py
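Review bot: The added `cp -R /usr/lib/python3.12/site-packages /usr/local/lib/python3.12/` line couples two interpreters: the `py3-pygraphviz`, `py3-re2` and `py3-shapely` apk packages are built for Alpine's own python3 under /usr/lib, and copying them into the official `python:3.12-alpine3.21` interpreter's site-packages only works while both happen to be the same Python minor version and musl ABI, so a later Alpine python3 bump or base-tag change would surface as an import failure at runtime rather than at build time. That assumption deserves a comment next to the copy, e.g. `# Alpine's py3-* packages target /usr/bin/python3; copying them into /usr/local assumes the same Python 3.12 ABI`, plus a build-time check such as `python -c "import pygraphviz, re2, shapely"` after the copy so a mismatch fails the build. The same `py3-*` packages are installed again in the final stage, which through their apk dependencies brings Alpine's own python3 into the runtime image and widens its surface; if they are only there for the shared libraries the copied extensions link against, installing just those library packages would be the smaller footprint. Also note that the removed lines pinned the toolchain (`g++~=13.2` etc.) while `apk -U upgrade` and the new package lists are unpinned, and that `COPY . .` now precedes the apk/pip layer, so any source change rebuilds the whole package installation.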
@@ -3,6 +3,7 @@
 from startleft.startleft._version.local_scheme import guess_startleft_semver_suffix
 from startleft.startleft._version.version_scheme import guess_startleft_semver
+
 setup(
 name='startleft',
 description='Parse Infrastructure as Code files to the Open Threat Model format and upload them to IriusRisk',
@@ -13,7 +14,7 @@
 keywords=['threat modeling', 'cyber security', 'appsec'],
 packages=find_packages(),
 include_package_data=True,
- python_requires='>= 3.9, <= 3.12',
+ python_requires='>= 3.10, < 3.13',
 install_requires=[
 'pyyaml==6.0.1',
 'jsonschema==4.19.0',
@@ -25,19 +26,19 @@
 "python-multipart==0.0.19",
 'click==8.1.7',
 'uvicorn==0.23.2',
- 'shapely==2.0.1',
 'vsdx==0.5.19',
 'python-magic==0.4.27',
 'setuptools==70.3.0',
 'setuptools-scm==8.1.0',
 'defusedxml==0.7.1',
 'networkx==3.1',
- 'dependency-injector==4.41.0',
- 'google-re2==1.0',
+ 'dependency-injector==4.46.0',
 'xmlschema==2.5.0',
 'word2number==1.1',
- # Do not upgrade pygraphviz unless security issues because it is heavily dependent on the underlying OS
- 'pygraphviz==1.10',
+ # These dependencies are heavily dependent on the underlying OS
+ 'pygraphviz==1.13',
+ 'shapely==2.0.6',
+ 'google-re2',
 # Numpy is a transitive dependency of fastapi, requests and python-multipart
 # They require different v1 versions, while v2 versions lead to import errors
 'numpy<2.0'
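Review bot: In the third setup.py hunk `'google-re2'` is the only install_requires entry left without a version pin, so `pip install .` resolves whatever google-re2 release the index serves at build time, while every neighbouring entry is exact-pinned and the new comment says these OS-dependent packages are deliberately held. Pinning it like its siblings, `'google-re2==<chosen version>'`, or at least giving it an upper bound, keeps builds reproducible and lets a future bump be reviewed the same way `pygraphviz==1.13` and `shapely==2.0.6` are here. If the pin was dropped on purpose so that the Alpine `py3-re2` package copied into site-packages in deployment/Dockerfile.application satisfies the requirement, a comment saying so would help, since an unpinned name still falls back to an index download wherever that package is absent or its distribution name differs. The `install_requires` list continues past the end of the hunk.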