Fix/docker python vulnerabilities (#6320)

ihaardik · web-flow · commit 0d224dc7cedb · 2025-06-16T19:01:05.000+05:30
* fix python vulnerabilities in Docker images

* upgrade pip and setuptools

* Removing unused source directory

* upgrading packages from root directory

* cleaning up default python3.11
diff --git a/Dockerfile-api b/Dockerfile-api
@@ -30,15 +30,15 @@ RUN apt-get update && \
 RUN apt-get update && \
 	apt-get upgrade -y && \
 	cd /usr/src && \
-	wget https://www.python.org/ftp/python/3.8.12/Python-3.8.12.tar.xz && \
-	tar -xf Python-3.8.12.tar.xz && \
+	wget https://www.python.org/ftp/python/3.8.20/Python-3.8.20.tar.xz && \
+	tar -xf Python-3.8.20.tar.xz && \
 	apt-get install -y build-essential sudo zlib1g-dev libssl3 libncurses5-dev libgdbm-dev libnss3-dev libssl-dev libsqlite3-dev libreadline-dev libffi-dev curl libbz2-dev && \
-	cd Python-3.8.12 && \
+	cd Python-3.8.20 && \
 	./configure --enable-optimizations --enable-shared && \
 	make && \
 	make altinstall && \
-	ldconfig /usr/src/Python-3.8.12 && \
-	ln -s /usr/local/bin/python3.8 /usr/bin/python3
+	ldconfig /usr/src/Python-3.8.20 && \
+	ln -sf /usr/local/bin/python3.8 /usr/bin/python3
 
 RUN curl -s -L -o /tmp/tini.deb "https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini_${TINI_VERSION}.deb" && \
 	dpkg -i /tmp/tini.deb && \
@@ -55,13 +55,16 @@ RUN curl -s -L -o /tmp/tini.deb "https://github.com/krallin/tini/releases/downlo
 	HOME=/tmp npm install argon2 --build-from-source --unsafe-perm=true --allow-root && \
 	./bin/docker/preinstall.sh && \
 	bash /opt/countly/bin/scripts/detect.init.sh && \
+        python3.8 -m pip install --upgrade pip setuptools && \
 	\
 	# cleanup & chown
 	npm remove -y --no-save mocha nyc should supertest && \
+        apt-get purge -y python3 python3-pip python3-distutils python3-setuptools && \
 	apt-get remove -y git gcc g++ make automake autoconf libtool pkg-config unzip sqlite3 wget && \
 	apt-get install -y libgbm-dev libgbm1 gconf-service libasound2 libatk1.0-0 libatk-bridge2.0-0 libc6 libcairo2 libcups2 libdbus-1-3 libexpat1 libfontconfig1 libgcc1 libgconf-2-4 libgdk-pixbuf2.0-0 libglib2.0-0 libgtk-3-0 libnspr4 libpango-1.0-0 libpangocairo-1.0-0 libstdc++6 libx11-6 libx11-xcb1 libxcb1 libxcomposite1 libxcursor1 libxdamage1 libxext6 libxfixes3 libxi6 libxrandr2 libxrender1 libxss1 libxtst6 ca-certificates fonts-liberation libappindicator1 libnss3 lsb-release xdg-utils && \
 	apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
-	rm -rf test /tmp/* /tmp/.??* /var/tmp/* /var/tmp/.??* /var/log/* /root/.npm && \
+        apt-get autoremove -y && \
+	rm -rf test /tmp/* /tmp/.??* /var/tmp/* /var/tmp/.??* /var/log/* /root/.npm /usr/local/lib/python3.8/ensurepip/_bundled/*.whl /usr/src/Python* /var/lib/dpkg/info/python3* && \
 	\
 	# temporary to remove npm bug message
 	mkdir /.npm && chown -R 1001:0 /.npm && \
@@ -76,4 +79,4 @@ USER 1001:0
 
 ENTRYPOINT ["/usr/bin/tini", "-v", "--"]
 
-CMD ["/opt/countly/bin/docker/cmd.sh"]
+CMD ["/opt/countly/bin/docker/cmd.sh"]
diff --git a/Dockerfile-frontend b/Dockerfile-frontend
@@ -26,15 +26,15 @@ RUN apt-get update && \
 RUN apt-get update && \
 	apt-get upgrade -y && \
 	cd /usr/src && \
-	wget https://www.python.org/ftp/python/3.8.12/Python-3.8.12.tar.xz && \
-	tar -xf Python-3.8.12.tar.xz && \
+	wget https://www.python.org/ftp/python/3.8.20/Python-3.8.20.tar.xz && \
+	tar -xf Python-3.8.20.tar.xz && \
 	apt-get install -y build-essential sudo zlib1g-dev libssl3 libncurses5-dev libgdbm-dev libnss3-dev libssl-dev libsqlite3-dev libreadline-dev libffi-dev curl libbz2-dev && \
-	cd Python-3.8.12 && \
+	cd Python-3.8.20 && \
 	./configure --enable-optimizations --enable-shared && \
 	make && \
 	make altinstall && \
-	ldconfig /usr/src/Python-3.8.12 && \
-	ln -s /usr/local/bin/python3.8 /usr/bin/python3
+	ldconfig /usr/src/Python-3.8.20 && \
+	ln -sf /usr/local/bin/python3.8 /usr/bin/python3
 
 RUN curl -s -L -o /tmp/tini.deb "https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini_${TINI_VERSION}.deb" && \
 	dpkg -i /tmp/tini.deb && \
@@ -52,14 +52,17 @@ RUN curl -s -L -o /tmp/tini.deb "https://github.com/krallin/tini/releases/downlo
 	HOME=/tmp npm install argon2 --build-from-source --unsafe-perm=true --allow-root && \
 	./bin/docker/preinstall.sh && \
 	bash /opt/countly/bin/scripts/detect.init.sh && \
-	countly update sdk-web && \
+	python3.8 -m pip install --upgrade pip setuptools && \
+        countly update sdk-web && \
 	\
 	# cleanup & chown
 	npm remove -y --no-save mocha nyc should supertest puppeteer && \
-	apt-get remove -y git gcc g++ make automake autoconf libtool pkg-config unzip sqlite3 wget && \
+	apt-get purge -y python3 python3-pip python3-distutils python3-setuptools && \
+        apt-get remove -y git gcc g++ make automake autoconf libtool pkg-config unzip sqlite3 wget && \
 	apt-get autoremove -y && \
 	apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
-	rm -rf test /tmp/* /tmp/.??* /var/tmp/* /var/tmp/.??* /var/log/* /root/.npm && \
+        apt-get autoremove -y && \
+        rm -rf test /tmp/* /tmp/.??* /var/tmp/* /var/tmp/.??* /var/log/* /root/.npm /usr/local/lib/python3.8/ensurepip/_bundled/*.whl /usr/src/Python* /var/lib/dpkg/info/python3* && \
 	\
 	# temporary to remove npm bug message
 	mkdir /.npm && chown -R 1001:0 /.npm && \
