feat(notebookviewer): upgrade dependencies to resolve ECR scan findings #72
Conversation
There was a problem hiding this comment.
Once you run the notebookviewer, you can test the following URLs:
Example of Pass
- http://localhost/meditor/notebookviewer/?notebookUrl=https://github.com/nasa/gesdisc-cloud-tutorials/blob/main/GES_DISC_Cloud_Notebooks/Bite-Sized_Notebooks/4_Accessing_S3_Buckets.ipynb
- http://localhost/meditor/notebookviewer/?notebookUrl=https://raw.githubusercontent.com/nasa/gesdisc-tutorials/main/notebooks/How_to_Read_IMERG_Data_Using_Python.ipynb
- http://localhost/meditor/notebookviewer/?notebookUrl=https://raw.githubusercontent.com/nasa/gesdisc-tutorials/main/notebooks/How_to_Generate_Earthdata_Prerequisite_Files.ipynb
- http://localhost/meditor/notebookviewer/?notebookUrl=https://raw.githubusercontent.com/nasa/gesdisc-tutorials/main/notebooks/How_to_Access_GES_DISC_Data_Using_Python.ipynb
- http://localhost/meditor/notebookviewer/?notebookUrl=https://raw.githubusercontent.com/nasa/gesdisc-tutorials/main/cloud-tutorials/notebooks/How_to_Perform_Cross-DAAC_S3_Bucket_Access_Using_Python.ipynb
Example of Fail
| @@ -1,15 +1,16 @@ | |||
| ARG REGISTRY | |||
| FROM ${REGISTRY}python:3.9.1 | |||
| FROM ${REGISTRY}python:3.13.1-alpine | |||
There was a problem hiding this comment.
The Alpine versions of docker had no security vulnerabilities on DockerHub scans, so I chose it. Sometimes Alpine Linux doesn't work with the app's dependencies, but in this case the app is so simple it works well.
packages/notebook-viewer/app.py
Outdated
| @@ -6,9 +6,12 @@ | |||
| from lib.html_exporter import html_exporter | |||
|
|
|||
| # only notebooks from these domains are allowed | |||
| DOMAIN_WHITELIST_REGEX = "^https://([a-zA-Z0-9]+\.)*(nasa\.gov|github\.com|githubusercontent\.com)\/?.*" | |||
| DOMAIN_WHITELIST_REGEX = ( | |||
There was a problem hiding this comment.
I added r to tell Pyright that this string literal should use regex escaping.
| @@ -17,39 +20,43 @@ def getNotebookAsHtml(): | |||
|
|
|||
| def convertNotebookToHtml(): | |||
| # ensure the user passed in a notebook url | |||
| if request.args.get('notebookUrl') == None: | |||
| if request.args.get("notebookUrl") is None: | |||
There was a problem hiding this comment.
None should be compared with is, according to Ruff. All other changes are just the Ruff / Black formatter.
| Jinja2==3.1.4 | ||
| nbconvert==7.16.4 | ||
| nbformat==5.10.4 | ||
| gunicorn==23.0.0 |
There was a problem hiding this comment.
Adds Gunicorn for use as a production server. Upgrades dependencies for vulnerability mitigation.
|
Python ECR Results: Notebook Viewer ECR Results: |
|
|
||
| WORKDIR /usr/src/app | ||
|
|
||
| COPY . . | ||
|
|
||
| RUN pip install -r requirements.txt | ||
|
|
||
| CMD python -m flask run --host=0.0.0.0 --port 8080 | ||
| CMD ["gunicorn", "-b", "0.0.0.0:8080", "app:app"] |
There was a problem hiding this comment.
What's the reasoning behind running gunicorn for this?
There was a problem hiding this comment.
Flask is a development server, so in their server logs they output something like "this is a development server; don't run it in production". In their docs, they recommend a number of WSGI servers to choose from. gunicorn is one that I've used before, so I picked it based on familiarity.
benforshey
deleted the
feature/MEDITOR-928-address-vulnerabilities-in-notebookviewer
branch
No description provided.