From 0a8dab74da0b4b91c1540aba6c6bc461863ed2db Mon Sep 17 00:00:00 2001
From: Weves
Date: Tue, 5 Sep 2023 15:25:53 -0700
Subject: [PATCH 1/3] Delete tornado test key
---
 backend/Dockerfile | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/backend/Dockerfile b/backend/Dockerfile
index 9f3f84a48e3..161154f1347 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -35,6 +35,11 @@ RUN apt-get remove -y linux-libc-dev \
 && apt-get autoremove -y \
 && rm -rf /var/lib/apt/lists/*
+# Remove tornado test key to placate vulnerability scanners
+# More details can be found here:
+# https://github.com/tornadoweb/tornado/issues/3107
+RUN rm /usr/local/lib/python3.11/site-packages/tornado/test/test.key
+
 WORKDIR /app
 COPY ./danswer /app/danswer
 COPY ./alembic /app/alembic
From 7aa7e92a84da01144a1a12ce8a5b5f51ec2307e1 Mon Sep 17 00:00:00 2001
From: Weves
Date: Tue, 5 Sep 2023 15:52:35 -0700
Subject: [PATCH 2/3] Remove nodejs from backend image once copying over to playwright dir
---
 backend/Dockerfile | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/backend/Dockerfile b/backend/Dockerfile
index 161154f1347..ff69bfb2b29 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -29,6 +29,8 @@ RUN apt-get update
 RUN apt-get install nodejs -y
 # replace nodejs packaged with playwright (18.17.0) with the one installed above
 RUN cp /usr/bin/node /usr/local/lib/python3.11/site-packages/playwright/driver/node
+# remove nodejs (except for the binary we moved into playwright)
+RUN apt-get remove -y nodejs
 # Cleanup for CVEs and size reduction
 RUN apt-get remove -y linux-libc-dev \
From b0f4be273e5f6a4dc09fb34e0519a337948621fe Mon Sep 17 00:00:00 2001
From: Weves
Date: Tue, 5 Sep 2023 18:32:41 -0700
Subject: [PATCH 3/3] Update semver version
---
 web/Dockerfile | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/web/Dockerfile b/web/Dockerfile
index 6b440b3d6af..8132e46a436 100644
--- a/web/Dockerfile
+++ b/web/Dockerfile
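Review bot: The added `RUN rm /usr/local/lib/python3.11/site-packages/tornado/test/test.key` deletes the key in a new layer, so the file is still present in the earlier layer that installed tornado; scanners that inspect individual layers, and anyone who unpacks that layer from the pulled image, still see it. The install step is outside this hunk, but the deletion only takes the file out of the image when it runs in that same `RUN`, for example by appending `&& rm /usr/local/lib/python3.11/site-packages/tornado/test/test.key` to it. The same layering issue applies to `RUN apt-get remove -y nodejs` in patch 2/3 and to `RUN rm -rf /usr/local/lib/node_modules` in patch 3/3, which remove files that earlier layers (or the `base` stage) still carry.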
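Review bot: After `RUN apt-get remove -y nodejs`, the copy at `playwright/driver/node` is the only node binary left and it is no longer recorded in the dpkg database, so package-inventory scanners and later `apt-get` security updates will neither report nor patch it. The runtime is still in the image and still executed by playwright, so this lowers scanner findings more than actual exposure. A comment such as `# NOTE: node copied above is untracked by dpkg; rebuild the image to pick up Node.js security fixes` would keep that visible to the next maintainer. It is also worth confirming the copied binary still starts after the later `apt-get autoremove -y`, which may drop libraries it links against (not determinable from this hunk); the cleanup `RUN` that follows continues outside the hunk.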
@@ -39,6 +39,11 @@ RUN npm run build
 FROM base AS runner
 WORKDIR /app
+# Remove global node modules, since they are not needed by the actual app
+# (all dependencies are copied over into the `/app` dir itself). These
+# global modules may be outdated and trigger security scans.
+RUN rm -rf /usr/local/lib/node_modules
+
 # Not needed, set by compose
 # ENV NODE_ENV production
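Review bot: `RUN rm -rf /usr/local/lib/node_modules` removes the global npm install but leaves any launchers that point into it; if `base` is the official node image (its `FROM` is outside this hunk), `/usr/local/bin/npm` and `/usr/local/bin/npx` become dangling symlinks. A start command further down the `runner` stage that calls `npm` or `npx` would then fail at container start rather than at build time. If the app is started with `node` directly, removing the links in the same step keeps the image consistent: `RUN rm -rf /usr/local/lib/node_modules /usr/local/bin/npm /usr/local/bin/npx`. The `runner` stage continues outside the hunk.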