Skip to content

fix: patch OS-level CVEs in Docker image#8

Merged
ryanmcmillan merged 2 commits intomainfrom
fix/docker-apt-upgrade
Mar 21, 2026
Merged

fix: patch OS-level CVEs in Docker image#8
ryanmcmillan merged 2 commits intomainfrom
fix/docker-apt-upgrade

Conversation

@ryanmcmillan
Copy link
Member

@ryanmcmillan ryanmcmillan commented Mar 21, 2026

Summary

Adds apt-get update && apt-get upgrade -y to the Dockerfile to patch fixable OS-level vulnerabilities in the Debian 12 base image.

What this fixes

Snyk found 73 OS-level CVEs in python:3.13.3-slim (Debian 12 Bookworm). 25 have upstream fixes available:

  • 2 Critical: sqlite3 (CVE-2025-6965)
  • 6 High: gnutls (double free, heap overflow), perl (cert validation), pam (directory traversal), openssl (CVE-2025-69421), gnupg (OOB write)
  • 7 Medium: gnutls (null ptr, algorithmic complexity), pam, others

The remaining 48 low-severity findings have no Debian fix available yet.

Why this is safe

apt-get upgrade only installs patched versions of already-installed packages. No new packages added. Build stays reproducible with the pinned python:3.13.3-slim base.

@ryanmcmillan
fix: add apt-get upgrade to patch OS-level CVEs
98d1256 
Patches fixable Snyk findings (critical/high/medium) from
Debian 12 base image packages (sqlite3, gnutls, openssl,
perl, pam, gnupg).
@greptile-apps
Copy link

greptile-apps bot commented Mar 21, 2026

Greptile Summary

This PR adds a single apt-get update && apt-get upgrade -y step to the Dockerfile to patch 25 of the 73 OS-level CVEs that Snyk identified in the python:3.13.3-slim (Debian 12 Bookworm) base image, including 2 critical sqlite3 CVEs and 6 high-severity issues in gnutls, openssl, pam, and others.

Key changes:

  • A new RUN layer is inserted immediately after the FROM statement to apply all available Debian security patches.
  • Package lists are cleaned up in the same layer (rm -rf /var/lib/apt/lists/*), keeping the image size minimal.

Considerations:

  • DEBIAN_FRONTEND=noninteractive is not set. Some packages upgraded by this step may trigger debconf interactive configuration prompts that -y alone does not suppress, which can cause builds to hang in CI.
  • While the FROM base image is pinned, apt-get upgrade resolves package versions from the live Debian repos at build time. The image content will drift across builds over time — the PR description's claim of full reproducibility is slightly overstated, though this is an accepted trade-off for security patching.

Confidence Score: 4/5

  • Safe to merge — the change is minimal, targeted, and correctly structured; one minor best-practice gap to address.
  • The change is a single well-formed RUN instruction that follows Docker best practices (cleanup in the same layer). It addresses real, documented CVEs with no new packages added. The only actionable issue is the missing DEBIAN_FRONTEND=noninteractive, which is a low-risk but non-trivial omission in CI environments where debconf prompts could cause the build to hang.
  • No files require special attention beyond the Dockerfile comment noted above.

Important Files Changed

Filename Overview
Dockerfile Adds an apt-get update/upgrade layer to patch 25 OS-level CVEs in the Debian 12 base image; correctly cleans package lists in the same layer. Minor: DEBIAN_FRONTEND=noninteractive is missing, which can cause debconf prompts to hang CI builds.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["FROM python:3.13.3-slim\n(Debian 12 Bookworm base)"] --> B

    subgraph NEW ["🆕 New layer (this PR)"]
        B["RUN apt-get update &&\napt-get upgrade -y &&\nrm -rf /var/lib/apt/lists/*\n\n→ Patches 25 CVEs (2 Critical, 6 High, 7 Medium)"]
    end

    B --> C["WORKDIR /app"]
    C --> D["COPY backend/requirements.txt\nRUN pip install -r requirements.txt"]
    D --> E["COPY backend /app/backend\nCOPY README.md / LICENSE"]
    E --> F["ENV DELEGA_HOST / PORT / AUTH / DB_PATH"]
    F --> G["VOLUME /app/data\nEXPOSE 18890\nHEALTHCHECK"]
    G --> H["CMD: run migrations → start main.py"]

    style NEW fill:#d4edda,stroke:#28a745,color:#000
Loading

Last reviewed commit: "fix: add apt-get upg..."

greptile-apps[bot]
greptile-apps bot reviewed Mar 21, 2026
View reviewed changes
Dockerfile Outdated
FROM python:3.13.3-slim

# Patch OS-level vulnerabilities in base image
RUN apt-get update && apt-get upgrade -y && rm -rf /var/lib/apt/lists/*
Copy link

@greptile-apps greptile-apps bot Mar 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Set DEBIAN_FRONTEND=noninteractive for non-interactive apt runs

Without DEBIAN_FRONTEND=noninteractive, certain packages (e.g. tzdata, libreadline) can trigger debconf configuration prompts during apt-get upgrade. The -y flag only handles yes/no confirmations — it does not suppress interactive debconf dialogs. This can cause the build to hang or produce unexpected behavior in CI environments.

Suggested change
RUN apt-get update && apt-get upgrade -y && rm -rf /var/lib/apt/lists/*
RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt-get upgrade -y && rm -rf /var/lib/apt/lists/*

@ryanmcmillan
fix: add DEBIAN_FRONTEND=noninteractive to apt-get upgrade
76a37e8 
Per Greptile review — prevents debconf prompts from hanging
the build in CI.
@ryanmcmillan ryanmcmillan merged commit 974e195 into main Mar 21, 2026
5 checks passed
@ryanmcmillan ryanmcmillan deleted the fix/docker-apt-upgrade branch March 21, 2026 03:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ryanmcmillan