From 392b95a4d89e36ee15dcf3c1e36430d55954c343 Mon Sep 17 00:00:00 2001 From: Brad Solomon <81818815+brsolomon-deloitte@users.noreply.github.com> Date: Thu, 16 Feb 2023 11:25:54 -0500 Subject: [PATCH 1/3] Install python packages through pip, not system manager This changes installation of wheel, setuptools, and pip to be conducted through pip rather than using the OS package manager python3-xxx versions. The package manager versions are outdated and subject to unpatched security vulnerabilities. --- modules/Dockerfile | 7 +++++-- server/Dockerfile | 21 +++++++++++++-------- 2 files changed, 18 insertions(+), 10 deletions(-) diff --git a/modules/Dockerfile b/modules/Dockerfile index 9683708..d2777b1 100644 --- a/modules/Dockerfile +++ b/modules/Dockerfile @@ -6,13 +6,16 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ cmake \ git \ python3-dev \ - python3-pip \ - python3-wheel \ build-essential \ pkg-config \ libpoppler-cpp-dev \ libfuzzy-dev \ libssl-dev \ + && curl -fsSL -O https://bootstrap.pypa.io/get-pip.py \ + && python3 get-pip.py --no-cache-dir \ + && rm -f get-pip.py \ + && python3 -m pip install --no-cache-dir --no-python-version-warning --disable-pip-version-check --no-color \ + wheel \ && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/* # Build MISP Modules diff --git a/server/Dockerfile b/server/Dockerfile index 9e8d56a..28bf595 100644 --- a/server/Dockerfile +++ b/server/Dockerfile 
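Review bot: The added `curl -fsSL -O https://bootstrap.pypa.io/get-pip.py` / `python3 get-pip.py` lines fetch and execute a script at build time with no version pin and no checksum, so the integrity of the installed pip rests entirely on TLS to that host at each build; the same applies to the three server/Dockerfile hunks of this patch (line 2). The resulting `pip` and `wheel` versions are also unpinned, which makes the image non-reproducible and hard to audit against the advisories the commit message cites. `curl` and `ca-certificates` must already be present in the part of the apt list above this hunk, which is not visible here. Patch 3 of this series drops get-pip.py again, so this only matters when the intermediate commits are built on their own.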
@@ -17,11 +17,10 @@ FROM debian:bullseye-slim as php-build librdkafka-dev \ git \ && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/* - + RUN pecl channel-update pecl.php.net RUN cp "/usr/lib/$(gcc -dumpmachine)"/libfuzzy.* /usr/lib; pecl install ssdeep && pecl install rdkafka RUN git clone --recursive --depth=1 https://github.com/kjdev/php-ext-brotli.git && cd php-ext-brotli && phpize && ./configure && make && make install - FROM debian:bullseye-slim as python-build RUN apt-get update; apt-get install -y --no-install-recommends \ @@ -29,12 +28,15 @@ FROM debian:bullseye-slim as python-build git \ python3 \ python3-dev \ - python3-pip \ - python3-setuptools \ - python3-wheel \ libfuzzy-dev \ libffi-dev \ ca-certificates \ + && curl -fsSL -O https://bootstrap.pypa.io/get-pip.py \ + && python3 get-pip.py --no-cache-dir \ + && rm -f get-pip.py \ + && python3 -m pip install --no-cache-dir --no-python-version-warning --disable-pip-version-check --no-color \ + wheel \ + setuptools \ && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/* RUN mkdir /wheels @@ -103,8 +105,6 @@ ARG PHP_VER rsync \ # Python Requirements python3 \ - python3-setuptools \ - python3-pip \ # PHP Requirements php \ php-apcu \ @@ -122,6 +122,11 @@ ARG PHP_VER libbrotli1 \ # Unsure we need these zip unzip \ + && curl -fsSL -O https://bootstrap.pypa.io/get-pip.py \ + && python3 get-pip.py --no-cache-dir \ + && rm -f get-pip.py \ + && python3 -m pip install --no-cache-dir --no-python-version-warning --disable-pip-version-check --no-color \ + wheel \ && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/* # MISP code 
@@ -142,7 +147,7 @@ ARG PHP_VER COPY --from=composer-build /tmp/Vendor /var/www/MISP/app/Vendor COPY --from=composer-build /tmp/Plugin /var/www/MISP/app/Plugin - + RUN for dir in /etc/php/*; do echo "extension=rdkafka.so" > "$dir/mods-available/rdkafka.ini"; done; phpenmod rdkafka RUN for dir in /etc/php/*; do echo "extension=brotli.so" > "$dir/mods-available/brotli.ini"; done; phpenmod brotli From e71e75ea303a2e969600af1635fc1e8a9db0d41e Mon Sep 17 00:00:00 2001 From: Brad Solomon <81818815+brsolomon-deloitte@users.noreply.github.com> Date: Thu, 16 Feb 2023 11:29:05 -0500 Subject: [PATCH 2/3] a few small touchups --- modules/Dockerfile | 2 +- server/Dockerfile | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/modules/Dockerfile b/modules/Dockerfile index d2777b1..21541fa 100644 --- a/modules/Dockerfile +++ b/modules/Dockerfile @@ -14,7 +14,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ && curl -fsSL -O https://bootstrap.pypa.io/get-pip.py \ && python3 get-pip.py --no-cache-dir \ && rm -f get-pip.py \ - && python3 -m pip install --no-cache-dir --no-python-version-warning --disable-pip-version-check --no-color \ + && python3 -m pip install --no-cache-dir --no-python-version-warning --disable-pip-version-check --no-color --upgrade \ wheel \ && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/* diff --git a/server/Dockerfile b/server/Dockerfile index 28bf595..467acb1 100644 --- a/server/Dockerfile +++ b/server/Dockerfile 
@@ -34,7 +34,7 @@ FROM debian:bullseye-slim as python-build && curl -fsSL -O https://bootstrap.pypa.io/get-pip.py \ && python3 get-pip.py --no-cache-dir \ && rm -f get-pip.py \ - && python3 -m pip install --no-cache-dir --no-python-version-warning --disable-pip-version-check --no-color \ + && python3 -m pip install --no-cache-dir --no-python-version-warning --disable-pip-version-check --no-color --upgrade \ wheel \ setuptools \ && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/* @@ -125,8 +125,9 @@ ARG PHP_VER && curl -fsSL -O https://bootstrap.pypa.io/get-pip.py \ && python3 get-pip.py --no-cache-dir \ && rm -f get-pip.py \ - && python3 -m pip install --no-cache-dir --no-python-version-warning --disable-pip-version-check --no-color \ + && python3 -m pip install --no-cache-dir --no-python-version-warning --disable-pip-version-check --no-color --upgrade \ wheel \ + setuptools \ && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/* # MISP code From 2e002ab36313f32599ef8812f7996fe1d0fa0c9e Mon Sep 17 00:00:00 2001 From: Brad Solomon <81818815+brsolomon-deloitte@users.noreply.github.com> Date: Thu, 16 Feb 2023 12:20:14 -0500 Subject: [PATCH 3/3] use python image for build; remove use of get-pip.py --- modules/Dockerfile | 4 +--- server/Dockerfile | 13 ++++--------- 2 files changed, 5 insertions(+), 12 deletions(-) diff --git a/modules/Dockerfile b/modules/Dockerfile index 21541fa..5a5fe9d 100644 --- a/modules/Dockerfile +++ b/modules/Dockerfile @@ -11,10 +11,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ libpoppler-cpp-dev \ libfuzzy-dev \ libssl-dev \ - && curl -fsSL -O https://bootstrap.pypa.io/get-pip.py \ - && python3 get-pip.py --no-cache-dir \ - && rm -f get-pip.py \ && python3 -m pip install --no-cache-dir --no-python-version-warning --disable-pip-version-check --no-color --upgrade \ + pip \ wheel \ && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/* 
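Review bot: After the modules/Dockerfile hunk at line 11, `python3 -m pip install ... pip wheel` runs with no remaining source of pip: `python3-pip` was removed from the apt list in patch 1 and the get-pip.py bootstrap is removed here, while the `FROM` line lies above the hunk and, per the diffstat (`4 +---`, one insertion and three deletions, all in this hunk), is not changed by this patch. Unless that base image already ships pip for `python3`, the stage presumably fails with `No module named pip`. If the base is a Debian image, either keep `python3-pip \` in the apt list (as the server/Dockerfile runtime stage does in this same patch) or switch the stage to a `python:*-slim-bullseye` image as was done for the server build stage. The `pip`/`wheel` versions remain unpinned; a pinned spec such as `pip==<pinned-version>` would make the build reproducible.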
diff --git a/server/Dockerfile b/server/Dockerfile index 467acb1..60647cc 100644 --- a/server/Dockerfile +++ b/server/Dockerfile @@ -22,19 +22,15 @@ FROM debian:bullseye-slim as php-build RUN cp "/usr/lib/$(gcc -dumpmachine)"/libfuzzy.* /usr/lib; pecl install ssdeep && pecl install rdkafka RUN git clone --recursive --depth=1 https://github.com/kjdev/php-ext-brotli.git && cd php-ext-brotli && phpize && ./configure && make && make install -FROM debian:bullseye-slim as python-build +FROM python:3.9-slim-bullseye as python-build RUN apt-get update; apt-get install -y --no-install-recommends \ gcc \ git \ - python3 \ - python3-dev \ libfuzzy-dev \ libffi-dev \ ca-certificates \ - && curl -fsSL -O https://bootstrap.pypa.io/get-pip.py \ - && python3 get-pip.py --no-cache-dir \ - && rm -f get-pip.py \ && python3 -m pip install --no-cache-dir --no-python-version-warning --disable-pip-version-check --no-color --upgrade \ + pip \ wheel \ setuptools \ && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/* @@ -105,6 +101,7 @@ ARG PHP_VER rsync \ # Python Requirements python3 \ + python3-pip \ # PHP Requirements php \ php-apcu \ @@ -122,10 +119,8 @@ ARG PHP_VER libbrotli1 \ # Unsure we need these zip unzip \ - && curl -fsSL -O https://bootstrap.pypa.io/get-pip.py \ - && python3 get-pip.py --no-cache-dir \ - && rm -f get-pip.py \ && python3 -m pip install --no-cache-dir --no-python-version-warning --disable-pip-version-check --no-color --upgrade \ + pip \ wheel \ setuptools \ && apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*
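Review bot: The build stage now runs on `python:3.9-slim-bullseye`, whose interpreter is the image's own /usr/local build, while the runtime stage (hunk at line 105) keeps Debian's `python3` package; compiled wheels this stage produces (the `/wheels` directory created just below the hunk in patch 1) will presumably only load in the runtime image while both interpreters happen to be the same minor version. The `3.9-slim-bullseye` tag floats across patch releases and is not pinned by digest, so the two interpreters can drift independently. Consider pinning the image (`FROM python:3.9-slim-bullseye@sha256:<image-digest> as python-build`) and adding a build-time check that the build and runtime Python versions agree, or basing the runtime stage on the same image.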
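Review bot: In the runtime stage the `python3-pip \` added in the hunk at line 105 is immediately shadowed by `pip install --upgrade pip wheel setuptools` in the hunk at line 122, which installs a second pip/setuptools into /usr/local on top of Debian's copies — the same distro/pip mix the commit message set out to remove, now with `pip` itself unpinned. Pinning the three packages (`pip==<pinned> setuptools==<pinned> wheel==<pinned>`, or a constraints file passed with `-c`) keeps rebuilds reproducible and lets the versions be tracked against advisories. If pip is only needed to install the wheels from the build stage, it is also worth confirming whether pip and setuptools need to remain in the final image at all.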