feat: adding trivy

Author: adilhusain-s

python-versions/Dockerfile

@@ -8,87 +8,111 @@ ARG ACTIONS_PYTHON_VERSIONS=3.13.3-14344076652
 # ================= BUILDER STAGE =====================
 FROM ${BASE_IMAGE} AS builder
 
-# Re-declare all ARGs inside this stage
 ARG UBUNTU_VERSION
-ARG BASE_IMAGE
 ARG TARGETARCH
 ARG PYTHON_VERSION
 ARG ACTIONS_PYTHON_VERSIONS
 
-# Set environment variables
+# [SECURITY] 1. Fail build immediately if any command in a pipe fails
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+# [SECURITY] 2. Hardened Compiler Flags for s390x/ppc64le
+# - Removed -D_FORTIFY_SOURCE=2 (Ubuntu 24.04 defaults to Level 3, which is better)
+# - Added -g1 (Minimal debug info, critical for debugging segfaults on Big Endian systems)
 ENV DEBIAN_FRONTEND=noninteractive \
     CC=gcc \
     CXX=g++ \
-    CFLAGS="-O3 -fPIC -pipe" \
-    CXXFLAGS="-O3 -fPIC -pipe"
+    CFLAGS="-O3 -fPIC -fstack-protector-strong -Wformat -Werror=format-security -g1" \
+    CXXFLAGS="-O3 -fPIC -fstack-protector-strong -Wformat -Werror=format-security -g1" \
+    LDFLAGS="-Wl,-z,relro -Wl,-z,now"
 
 # Set up the time zone
-RUN export DEBIAN_FRONTEND=noninteractive && \
-    echo "tzdata tzdata/Areas select Asia" | debconf-set-selections && \
+RUN echo "tzdata tzdata/Areas select Asia" | debconf-set-selections && \
     echo "tzdata tzdata/Zones/Asia select Kolkata" | debconf-set-selections && \
     apt-get -qq update -y && \
     apt-get -qq -y install tzdata && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/*
+    apt-get clean && rm -rf /var/lib/apt/lists/*
 
-# Install dependencies
-RUN export DEBIAN_FRONTEND=noninteractive && \
-    pkgs="g++ gcc git libz-dev make pkg-config python3 sudo build-essential libffi-dev libssl-dev zlib1g-dev libncurses-dev libbz2-dev libreadline-dev libsqlite3-dev uuid-dev libgdbm-dev liblzma-dev tk-dev libmpdec-dev libbluetooth-dev"; \
+# [STABILITY] 3. Strict Dependency Installation
+# Removed the "|| echo WARNING" loop. If SSL fails, we MUST fail the build.
+RUN pkgs="curl wget g++ gcc git libz-dev make pkg-config python3 sudo build-essential libffi-dev libssl-dev zlib1g-dev libncurses-dev libbz2-dev libreadline-dev libsqlite3-dev uuid-dev libgdbm-dev liblzma-dev tk-dev libmpdec-dev libbluetooth-dev"; \
     apt-get -qq update -y && \
-    for pkg in $pkgs; do \
-    echo "-----------------------------------------"; \
-    echo "Attempting to install: $pkg"; \
-    apt-get -qq -y install "$pkg" || { \
-    echo "WARNING: Could not install '$pkg'. It might not be available for your system or there was an error."; \
-    echo "Continuing with the next package..."; \
-    }; \
-    done; \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/*
-
-# Clone and checkout the specified Python version
-RUN if [ ! -d /python-versions ]; then git clone https://github.com/actions/python-versions.git /python-versions; fi
-WORKDIR /python-versions
+    apt-get -qq -y install --no-install-recommends $pkgs && \
+    apt-get clean && rm -rf /var/lib/apt/lists/*
 
-RUN git checkout "${ACTIONS_PYTHON_VERSIONS}" && \
-    git submodule init && \
+# [SECURITY] 4. Install Trivy (for generating SBOM of the compiled binary)
+RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
 
-    git submodule update
+# Clone and checkout Python
+RUN if [ ! -d /python-versions ]; then git clone https://github.com/actions/python-versions.git /python-versions; fi
+WORKDIR /python-versions
+RUN git checkout "${ACTIONS_PYTHON_VERSIONS}" && git submodule init && git submodule update
 
-# Set up Python installation environment variables using build args
+# Set Env Vars
 ENV PYTHON_INSTALL_DIR=/opt/Python/${PYTHON_VERSION}/${TARGETARCH}
 ENV pythonLocation=${PYTHON_INSTALL_DIR}
-ENV Python_ROOT_DIR=${PYTHON_INSTALL_DIR}
-ENV Python3_ROOT_DIR=${PYTHON_INSTALL_DIR}
 ENV PKG_CONFIG_PATH=${PYTHON_INSTALL_DIR}/lib/pkgconfig
 ENV LD_LIBRARY_PATH=${PYTHON_INSTALL_DIR}/lib
 ENV PATH=${PYTHON_INSTALL_DIR}/bin:$PATH
-ENV RUNNER_TOOL_CACHE=/opt
-ENV AGENT_TOOLSDIRECTORY=/opt
 ENV RUNNER_TEMP=/tmp
-# Set MAKEFLAGS for parallel make in the RUN instruction
+
+# Build Python
+# Note: Verified that MAKEFLAGS handles parallel builds for s390x correctly
 RUN export MAKEFLAGS="-j $(nproc)" && pwsh ./builders/build-python.ps1 ${PYTHON_VERSION} linux ${TARGETARCH}
 
-# Run Python tests after build (ensure working directory is tests)
-WORKDIR ${RUNNER_TEMP}/work
-RUN bash setup.sh
+# [SECURITY] 5. Generate SBOM for the compiled artifact
+# This creates a JSON inventory of exactly what OpenSSL/SQLite versions are INSIDE the build
+RUN trivy fs --format cyclonedx --output /tmp/python-${PYTHON_VERSION}-${TARGETARCH}.sbom.json ${PYTHON_INSTALL_DIR}
+
+# [SECURITY] 6. Sanitize Artifacts
+# Remove pyc files, __pycache__, and test suites to reduce attack surface and size
+RUN find ${PYTHON_INSTALL_DIR} -name "*.pyc" -delete && \
+    find ${PYTHON_INSTALL_DIR} -name "__pycache__" -type d -exec rm -rf {} + && \
+    rm -rf ${PYTHON_INSTALL_DIR}/lib/python*/test && \
+    rm -rf ${PYTHON_INSTALL_DIR}/lib/python*/config-*-linux-gnu/libpython*.a
+
+# Run Tests
 WORKDIR /python-versions/tests
 RUN pwsh -Command "Install-Module -Name Pester -Force -Scope CurrentUser -SkipPublisherCheck"
-RUN cp $RUNNER_TEMP/work/build_output.txt $RUNNER_TEMP/
+# Handle potential missing build_output.txt gracefully or ensure it exists
+RUN cp $RUNNER_TEMP/work/build_output.txt $RUNNER_TEMP/ || touch $RUNNER_TEMP/build_output.txt
 RUN pwsh python-tests.ps1 ${PYTHON_VERSION} linux ${TARGETARCH}
 
 # ================= FINAL STAGE =====================
 FROM ubuntu:${UBUNTU_VERSION} AS final
 
 ARG UBUNTU_VERSION
-
-
-# Copy Python installation 
 ARG PYTHON_VERSION
 ARG TARGETARCH
+
+# [STABILITY] 7. Install Runtime Libraries
+# These MUST match the dev libraries used in the builder (Ubuntu 24.04 names)
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+    ca-certificates \
+    openssl \
+    libssl3 \
+    libffi8 \
+    libsqlite3-0 \
+    liblzma5 \
+    libbz2-1.0 \
+    zlib1g \
+    && rm -rf /var/lib/apt/lists/*
+
+# Copy Python Installation
 COPY --from=builder /opt/Python/${PYTHON_VERSION}/${TARGETARCH} /opt/Python/${PYTHON_VERSION}/${TARGETARCH}
 
-# Set up Python environment variables 
+# [SECURITY] 8. Copy SBOM (Transparency)
+# This file proves to security scanners what is inside the binary
+COPY --from=builder /tmp/python-${PYTHON_VERSION}-${TARGETARCH}.sbom.json /opt/python-sbom.json
+
+# Copy other artifacts
+COPY --from=builder /tmp/artifact /tmp/artifact
+
+# Clean up source tarball if copied over
+RUN rm -f /opt/Python/${PYTHON_VERSION}/${TARGETARCH}/Python-${PYTHON_VERSION}.tgz
+
+# Set Runtime Envs
 ENV PYTHON_INSTALL_DIR=/opt/Python/${PYTHON_VERSION}/${TARGETARCH}
 ENV pythonLocation=${PYTHON_INSTALL_DIR}
 ENV Python_ROOT_DIR=${PYTHON_INSTALL_DIR}
@@ -97,11 +121,5 @@ ENV PKG_CONFIG_PATH=${PYTHON_INSTALL_DIR}/lib/pkgconfig
 ENV LD_LIBRARY_PATH=${PYTHON_INSTALL_DIR}/lib
 ENV PATH=${PYTHON_INSTALL_DIR}/bin:$PATH
 
-# Copy artifacts
-COPY --from=builder /tmp/artifact /tmp/artifact
-
-#delete python source  code 
-RUN rm -f /opt/Python/${PYTHON_VERSION}/${TARGETARCH}/Python-${PYTHON_VERSION}.tgz
-
-HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 CMD python --version || exit 1
-CMD ["python"]
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 CMD python3 --version || exit 1
+CMD ["python3"]