Down to 39 crit vulnerabilities in docker image. Can't seem to get below that

Dockerfile

@@ -1,5 +1,8 @@
-FROM python:3.6.8
-MAINTAINER [email protected]
+#FROM python:3.6.8
+FROM python:3.9.13
+LABEL org.opencontainers.image.authors="ORIGINAL: [email protected]; THIS VERSION: [email protected]"
+LABEL org.opencontainers.image.documentation="https://github.com/markwilkinson/grlc/blob/master/README.md"
+RUN apt-get update && apt-get full-upgrade -y
 
 # Default values for env variables
 ARG GRLC_GITHUB_ACCESS_TOKEN=
@@ -22,13 +25,17 @@ ENV GRLC_INSTALL_DIR="${GRLC_HOME}/grlc" \
     GRLC_RUNTIME_DIR="${GRLC_CACHE_DIR}/runtime"
 
 RUN apt-get update \
- && DEBIAN_FRONTEND=noninteractive apt-get install -y nginx git-core logrotate python-pip locales gettext-base sudo build-essential apt-utils \
+ && DEBIAN_FRONTEND=noninteractive apt-get install -y nginx git-core logrotate python3-pip locales gettext-base sudo build-essential apt-utils \
  && update-locale LANG=C.UTF-8 LC_MESSAGES=POSIX \
  && locale-gen en_US.UTF-8 \
  && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales \
  && rm -rf /var/lib/apt/lists/*
 
-RUN curl -sL https://deb.nodesource.com/setup_10.x | sudo -E bash -
+RUN apt-get update && apt-get dist-upgrade -y
+
+
+RUN curl -sL https://deb.nodesource.com/setup_14.x | sudo -E bash -
+RUN chmod a+r /usr/share/keyrings/nodesource.gpg
 RUN apt-get update && apt-get install -y nodejs
 
 COPY ./ ${GRLC_INSTALL_DIR}
@@ -48,3 +55,4 @@ VOLUME ["${GRLC_DATA_DIR}", "${GRLC_LOG_DIR}"]
 WORKDIR ${GRLC_INSTALL_DIR}
 ENTRYPOINT ["/sbin/entrypoint.sh"]
 CMD ["app:start"]
+

README.md

@@ -1,9 +1,10 @@
 <p algin="center"><img src="https://raw.githubusercontent.com/CLARIAH/grlc/master/src/static/grlc_logo_01.png" width="250px"></p>
 
-[![PyPI version](https://badge.fury.io/py/grlc.svg)](https://badge.fury.io/py/grlc)
-[![DOI](https://zenodo.org/badge/46131212.svg)](https://zenodo.org/badge/latestdoi/46131212)
-[![Build Status](https://travis-ci.org/CLARIAH/grlc.svg?branch=master)](https://travis-ci.org/CLARIAH/grlc)
+# NOTE:  This is a highly crippled version of the original grlc server
 
+It is intended to be used in secure environments.  Specifically, the GitHub and YAML file integration has been disabled.  Only local queries will be available.
+
+## Original Documentation from https://raw.githubusercontent.com/CLARIAH/grlc/ is below
 
 grlc, the <b>g</b>it <b>r</b>epository <b>l</b>inked data API <b>c</b>onstructor, automatically builds Web APIs using shared SPARQL queries. http://grlc.io/
 

docker-assets/assets/build/install.sh

@@ -18,11 +18,14 @@ passwd -d ${GRLC_USER}
 
 cd ${GRLC_INSTALL_DIR}
 chown ${GRLC_USER}:${GRLC_USER} ${GRLC_HOME} -R
-
 pip install --upgrade pip
+pip install 'setuptools<58'
+pip install 'docutils'
 pip install .
 
-npm install git2prov
+#npm install git2prov
+#npm audit fix
+
 
 #move nginx logs to ${GITLAB_LOG_DIR}/nginx
 sed -i \
@@ -31,7 +34,7 @@ sed -i \
  /etc/nginx/nginx.conf
 
  # configure gitlab log rotation
- cat > /etc/logrotate.d/grlc << EOF
+ cat > /etc/logrotate.d/grlc << EOF1
  ${GRLC_LOG_DIR}/grlc/*.log {
    weekly
    missingok
@@ -41,10 +44,10 @@ sed -i \
    notifempty
    copytruncate
  }
- EOF
+EOF1
 
  # configure gitlab vhost log rotation
- cat > /etc/logrotate.d/grlc-nginx << EOF
+ cat > /etc/logrotate.d/grlc-nginx << EOF2
  ${GRLC_LOG_DIR}/nginx/*.log {
    weekly
    missingok
@@ -54,4 +57,4 @@ sed -i \
    notifempty
    copytruncate
  }
- EOF
+EOF2

requirements.txt

@@ -1,9 +1,10 @@
 docopt==0.6.2
-docutils==0.17.1
 Flask==1.0.2
-Flask-Cors==3.0.6
-gevent==1.4.0
-greenlet==0.4.15
+Flask-Cors==3.0.9
+urllib3==1.26.5
+itsdangerous==2.0.1
+gevent==21.12.0
+greenlet==1.1.0
 html5lib==1.0.1
 isodate==0.5.4
 keepalive==0.5
@@ -13,10 +14,9 @@ pyparsing==2.0.7
 PyYAML==5.4
 rdflib==5.0.0
 rdflib-jsonld==0.4.0
-requests==2.20.0
+requests
 six==1.12.0
 simplejson==3.16.0
-setuptools>=38.6.0
 SPARQLTransformer==2.1.1
 SPARQLWrapper==1.8.2
 werkzeug>=0.16.0

setup.py

@@ -55,5 +55,5 @@
     package_data = { 'grlc': grlc_data },
     include_package_data=True,
     data_files=[('citation/grlc', ['CITATION.cff'])],
-    python_requires='>=3.7, <=3.8',
+    python_requires='>=3.9, <=3.10',
 )

src/fileLoaders.py

@@ -71,13 +71,15 @@ def __init__(self, user, repo, subdir=None, sha=None, prov=None):
         self.subdir = (subdir + "/") if subdir else ""
         self.sha = sha if sha else NotSet
         self.prov = prov
-        gh = Github(static.ACCESS_TOKEN)
+        #gh = Github(static.ACCESS_TOKEN)
         try:
-            self.gh_repo = gh.get_repo(user + '/' + repo, lazy=False)
+            #self.gh_repo = gh.get_repo(user + '/' + repo, lazy=False)
+            raise Exception("GitHub Access is disabled for this grlc server")
         except BadCredentialsException:
             raise Exception('BadCredentials: have you set up github_access_token on config.ini ?')
         except Exception:
-            raise Exception('Repo not found: ' + user + '/' + repo)
+            raise Exception('GitHub Access has been disabled for this server' )
+#            raise Exception('Repo not found: ' + user + '/' + repo)
 
     def fetchFiles(self):
         """Returns a list of file items contained on the github repo."""
@@ -262,27 +264,32 @@ class URLLoader(BaseLoader):
     specification from a specification YAML file located on a remote server."""
 
     def __init__(self, spec_url):
-        """Create a new URLLoader.
-
-        Keyword arguments:
-        spec_url -- URL where the specification YAML file is located."""
-        headers = {'Accept' : 'text/yaml'}
-        resp = requests.get(spec_url, headers=headers)
-        if resp.status_code == 200:
-            self.spec = yaml.load(resp.text)
-            self.spec['url'] = spec_url
-            self.spec['files'] = {}
-            for queryUrl in self.spec['queries']:
-                queryNameExt = path.basename(queryUrl)
-                queryName = path.splitext(queryNameExt)[0] # Remove extention
-                item = {
-                    'name': queryName,
-                    'download_url': queryUrl
-                }
-                self.spec['files'][queryNameExt] = item
-            del self.spec['queries']
-        else:
-            raise Exception(resp.text)
+        try:
+            raise Exception("YAML file access is disabled for this grlc server")
+        except Exception:
+            raise Exception("YAML file access is disabled for this grlc server")
+
+        # """Create a new URLLoader.
+
+        # Keyword arguments:
+        # spec_url -- URL where the specification YAML file is located."""
+        # headers = {'Accept' : 'text/yaml'}
+        # resp = requests.get(spec_url, headers=headers)
+        # if resp.status_code == 200:
+        #     self.spec = yaml.load(resp.text)
+        #     self.spec['url'] = spec_url
+        #     self.spec['files'] = {}
+        #     for queryUrl in self.spec['queries']:
+        #         queryNameExt = path.basename(queryUrl)
+        #         queryName = path.splitext(queryNameExt)[0] # Remove extention
+        #         item = {
+        #             'name': queryName,
+        #             'download_url': queryUrl
+        #         }
+        #         self.spec['files'][queryNameExt] = item
+        #     del self.spec['queries']
+        # else:
+        #     raise Exception(resp.text)
 
     def fetchFiles(self):
         """Returns a list of file items contained on specification."""