Security upgrades for pcstac and pctiler (#214)

* Upgrade STAC libraries

* Updates for tiler

deployment/bin/deploy

@@ -60,9 +60,6 @@ fi
 
 require_env "IMAGE_TAG"
 require_env "GIT_COMMIT"
-require_env "ARM_CLIENT_ID"
-require_env "ARM_TENANT_ID"
-require_env "ARM_USE_OIDC"
 
 # Directory for rendered values and templates
 CONF_DIR='/opt/conf'

docker-compose.yml

@@ -101,7 +101,7 @@ services:
 
   azurite:
     container_name: pcapis-azurite
-    image: mcr.microsoft.com/azure-storage/azurite:3.29.0
+    image: mcr.microsoft.com/azure-storage/azurite:3.30.0
     hostname: azurite
     command: "azurite --silent --blobHost 0.0.0.0 --queueHost 0.0.0.0 --tableHost
       0.0.0.0 -l /workspace"

pccommon/requirements.txt

@@ -13,12 +13,14 @@ azure-core==1.30.1
     #   azure-data-tables
     #   azure-identity
     #   azure-storage-blob
-    #   msrest
-azure-data-tables==12.4.0
-    # via pccommon (pccommon/setup.py)
-azure-identity==1.7.1
+    #   opencensus-ext-azure
+azure-data-tables==12.5.0
     # via pccommon (pccommon/setup.py)
-azure-storage-blob==12.19.1
+azure-identity==1.16.0
+    # via
+    #   opencensus-ext-azure
+    #   pccommon (pccommon/setup.py)
+azure-storage-blob==12.20.0
     # via pccommon (pccommon/setup.py)
 beautifulsoup4==4.12.3
     # via html-sanitizer
@@ -27,9 +29,7 @@ cachetools==5.3.3
     #   google-auth
     #   pccommon (pccommon/setup.py)
 certifi==2024.2.2
-    # via
-    #   msrest
-    #   requests
+    # via requests
 cffi==1.16.0
     # via cryptography
 charset-normalizer==3.3.2
@@ -40,8 +40,6 @@ cryptography==42.0.5
     #   azure-storage-blob
     #   msal
     #   pyjwt
-deprecated==1.2.14
-    # via redis
 exceptiongroup==1.2.0
     # via anyio
 fastapi==0.90.1
@@ -52,47 +50,46 @@ google-auth==2.29.0
     # via google-api-core
 googleapis-common-protos==1.63.0
     # via google-api-core
-html-sanitizer==2.4.0
+html-sanitizer==2.4.4
     # via pccommon (pccommon/setup.py)
 idna==3.7
     # via
     #   anyio
     #   pccommon (pccommon/setup.py)
     #   requests
+    #   yarl
 isodate==0.6.1
     # via
+    #   azure-data-tables
     #   azure-storage-blob
-    #   msrest
-lxml[html-clean]==5.2.1
+lxml==5.2.1
     # via
     #   html-sanitizer
     #   lxml-html-clean
 lxml-html-clean==0.1.0
-    # via pccommon (pccommon/setup.py)
+    # via
+    #   html-sanitizer
+    #   pccommon (pccommon/setup.py)
 msal==1.28.0
     # via
     #   azure-identity
     #   msal-extensions
 msal-extensions==0.3.1
     # via azure-identity
-msrest==0.7.1
-    # via azure-data-tables
-oauthlib==3.2.2
-    # via requests-oauthlib
+multidict==6.0.5
+    # via yarl
 opencensus==0.11.4
     # via
     #   opencensus-ext-azure
     #   opencensus-ext-logging
 opencensus-context==0.1.3
     # via opencensus
-opencensus-ext-azure==1.0.8
+opencensus-ext-azure==1.1.13
     # via pccommon (pccommon/setup.py)
-opencensus-ext-logging==0.1.0
+opencensus-ext-logging==0.1.1
     # via pccommon (pccommon/setup.py)
-orjson==3.9.15
+orjson==3.10.4
     # via pccommon (pccommon/setup.py)
-packaging==24.0
-    # via redis
 portalocker==2.8.2
     # via msal-extensions
 proto-plus==1.23.0
@@ -120,24 +117,19 @@ pyhumps==3.5.3
     # via pccommon (pccommon/setup.py)
 pyjwt[crypto]==2.8.0
     # via msal
-redis==4.2.0rc1
+redis==4.6.0
     # via pccommon (pccommon/setup.py)
 requests==2.31.0
     # via
     #   azure-core
     #   google-api-core
     #   msal
-    #   msrest
     #   opencensus-ext-azure
-    #   requests-oauthlib
-requests-oauthlib==2.0.0
-    # via msrest
 rsa==4.9
     # via google-auth
 six==1.16.0
     # via
     #   azure-core
-    #   azure-identity
     #   isodate
     #   opencensus
 sniffio==1.3.1
@@ -154,13 +146,13 @@ typing-extensions==4.10.0
     # via
     #   anyio
     #   azure-core
+    #   azure-data-tables
     #   azure-storage-blob
     #   pydantic
-    #   redis
     #   starlette
 urllib3==2.2.1
     # via
     #   pccommon (pccommon/setup.py)
     #   requests
-wrapt==1.16.0
-    # via deprecated
+yarl==1.9.4
+    # via azure-data-tables

pccommon/setup.py

@@ -6,26 +6,26 @@
 inst_reqs = [
     "fastapi==0.90.1",
     "starlette>=0.22.0,<0.23.0",
-    "opencensus-ext-azure==1.0.8",
-    "opencensus-ext-logging==0.1.0",
-    "orjson>=3.9.15",
-    "azure-identity==1.7.1",
-    "azure-data-tables==12.4.0",
-    "azure-storage-blob>=12.19.1",
-    "pydantic>=1.9, <2.0.0",
+    "opencensus-ext-azure==1.1.13",
+    "opencensus-ext-logging==0.1.1",
+    "orjson>=3.10.4",
+    "azure-identity==1.16.0",
+    "azure-data-tables==12.5.0",
+    "azure-storage-blob>=12.20.0",
+    "pydantic>=1.10, <2.0.0",
     "cachetools~=5.3",
     "types-cachetools==4.2.9",
     "pyhumps==3.5.3",
-    "redis==4.2.0-rc1",
+    "redis==4.6.0",
     "idna>=3.7.0",
-    "html-sanitizer==2.4",
+    "html-sanitizer==2.4.4",
     # Soon available as lxml[html_clean]
     "lxml_html_clean==0.1.0",
     "urllib3>=1.26.18",
 ]
 
 extra_reqs = {
-    "test": ["pytest", "pytest-asyncio", "types-redis"],
+    "test": ["pytest", "pytest-asyncio", "types-redis", "types-requests"],
     "dev": ["pytest", "pytest-asyncio", "types-redis"],
 }
 

pcstac/Dockerfile

@@ -1,7 +1,7 @@
-FROM python:3.9-slim
+FROM mcr.microsoft.com/cbl-mariner/base/python:3.9
 
-RUN apt-get update && \
-    apt-get install -y build-essential git
+RUN tdnf install -y ca-certificates build-essential \
+    && tdnf clean all
 
 ENV CURL_CA_BUNDLE /etc/ssl/certs/ca-certificates.crt
 

pcstac/requirements-server.txt

@@ -56,7 +56,7 @@ iso8601==1.1.0
     # via stac-fastapi-types
 lark==0.12.0
     # via pygeofilter
-orjson==3.9.15
+orjson==3.10.4
     # via
     #   pcstac (pcstac/setup.py)
     #   pypgstac
@@ -87,7 +87,7 @@ pypgstac[psycopg]==0.7.10
     # via
     #   pcstac (pcstac/setup.py)
     #   stac-fastapi-pgstac
-pystac==1.9.0
+pystac==1.10.1
     # via
     #   pcstac (pcstac/setup.py)
     #   stac-fastapi-types

pcstac/setup.py

@@ -9,10 +9,10 @@
     "stac-fastapi.extensions==2.4.8",
     "stac-fastapi.pgstac==2.4.9",
     "stac-fastapi.types==2.4.8",
-    "orjson>=3.9.15",
+    "orjson==3.10.4",
     # Required due to some imports related to pypgstac CLI usage in startup script
     "pypgstac[psycopg]~=0.7",
-    "pystac>=1.9",
+    "pystac==1.10.1",
 ]
 
 extra_reqs = {

pctiler/Dockerfile

@@ -1,4 +1,7 @@
-FROM python:3.9-slim
+FROM mcr.microsoft.com/cbl-mariner/base/python:3.9
+
+RUN tdnf install -y ca-certificates build-essential \
+    && tdnf clean all
 
 WORKDIR /opt/src
 
@@ -7,14 +10,14 @@ COPY pctiler /opt/src/pctiler
 
 # Install the local modules in the new environment
 RUN --mount=type=cache,target=/root/.cache \
-    /bin/sh -c "python -m pip install -U 'setuptools>=65.5.1'"
+    /bin/sh -c "python3 -m pip install -U 'setuptools>=65.5.1'"
 # The order of these pip installs is important :(
 RUN --mount=type=cache,target=/root/.cache \
-    /bin/sh -c "python -m pip install -r ./pccommon/requirements.txt"
+    /bin/sh -c "python3 -m pip install -r ./pccommon/requirements.txt"
 RUN --mount=type=cache,target=/root/.cache \
-    /bin/sh -c "python -m pip install -r ./pctiler/requirements-server.txt"
+    /bin/sh -c "python3 -m pip install -r ./pctiler/requirements-server.txt"
 RUN --mount=type=cache,target=/root/.cache \
-    /bin/sh -c "python -m pip install --no-deps -e ./pccommon -e ./pctiler[server]"
+    /bin/sh -c "python3 -m pip install --no-deps -e ./pccommon -e ./pctiler[server]"
 
 # GDAL config
 ENV GDAL_CACHEMAX 200

pctiler/Dockerfile.dev

@@ -1,6 +1,6 @@
 FROM pc-apis-tiler
 
-RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash
+RUN tdnf install azure-cli -y
 
 COPY requirements-dev.txt requirements-dev.txt
 

pctiler/requirements-dev.txt

@@ -18,11 +18,11 @@ attrs==23.2.0
     #   morecantile
     #   rasterio
     #   rio-tiler
-boto3==1.34.71
+boto3==1.34.123
     # via
     #   pctiler (pctiler/setup.py)
     #   rio-tiler
-botocore==1.34.71
+botocore==1.34.123
     # via
     #   boto3
     #   pctiler (pctiler/setup.py)
@@ -62,6 +62,8 @@ cogeo-mosaic==5.0.0
     # via titiler-mosaic
 color-operations==0.1.3
     # via rio-tiler
+contourpy==1.2.1
+    # via matplotlib
 cycler==0.12.1
     # via matplotlib
 exceptiongroup==1.2.0
@@ -70,6 +72,8 @@ fastapi==0.91.0
     # via
     #   titiler-core
     #   titiler-pgstac
+fonttools==4.53.0
+    # via matplotlib
 geojson-pydantic==0.4.2
     # via
     #   pctiler (pctiler/setup.py)
@@ -90,7 +94,11 @@ idna==3.7
     #   httpx
     #   pctiler (pctiler/setup.py)
     #   requests
-jinja2==3.0.3
+importlib-metadata==7.1.0
+    # via rasterio
+importlib-resources==6.4.0
+    # via matplotlib
+jinja2==3.1.4
     # via
     #   pctiler (pctiler/setup.py)
     #   titiler-core
@@ -102,7 +110,7 @@ kiwisolver==1.4.5
     # via matplotlib
 markupsafe==2.1.5
     # via jinja2
-matplotlib==3.4.3
+matplotlib==3.9.0
     # via pctiler (pctiler/setup.py)
 mercantile==1.2.1
     # via supermercado
@@ -115,6 +123,7 @@ numexpr==2.9.0
 numpy==1.26.4
     # via
     #   color-operations
+    #   contourpy
     #   matplotlib
     #   numexpr
     #   rasterio
@@ -123,8 +132,10 @@ numpy==1.26.4
     #   snuggs
     #   supermercado
     #   titiler-core
-orjson==3.9.15
+orjson==3.10.4
     # via pctiler (pctiler/setup.py)
+packaging==24.1
+    # via matplotlib
 pillow==10.3.0
     # via
     #   matplotlib
@@ -154,7 +165,7 @@ pyparsing==3.1.2
     #   snuggs
 pyproj==3.6.1
     # via morecantile
-pystac==1.7.1
+pystac==1.10.1
     # via
     #   pctiler (pctiler/setup.py)
     #   planetary-computer
@@ -172,7 +183,7 @@ python-dotenv==1.0.1
     # via pydantic
 pytz==2024.1
     # via planetary-computer
-rasterio==1.3.9
+rasterio==1.3.10
     # via
     #   cogeo-mosaic
     #   pctiler (pctiler/setup.py)
@@ -235,6 +246,10 @@ urllib3==1.26.18
     # via
     #   botocore
     #   requests
+zipp==3.19.2
+    # via
+    #   importlib-metadata
+    #   importlib-resources
 
 # The following packages are considered to be unsafe in a requirements file:
 # setuptools