Use --require-hashes for python requirements
Ensure that the dependencies being installed match expectations and
have not been tampered with.
Affects:
- gerrit docker image
- git-ssh docker image
Bug: Issue 16444
Change-Id: Iac0aa6db62c65a13225214461d11df517e958f1c
diff --git a/gerrit/Dockerfile b/gerrit/Dockerfile
index e5aac9d..a303aeb 100644
--- a/gerrit/Dockerfile
+++ b/gerrit/Dockerfile
@@ -17,7 +17,7 @@
RUN chown gerrit:gerrit /tmp/setup_gerrit.py
RUN chmod +x /tmp/setup_gerrit.py \
- && pip3 install -r /tmp/requirements.txt
+ && pip3 install --require-hashes --upgrade -r /tmp/requirements.txt
COPY plugins /var/gerrit/plugins
COPY lib /var/gerrit/lib
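Review bot: The new `pip3 install` line on the `+` side does not pass `--no-cache-dir`, so pip's download cache is written into this image layer; the same applies to the git-ssh Dockerfile hunk that installs from /tmp/requirements.txt, where the deleted bootstrap step had `--no-cache` and the replacement does not. Suggest `&& pip3 install --no-cache-dir --require-hashes --upgrade -r /tmp/requirements.txt` in both places. A short comment above the RUN would also help the next maintainer, since hash mode fails on any package that is not pinned: `# --require-hashes: every package, including transitive deps, must be pinned with a hash in requirements.txt`.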
@@ -38,8 +38,6 @@
RUN bash -c '[ "$GERRIT_WAR_URL" == "" ] || curl $GERRIT_WAR_URL > /var/gerrit/bin/gerrit.war'
-# Install AWS cli
-RUN pip3 install awscli --upgrade --user
ENV PATH ${PATH}:/var/gerrit/.local/bin
WORKDIR /var/gerrit
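Review bot: With the `--user` awscli install removed, `ENV PATH ${PATH}:/var/gerrit/.local/bin` on the following line may now be a leftover: awscli is installed by the earlier `pip3 install -r /tmp/requirements.txt`, and where its console script lands depends on which user that RUN executes as, which is outside this hunk. If that RUN is root, the script goes to a directory already on PATH and the `.local/bin` entry can be dropped; if it is gerrit, the entry is still needed and a comment saying so would avoid a later cleanup removing it. Either way the legacy space-separated form is deprecated and should become `ENV PATH=${PATH}:/var/gerrit/.local/bin`.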
diff --git a/gerrit/requirements.txt b/gerrit/requirements.txt
index 58ee30e..7a4854a 100644
--- a/gerrit/requirements.txt
+++ b/gerrit/requirements.txt
@@ -1,2 +1,15 @@
-boto3
-jinja2==2.11.1
+MarkupSafe==2.0.1 --hash=sha256:0446679737af14f45767963a1a9ef7620189912317d095f2d9ffa183a4d25d2b
+PyYAML==5.4.1 --hash=sha256:4e0583d24c881e14342eaf4ec5fbc97f934b999a6828693a99157fde912540cc
+awscli==1.24.10 --hash=sha256:392ad8d1791baa5f8cb829ce83cc4b5dc93a3de68ddc0380711601cb44e9c0a3
+boto3==1.23.10 --hash=sha256:40d08614f17a69075e175c02c5d5aab69a6153fd50e40fa7057b913ac7bf40e7
+botocore==1.26.10 --hash=sha256:8a4a984bf901ccefe40037da11ba2abd1ddbcb3b490a492b7f218509c99fc12f
+colorama==0.4.4 --hash=sha256:9f47eda37229f68eee03b24b9748937c7dc3868f906e8ba69fbcbdd3bc5dc3e2
+docutils==0.16 --hash=sha256:0c5b78adfbf7762415433f5515cd5c9e762339e23369dbe8000d84a4bf4ab3af
+jinja2==2.11.1 --hash=sha256:b0eaf100007721b5c16c1fc1eecb87409464edc10469ddc9a22a27a99123be49
+jmespath==0.10.0 --hash=sha256:cdf6525904cc597730141d61b36f2e4b8ecc257c420fa2f4549bac2c2d0cb72f
+pyasn1==0.4.8 --hash=sha256:39c7e2ec30515947ff4e87fb6f456dfc6e84857d34be479c9d4a4ba4bf46aa5d
+python-dateutil==2.8.2 --hash=sha256:961d03dc3453ebbc59dbdea9e4e11c5651520a876d0f4db161e8674aae935da9
+rsa==4.7.2 --hash=sha256:78f9a9bf4e7be0c5ded4583326e7461e3a3c5aae24073648b4bdfa797d78c9d2
+s3transfer==0.5.2 --hash=sha256:7a6f4c4d1fdb9a2b640244008e142cbc2cd3ae34b386584ef044dd0f27101971
+six==1.16.0 --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254
+urllib3==1.26.12 --hash=sha256:b930dd878d5a8afb066a637fbb35144fe7901e3b209d1cd4f524bd0e9deee997
\ No newline at end of file
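Review bot: Each requirement carries exactly one `--hash`, so pip accepts exactly one distribution file per package; for packages that publish platform-specific wheels alongside an sdist (MarkupSafe and PyYAML in this list), the build is tied to whichever single artifact that digest names, and a base-image or architecture change will make the install fail rather than fall back. I cannot tell from the digests alone which file each names, so the file should either list hashes for every artifact the build may legitimately pull (pip accepts several `--hash` per line, and `pip-compile --generate-hashes` emits them) or carry a comment naming the platform it was generated for. The same point applies to the git-ssh requirements.txt hunk. Both files also end without a trailing newline, which pip tolerates but which makes later diffs noisier than needed.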
diff --git a/primary-replica/git-ssh/Dockerfile b/primary-replica/git-ssh/Dockerfile
index 37061e8..32fe471 100644
--- a/primary-replica/git-ssh/Dockerfile
+++ b/primary-replica/git-ssh/Dockerfile
@@ -13,7 +13,6 @@
echo "**** install pip ****" && \
python3 -m ensurepip && \
rm -r /usr/lib/python*/ensurepip && \
- pip3 install --no-cache --upgrade pip setuptools wheel && \
if [ ! -e /usr/bin/pip ]; then ln -s pip3 /usr/bin/pip ; fi
RUN adduser --h /home/gerrit -D gerrit && \
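Review bot: Dropping `pip3 install --no-cache --upgrade pip setuptools wheel` means the pip that performs the hashed install later in this file is the one seeded by `python3 -m ensurepip`, whose version comes from the base image (outside this hunk), and `pip==22.3.1`, setuptools and wheel from requirements.txt are now installed by it rather than before it. That is presumably intended, since it keeps the bootstrap tools hash-pinned too, but it is not visible from the Dockerfile; a comment on the remaining `ensurepip` line such as `# pip/setuptools/wheel are upgraded from the hash-pinned requirements.txt below` would record the intent. The enclosing RUN starts before this hunk.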
@@ -26,7 +25,7 @@
RUN chown gerrit:gerrit /tmp/setup_ssh.py
RUN chmod +x /tmp/setup_ssh.py \
- && pip3 install -r /tmp/requirements.txt
+ && pip3 install --require-hashes --upgrade -r /tmp/requirements.txt
COPY ./entrypoint.sh /bin
diff --git a/primary-replica/git-ssh/requirements.txt b/primary-replica/git-ssh/requirements.txt
index 5223aff..d0878fb 100644
--- a/primary-replica/git-ssh/requirements.txt
+++ b/primary-replica/git-ssh/requirements.txt
@@ -1 +1,10 @@
-boto3==1.12.34
+boto3==1.23.10 --hash=sha256:40d08614f17a69075e175c02c5d5aab69a6153fd50e40fa7057b913ac7bf40e7
+botocore==1.26.10 --hash=sha256:8a4a984bf901ccefe40037da11ba2abd1ddbcb3b490a492b7f218509c99fc12f
+jmespath==0.10.0 --hash=sha256:cdf6525904cc597730141d61b36f2e4b8ecc257c420fa2f4549bac2c2d0cb72f
+pip==22.3.1 --hash=sha256:908c78e6bc29b676ede1c4d57981d490cb892eb45cd8c214ab6298125119e077
+python-dateutil==2.8.2 --hash=sha256:961d03dc3453ebbc59dbdea9e4e11c5651520a876d0f4db161e8674aae935da9
+s3transfer==0.5.2 --hash=sha256:7a6f4c4d1fdb9a2b640244008e142cbc2cd3ae34b386584ef044dd0f27101971
+setuptools==65.5.1 --hash=sha256:d0b9a8433464d5800cbe05094acf5c6d52a91bfac9b52bcfc4d41382be5d5d31
+six==1.16.0 --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254
+urllib3==1.26.12 --hash=sha256:b930dd878d5a8afb066a637fbb35144fe7901e3b209d1cd4f524bd0e9deee997
+wheel==0.38.4 --hash=sha256:b60533f3f5d530e971d6737ca6d58681ee434818fab630c83a734bb10c083ce8
\ No newline at end of file