From bd0e5b3bd3e918cbc11b6271990382d3091cf0f3 Mon Sep 17 00:00:00 2001
From: Ajay Mudgal
Date: Wed, 18 Mar 2026 15:10:25 +0000
Subject: [PATCH 1/4] Adding security fixes for OS only in docker images

---
 build/docker/lambda/Dockerfile | 4 ++++
 build/docker/tester/Dockerfile | 8 ++++++++
 2 files changed, 12 insertions(+)

diff --git a/build/docker/lambda/Dockerfile b/build/docker/lambda/Dockerfile
index e500a83a6..15b3e67f0 100644
--- a/build/docker/lambda/Dockerfile
+++ b/build/docker/lambda/Dockerfile
@@ -1,4 +1,8 @@
 FROM public.ecr.aws/lambda/python:3.14-arm64
+# Apply OS security updates only
+RUN dnf upgrade -y --security \
+ && dnf clean all \
+ && rm -rf /var/cache/dnf
 # Update Pip
 RUN python -m pip install --upgrade pip
 # Copy Python requirements
diff --git a/build/docker/tester/Dockerfile b/build/docker/tester/Dockerfile
index 115c692fd..c8cedbfb2 100644
--- a/build/docker/tester/Dockerfile
+++ b/build/docker/tester/Dockerfile
@@ -1,4 +1,12 @@
 FROM python:3.14
+# Apply OS security updates only
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends unattended-upgrades \
+ && unattended-upgrade -d \
+ && apt-get remove -y unattended-upgrades \
+ && apt-get autoremove -y \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
 # Update Pip
 RUN python -m pip install --upgrade pip
 # Copy Python requirements

From c2b66fc6312eae1dc4c7667033a2d5c9c3d1152c Mon Sep 17 00:00:00 2001
From: Ajay Mudgal
Date: Wed, 18 Mar 2026 15:59:36 +0000
Subject: [PATCH 2/4] Adding upgrades for all packages of OS

---
 build/docker/lambda/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/build/docker/lambda/Dockerfile b/build/docker/lambda/Dockerfile
index 15b3e67f0..2cb5e0e21 100644
--- a/build/docker/lambda/Dockerfile
+++ b/build/docker/lambda/Dockerfile
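Review bot: `apt-get remove -y unattended-upgrades` on the fifth added line of the tester hunk leaves the package's conffiles (its snippets under /etc/apt/apt.conf.d) in the final image, because remove does not delete configuration; `apt-get purge -y unattended-upgrades` drops them together with the binaries, which is what a one-shot build tool that should not survive into the image calls for. The `-d` in `unattended-upgrade -d` is debug verbosity, not a mode switch, so it only makes the build log larger. Whether a partially failed upgrade aborts the build depends on unattended-upgrade's exit status, which I have not verified here; if the image must not ship with a half-applied update, check the result explicitly rather than relying on the `&&` chain alone.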
@@ -1,6 +1,6 @@
 FROM public.ecr.aws/lambda/python:3.14-arm64
-# Apply OS security updates only
-RUN dnf upgrade -y --security \
+# Apply OS updates
+RUN dnf upgrade -y \
  && dnf clean all \
  && rm -rf /var/cache/dnf
 # Update Pip

From 220594a33a726a7448e818b56a6912dfb692fe61 Mon Sep 17 00:00:00 2001
From: Ajay Mudgal
Date: Wed, 18 Mar 2026 16:30:59 +0000
Subject: [PATCH 3/4] Fixing an issue with task env codebuild job

---
 .../task-env-deploy-and-test-buildspec.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/infrastructure/stacks/development-and-deployment-tools/batch-buildspecs/task-env-deploy-and-test-buildspec.yml b/infrastructure/stacks/development-and-deployment-tools/batch-buildspecs/task-env-deploy-and-test-buildspec.yml
index e703bcd9c..8662f4291 100644
--- a/infrastructure/stacks/development-and-deployment-tools/batch-buildspecs/task-env-deploy-and-test-buildspec.yml
+++ b/infrastructure/stacks/development-and-deployment-tools/batch-buildspecs/task-env-deploy-and-test-buildspec.yml
@@ -149,7 +149,7 @@ batch:
 PARALLEL_TEST_COUNT: 20
 buildspec: infrastructure/stacks/development-and-deployment-tools/batch-buildspecs/task-env-deploy-and-test-batch-jobs/integration-test.yml
 depend-on:
- - deploy
+ - deploy_cloudwatch_queries
 
 - identifier: integration_test_validation
 env:
@@ -163,7 +163,7 @@ batch:
 PARALLEL_TEST_COUNT: 40
 buildspec: infrastructure/stacks/development-and-deployment-tools/batch-buildspecs/task-env-deploy-and-test-batch-jobs/integration-test.yml
 depend-on:
- - deploy
+ - deploy_cloudwatch_queries
 
 - identifier: integration_test_opening_times
 env:
@@ -177,7 +177,7 @@ batch:
 PARALLEL_TEST_COUNT: 40
 buildspec: infrastructure/stacks/development-and-deployment-tools/batch-buildspecs/task-env-deploy-and-test-batch-jobs/integration-test.yml
 depend-on:
- - deploy
+ - deploy_cloudwatch_queries
 
 - identifier: integration_test_general
 env:
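Review bot: The new `RUN dnf upgrade -y` may apply far fewer updates than the commit title implies if this Lambda base is Amazon Linux 2023, which locks `releasever` to a dated release so that `dnf upgrade` only installs packages within that locked version; picking up newer fixes then needs `dnf upgrade -y --releasever=latest` or a newer base tag. I have not inspected the image's `/etc/dnf/vars/releasever`, so confirm this before treating the line as CVE remediation. Dropping `--security` also makes this image take full upgrades while the tester image in the same series stays security-only; a one-line comment giving the reason, e.g. `# Full dnf upgrade here; the tester image applies security updates only`, would keep a later reader from re-aligning the two by accident.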
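Review bot: Changing `depend-on` from `deploy` to `deploy_cloudwatch_queries` only keeps the integration tests ordered after `deploy` if `deploy_cloudwatch_queries` itself declares `depend-on: - deploy`; that job's definition is outside this hunk, so I cannot confirm the chain from here. If it does not, CodeBuild batch will start `integration_test_*` as soon as the CloudWatch queries job finishes, possibly against an environment that is still deploying. Listing both entries, `- deploy` and `- deploy_cloudwatch_queries`, makes the ordering explicit regardless of how the queries job is wired. The same edit is repeated for the other three integration_test_* entries in this patch.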
@@ -191,4 +191,4 @@ batch:
 PARALLEL_TEST_COUNT: 40
 buildspec: infrastructure/stacks/development-and-deployment-tools/batch-buildspecs/task-env-deploy-and-test-batch-jobs/integration-test.yml
 depend-on:
- - deploy
+ - deploy_cloudwatch_queries

From d49c64a39ffa87aecceafff06f1d9be8fd9d3325 Mon Sep 17 00:00:00 2001
From: Ajay Mudgal
Date: Wed, 18 Mar 2026 17:28:22 +0000
Subject: [PATCH 4/4] Fixing sonarcloud issue in dockerfile

---
 build/docker/lambda/Dockerfile | 7 +++----
 build/docker/tester/Dockerfile | 7 +++----
 2 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/build/docker/lambda/Dockerfile b/build/docker/lambda/Dockerfile
index 2cb5e0e21..b9b21af13 100644
--- a/build/docker/lambda/Dockerfile
+++ b/build/docker/lambda/Dockerfile
@@ -1,10 +1,9 @@
 FROM public.ecr.aws/lambda/python:3.14-arm64
-# Apply OS updates
+# Apply OS updates and update Pip
 RUN dnf upgrade -y \
  && dnf clean all \
- && rm -rf /var/cache/dnf
-# Update Pip
-RUN python -m pip install --upgrade pip
+ && rm -rf /var/cache/dnf \
+ && python -m pip install --upgrade pip
 # Copy Python requirements
 COPY assets/requirements.txt /
 # Install Python requirements
diff --git a/build/docker/tester/Dockerfile b/build/docker/tester/Dockerfile
index c8cedbfb2..aa18e783b 100644
--- a/build/docker/tester/Dockerfile
+++ b/build/docker/tester/Dockerfile
@@ -1,14 +1,13 @@
 FROM python:3.14
-# Apply OS security updates only
+# Apply OS security updates only and update Pip
 RUN apt-get update \
  && apt-get install -y --no-install-recommends unattended-upgrades \
  && unattended-upgrade -d \
  && apt-get remove -y unattended-upgrades \
  && apt-get autoremove -y \
  && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
-# Update Pip
-RUN python -m pip install --upgrade pip
+ && rm -rf /var/lib/apt/lists/* \
+ && python -m pip install --upgrade pip
 # Copy Python requirements
 COPY assets/requirements.txt /
 # Install Python requirements
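Review bot: The merged `python -m pip install --upgrade pip` on the last added line of the lambda hunk still fetches whatever pip is newest on PyPI at build time, so two builds of this Dockerfile can produce different images and the upgrade is not reviewable the way the requirements file that follows is; pinning it, e.g. `&& python -m pip install --no-cache-dir --upgrade 'pip==<version>'`, makes the change deliberate. `--no-cache-dir` (or `PIP_NO_CACHE_DIR=1`) matters here because this RUN carefully clears the dnf cache and then leaves pip's wheel cache under /root/.cache in the same layer. Folding the pip step into the OS-update layer also means a change to either invalidates the build cache for both; that is acceptable, but a short comment that the merge was made to satisfy the SonarCloud finding named in the commit would explain why the two steps share one RUN.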
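Review bot: The new comment `# Apply OS security updates only and update Pip` in the tester hunk may overstate what `unattended-upgrade -d` does: with Debian's stock 50unattended-upgrades config, the default Origins-Pattern matches the main stable archive label as well as the security suite, so point-release updates can be pulled in too. I have not checked the config shipped in this image, so verify against the build log before relying on the "security only" wording. If security-only is the requirement, drop an apt.conf.d snippet that restricts `Unattended-Upgrade::Origins-Pattern` to the security suite before the call; otherwise reword the comment to `# Apply OS updates via unattended-upgrades and update Pip`.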