Make Debian slim the base image for Dependency Scanning for Python
Problem to solve
Currently the Docker image used to perform Dependency Scanning on Python projects is based on Alpine Linux, but this base image is not manylinux2010 compatible, so many Python dependencies cannot be installed, which makes Dependency Scanning fail. Switching to Debian slim would solve this and make the scanner support more Python projects. See conclusion of preliminary study.
Intended users
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
Further details
Dependency Scanning for Python is implemented in the gemnasium-python project. It is available as a Docker image, and its base image is python:3.6-alpine. Alpine Linux is not manylinux2010 compatible, and many Python wheels cannot be installed. Switching to Debian makes it possible to install packages like Pillow using manylinux1_x86_64 binary wheels. See #13694 (comment 222160347)
The official Debian image is much bigger than Alpine Linux. The slim variant of Debian is also bigger than Alpine Linux, but the difference is less than 100 MB.
The installation of Python packages is needed for Python projects having no supported dependency lock file. For instance, it is required when the Python project uses pip, and the pip requirements file is not a lock file.
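The reason the musl-based Alpine image fails where Debian slim succeeds can be made concrete by checking wheel platform tags against the host C library. The following is an added example written for this issue, not gemnasium-python's own code; it assumes the glibc thresholds defined by PEP 513, PEP 571 and PEP 599 for manylinux1, manylinux2010 and manylinux2014, and the wheel filenames and the glibc version 2.28 used for the Debian side are constructed sample values.

```python
"""Decide whether a binary wheel can be installed on a given C library.

pip only selects a wheel whose platform tag the interpreter advertises. The
manylinux tags are advertised only on glibc systems that meet a minimum glibc
version; musl (Alpine) advertises none of them, so pip falls back to building
from the source distribution, which is what breaks the scanner for packages
such as Pillow.
"""
import platform
import re

# Minimum glibc version required by each manylinux policy (PEP 513/571/599).
MANYLINUX_GLIBC_MIN = {
    "manylinux1": (2, 5),
    "manylinux2010": (2, 12),
    "manylinux2014": (2, 17),
}

# Wheel filename layout from PEP 427:
# {name}-{version}(-{build})?-{python tag}-{abi tag}-{platform tag}.whl
WHEEL_RE = re.compile(
    r"^(?P<name>[^-]+)-(?P<ver>[^-]+)(-(?P<build>\d[^-]*))?"
    r"-(?P<py>[^-]+)-(?P<abi>[^-]+)-(?P<plat>[^-]+)\.whl$"
)


def supported_manylinux_tags(libc, libc_version, arch="x86_64"):
    """Return the manylinux platform tags a host with this libc can honour.

    libc is the name reported by platform.libc_ver() ("glibc", or "" when the
    interpreter is not linked against glibc, e.g. on musl); libc_version is a
    "major.minor" string. Anything that is not glibc gets an empty list.
    """
    if libc != "glibc":
        return []
    try:
        major, minor = (int(x) for x in libc_version.split(".")[:2])
    except ValueError:
        return []
    have = (major, minor)
    return [f"{tag}_{arch}" for tag, need in MANYLINUX_GLIBC_MIN.items() if have >= need]


def wheel_platform_tags(filename):
    """Extract the platform tag(s) from a wheel filename.

    A wheel may carry several compressed tags joined by '.', e.g.
    'manylinux1_x86_64.manylinux2010_x86_64'.
    """
    match = WHEEL_RE.match(filename)
    if not match:
        raise ValueError(f"not a valid wheel filename: {filename!r}")
    return match.group("plat").split(".")


def can_install_binary(filename, libc, libc_version, arch="x86_64"):
    """True if pip could pick this wheel on the given host instead of building from source."""
    tags = wheel_platform_tags(filename)
    if "any" in tags:
        # Pure-Python wheel: no C library involved at all.
        return True
    supported = set(supported_manylinux_tags(libc, libc_version, arch))
    return any(tag in supported for tag in tags)


def host_libc():
    """Probe the interpreter actually running this script.

    platform.libc_ver() returns ('', '') when the binary is not linked against
    glibc, which is the case inside python:3.6-alpine.
    """
    return platform.libc_ver()


if __name__ == "__main__":
    # Constructed sample wheel: a Pillow manylinux1 binary for CPython 3.6.
    pillow_wheel = "Pillow-7.0.0-cp36-cp36m-manylinux1_x86_64.whl"
    # Debian slim (constructed glibc version) versus Alpine (musl, no glibc).
    for label, libc, ver in (("debian-slim", "glibc", "2.28"), ("alpine", "", "")):
        print(label, supported_manylinux_tags(libc, ver),
              "installs Pillow wheel:", can_install_binary(pillow_wheel, libc, ver))
    print("this host:", host_libc())
```

Running the script inside the two candidate base images reproduces the behaviour described above: the glibc host lists all three manylinux tags and accepts the Pillow wheel, while the musl host lists none and pip would have to compile Pillow from source.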
Proposal
Change the base image of gemnasium-python to Debian slim. The change would result in a 250 MB Docker image, compared to 170 MB for the Alpine based image. See gitlab-org/security-products/analyzers/gemnasium-python!37 (comment 263938092)
This has already been implemented in gitlab-org/security-products/analyzers/gemnasium-python!37 (merged)
Permissions and Security
Same
Documentation
None
Testing
Add the Pillow dependency to the Python test projects used for QA, to prove manylinux compatibility.
What does success look like, and how can we measure that?
GitLab Dependency Scanning can scan most Python projects (if versions of Python and pip are compatible), and doesn't break because it cannot install a broadly used Python package.
What is the type of buyer?
Links / references
See conclusion of preliminary study.
See https://pythonspeed.com/articles/base-image-python-docker-images/