Conversation

@kiblik kiblik (Contributor) commented May 28, 2024

Same as #10280 but for Debian

@kiblik kiblik marked this pull request as draft May 28, 2024 19:40
dryrunsecurity bot commented May 28, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security analyzer results (analyzer: findings):
  Configured Codepaths Analyzer: 0 findings
  Sensitive Files Analyzer: 0 findings
  AppSec Analyzer: 0 findings
  Authn/Authz Analyzer: 0 findings
  Secrets Analyzer: 0 findings

Note: 🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The provided code changes involve updates to several Dockerfiles used for the application's integration tests and deployment environments. The key changes include:

  1. Base Image Updates: The base Docker images have been updated from python:3.11.9-slim-bullseye to python:3.11.9-slim-bookworm, indicating a move from Debian Bullseye to the newer Debian Bookworm distribution. This is a common practice to ensure the environment is up-to-date and has the latest security patches.

  2. Dependency Management: The Dockerfiles install various system dependencies, such as libraries for Google Chrome, MySQL, PostgreSQL, and other tools. Reviewing the dependencies and ensuring they are up-to-date is crucial for maintaining the application's security posture.

  3. Security-Conscious Practices: The Dockerfiles demonstrate several security-conscious practices, including setting up a dedicated user with limited privileges, managing environment variables, and properly setting file permissions. These measures help reduce the potential impact of any vulnerabilities in the application or its dependencies.

  4. Testing Integration: The Dockerfiles include a separate stage for running unit tests, which is a recommended practice for ensuring the application's functionality and security.

Overall, the changes in these Dockerfiles appear to be routine updates and improvements to the application's deployment and testing environments, with a focus on maintaining security best practices and keeping the underlying dependencies up-to-date.

Files Changed:

  1. Dockerfile.integration-tests-debian:
    • Updated the base image from python:3.11.9-slim-bullseye to python:3.11.9-slim-bookworm.
    • Installed additional dependencies, such as libxi6, libgconf-2-4, and libxss1, likely related to the integration tests.

  2. Dockerfile.nginx-debian:
    • Updated the base image from python:3.11.9-slim-bullseye to python:3.11.9-slim-bookworm.
    • Installed various dependencies, including gcc, build-essential, dnsutils, and others.
    • Generated Python package wheels and installed Node.js and Yarn.
    • Configured the Nginx web server and included an entrypoint script.

  3. Dockerfile.django-debian:
    • Updated the base image from python:3.11.9-slim-bullseye to python:3.11.9-slim-bookworm.
    • Updated the versions of some dependencies, such as libtiff5 to libtiff6.
    • Set up a dedicated user with limited privileges to run the application.
    • Managed environment variables and set appropriate file permissions.
    • Included a separate stage for running unit tests.

Powered by DryRun Security

@kiblik kiblik marked this pull request as ready for review May 28, 2024 19:48
@mtesauro mtesauro (Contributor) left a comment

Approved

Maffooch previously approved these changes Jun 3, 2024
@Maffooch Maffooch dismissed their stale review June 3, 2024 14:44

@kiblik I didn't notice the change to bookworm until conflicts, but isn't bullseye the more stable/tested than bookworm? I would rather we stick with bullseye unless there was something we really needed in bookworm that is not in bullseye. I think #10280 covers the version upgrade, right?


github-actions bot commented Jun 3, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.


github-actions bot commented Jun 3, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.

@kiblik kiblik (Contributor, Author) commented Jun 3, 2024

@kiblik I didn't notice the change to bookworm until conflicts, but isn't bullseye the more stable/tested than bookworm? I would rather we stick with bullseye unless there was something we really needed in bookworm that is not in bullseye. I think #10280 covers the version upgrade, right?

@Maffooch

Debian 12 (bookworm) — current stable release
Debian 11 (bullseye) — current oldstable release
Source: https://www.debian.org/releases/

Debian 12.5 was released on February 10th, 2024. Debian 12.0 was initially released on June 10th, 2023.
Source: https://www.debian.org/releases/bookworm/

Debian 11 has been superseded by Debian 12 (bookworm).
Source: https://www.debian.org/releases/bullseye/

#10280 upgraded all Pythons to the latest 3.11 (which is 3.11.9 right now) and Alpines to 3.20.
In my opinion, if we upgraded Alpine to the latest, we might as well upgrade Debian too.
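A way to catch this kind of base-image drift automatically, as an added example that is not part of the PR or the DefectDojo code base: the script below parses Dockerfile FROM lines, flags images still pinned to a Debian codename that is no longer stable, and reports apt packages the summary above notes were renamed between releases. The release table and the sample Dockerfile are constructed from facts quoted in this thread (June 2024), not fetched live.

```python
"""Flag Dockerfile base images pinned to a Debian release that is no longer stable,
and apt packages renamed between releases.  Added example, not the PR's own code."""
import re

# Release status as quoted from debian.org in the thread (constructed, not fetched live).
DEBIAN_STATUS = {
    "bookworm": "stable",     # Debian 12
    "bullseye": "oldstable",  # Debian 11
}

# Package renames the PR summary mentions when moving bullseye -> bookworm.
RENAMED_PACKAGES = {"libtiff5": "libtiff6"}

# FROM [--platform=...] <image> [AS <alias>]  (one per line, case-insensitive)
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?",
    re.IGNORECASE | re.MULTILINE,
)
CODENAME_RE = re.compile("|".join(DEBIAN_STATUS))


def audit_base_images(dockerfile_text):
    """Return (image, codename, status) for every FROM image on a non-stable Debian."""
    aliases, findings = set(), []
    for image, alias in FROM_RE.findall(dockerfile_text):
        if alias:
            aliases.add(alias.lower())
        if image.lower() in aliases:
            continue  # refers to an earlier build stage, not a registry image
        match = CODENAME_RE.search(image)
        if match is None:
            continue  # not a Debian-suffixed tag we know about (e.g. alpine:3.20)
        status = DEBIAN_STATUS[match.group(0)]
        if status != "stable":
            findings.append((image, match.group(0), status))
    return findings


def renamed_packages(dockerfile_text):
    """Return (old, new) pairs for installed packages that were renamed on bookworm."""
    return [(old, new) for old, new in RENAMED_PACKAGES.items()
            if re.search(rf"\b{re.escape(old)}\b", dockerfile_text)]


# Constructed sample modelled on the PR's "before" state (not the real Dockerfile).
SAMPLE = """\
FROM python:3.11.9-slim-bullseye AS base
RUN apt-get update && apt-get install -y --no-install-recommends libtiff5
FROM base AS unit-tests
FROM python:3.11.9-slim-bookworm
"""
```

Running `audit_base_images(SAMPLE)` reports only the bullseye stage, since `FROM base AS unit-tests` is recognised as a stage reference rather than a registry image.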

@kiblik kiblik requested a review from Maffooch June 3, 2024 15:43
@Maffooch Maffooch merged commit 9da1f7b into DefectDojo:bugfix Jun 3, 2024
@kiblik kiblik deleted the bump_debian branch June 3, 2024 19:03