diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 00000000..20c477ef
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,14 @@
+venv
+build
+dist
+deployment
+test-reports
+**/tests
+.semgrep
+.idea
+.github
+.eggs
+.pre-commit-config.yaml
+*.egg-info/
+**/*.zip
+**/*.7z
\ No newline at end of file
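Review bot: The ignore list never excludes `.git`, `.env` or key/certificate files, so `COPY . .` in deployment/Dockerfile.application pulls the full repository history and any local secret files into the build stage; only site-packages and two scripts reach the final stage, so this is a context-size and cache-invalidation issue rather than a leak, but the intent should be explicit. setuptools-scm (pinned in setup.py) presumably needs `.git` to compute the version, so it likely cannot be excluded outright; add `# .git is intentionally kept: setuptools-scm derives the version from it` and consider adding `.env`, `*.pem` and `*.key` so local credentials never enter the context. The file also lacks a trailing newline.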
diff --git a/.github/actions/install-startleft/action.yml b/.github/actions/install-startleft/action.yml
index a27a7d2f..ac7d8ace 100644
--- a/.github/actions/install-startleft/action.yml
+++ b/.github/actions/install-startleft/action.yml
@@ -14,27 +14,19 @@ runs:
with:
python-version: ${{ inputs.python-version }}
- - name: Update pip version to 23.0.1
- run: python -m pip install --use-pep517 --upgrade pip==23.0.1
+ - name: Ensure pip is up-to-date
+ run: python -m ensurepip --upgrade
+ shell: bash
+
+ - name: Upgrade setuptools for compatibility with setuptools-scm
+ run: python -m pip install --upgrade setuptools
shell: bash
- name: Setup Graphviz
uses: ts-graphviz/setup-graphviz@55fcdfa9328aed658432c22011bec2873cd8e69f # Securely point to hash commit for v1
- - name: Configure Graphviz in Windows
- if: runner.os == 'Windows'
- shell: bash
- run: |
- pip install --global-option=build_ext --global-option="-IC:\Program files\Graphviz\include" --global-option="-LC:\Program files\Graphviz\lib" pygraphviz==1.10
- echo "C:\Program Files\Graphviz\bin" >> $GITHUB_PATH
-
- name: Install dependencies
- run: pip install -e ".[setup,test]"
+ run: python -m pip install . && python -m pip install -e ".[setup,test]"
shell: bash
- # This step MUST be after the general installation of StartLeft
- - name: Install libmagic in Windows
- if: runner.os == 'Windows'
- run: pip install python-magic-bin
- shell: bash
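Review bot: The `python -m pip install --upgrade setuptools` step (new line 36) is unpinned, so CI floats to whatever release is current on the day the job runs; setup.py in this same commit pins `setuptools==70.3.0`, so the two disagree as soon as a newer release exists, and an unpinned build-time dependency is exactly what supply-chain review flags. Pin it to the same version, `run: python -m pip install --upgrade 'setuptools==70.3.0'`, and note in the step name why it is needed for setuptools-scm. Also `python -m ensurepip --upgrade` only installs the pip wheel bundled with the interpreter, not the latest pip, so the step name "Ensure pip is up-to-date" overstates what it does; if a current pip is wanted, keep the previous explicit `pip install --upgrade pip==<version>` form. The `pip install .` followed by `pip install -e ".[setup,test]"` installs the package twice; if the first install is only there to trigger the build, a comment saying so would help.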
diff --git a/.github/workflows/qa.yml b/.github/workflows/qa.yml
index bf44690a..019de386 100644
--- a/.github/workflows/qa.yml
+++ b/.github/workflows/qa.yml
@@ -20,8 +20,8 @@ jobs:
name: StartLeft Tests
strategy:
matrix:
- os: [ ubuntu-latest, windows-latest ]
- python-version: [ "3.9", "3.10", "3.11" ]
+ os: [ ubuntu-latest ]
+ python-version: [ "3.10", "3.11", "3.12"]
uses: ./.github/workflows/test.yml
with:
os: ${{ matrix.os }}
diff --git a/deployment/Dockerfile.application b/deployment/Dockerfile.application
index baf20945..f7a40c71 100644
--- a/deployment/Dockerfile.application
+++ b/deployment/Dockerfile.application
@@ -1,31 +1,25 @@
-FROM python:3.11-alpine AS startleft-base
+FROM python:3.12-alpine3.21 AS startleft-base
-WORKDIR /usr/src/app
-
-RUN apk update && \
- apk upgrade && \
- apk add --repository=https://dl-cdn.alpinelinux.org/alpine/v3.20/main --repository=https://dl-cdn.alpinelinux.org/alpine/v3.20/community \
- g++~=13.2 gcc~=13.2 gfortran~=13.2 libgcc~=13.2 libstdc++~=13.2 && \
- apk --no-cache add geos geos-dev git graphviz-dev lapack lapack-dev libmagic musl-dev py3-pybind11-dev re2 re2-dev
+WORKDIR /app
COPY . .
-RUN pip install --upgrade pip && pip install .
+RUN apk -U upgrade && \
+ apk add --no-cache cblas geos git lapack libmagic py3-pygraphviz py3-re2 py3-shapely re2 && \
+ cp -R /usr/lib/python3.12/site-packages /usr/local/lib/python3.12/ && \
+ pip install --upgrade pip && pip install .
-FROM python:3.11-alpine
+FROM python:3.12-alpine3.21
-WORKDIR /app
-
-RUN apk update && \
- apk upgrade && \
- apk --no-cache add cblas geos graphviz-dev lapack libmagic re2 && \
+RUN apk -U upgrade && \
+ apk add --no-cache libmagic py3-pygraphviz py3-re2 py3-shapely && \
adduser --disabled-password --no-create-home startleft && \
- rm -rf /usr/local/lib/python3.11/site-packages
-
-COPY --from=startleft-base /usr/local/lib/python3.11/site-packages /usr/local/lib/python3.11/site-packages
+ rm -Rf /usr/local/lib/python3.12/site-packages
+COPY --from=startleft-base /usr/local/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages
COPY --from=startleft-base /usr/local/bin/startleft /usr/local/bin/startleft
+COPY --from=startleft-base /usr/local/bin/uvicorn /usr/local/bin/uvicorn
USER startleft
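Review bot: The `cp -R /usr/lib/python3.12/site-packages /usr/local/lib/python3.12/` on line 90 overlays Alpine's apk-managed Python modules onto the official image's pip-managed site-packages before `pip install .` runs, so which pygraphviz/shapely/re2 builds actually ship is decided by the alpine3.21 repository rather than by the pins in setup.py, and pip may or may not accept what it finds there; that makes the image hard to reproduce and hard for SBOM/vulnerability scanners to attribute correctly. Document the intent above that line, e.g. `# Reuse Alpine's prebuilt pygraphviz/re2/shapely; their versions follow alpine3.21, not setup.py`, and add a `pip check` after the install so a mismatch fails the build instead of surfacing at runtime. Separately, `COPY . .` on line 86 precedes the `apk add` layer, so every source change re-runs the package installation; moving the COPY after the apk step restores caching, and `pip install --upgrade pip` is unpinned, the same reproducibility concern as in the CI action. Running the final stage as `startleft` is the right call; anything after `USER startleft` (an ENTRYPOINT/CMD) is outside this hunk.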
diff --git a/setup.py b/setup.py
index dcc6d3c8..58cff643 100644
--- a/setup.py
+++ b/setup.py
@@ -3,6 +3,7 @@
from startleft.startleft._version.local_scheme import guess_startleft_semver_suffix
from startleft.startleft._version.version_scheme import guess_startleft_semver
+
setup(
name='startleft',
description='Parse Infrastructure as Code files to the Open Threat Model format and upload them to IriusRisk',
@@ -13,7 +14,7 @@
keywords=['threat modeling', 'cyber security', 'appsec'],
packages=find_packages(),
include_package_data=True,
- python_requires='>= 3.9, <= 3.12',
+ python_requires='>= 3.10, < 3.13',
install_requires=[
'pyyaml==6.0.1',
'jsonschema==4.19.0',
@@ -22,22 +23,22 @@
'python-hcl2==4.3.2',
'requests==2.32.3',
'fastapi>=0.115.2,<0.116.0',
- 'python-multipart==0.0.18',
+ "python-multipart==0.0.19",
'click==8.1.7',
'uvicorn==0.23.2',
- 'shapely==2.0.1',
- 'vsdx==0.5.13',
+ 'vsdx==0.5.19',
'python-magic==0.4.27',
'setuptools==70.3.0',
'setuptools-scm==8.1.0',
'defusedxml==0.7.1',
'networkx==3.1',
- 'dependency-injector==4.41.0',
- 'google-re2==1.0',
+ 'dependency-injector==4.46.0',
'xmlschema==2.5.0',
'word2number==1.1',
- # Do not upgrade pygraphviz unless security issues because it is heavily dependent on the underlying OS
- 'pygraphviz==1.10',
+ # These dependencies are heavily dependent on the underlying OS
+ 'pygraphviz==1.13',
+ 'shapely==2.0.6',
+ 'google-re2',
# Numpy is a transitive dependency of fastapi, requests and python-multipart
# They require different v1 versions, while v2 versions lead to import errors
'numpy<2.0'
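Review bot: `'google-re2'` on line 156 is the only entry in install_requires without a version, so `pip install .` resolves it to whatever is newest at build time — a reproducibility and supply-chain gap in an otherwise fully pinned list, and a regression from the previous `google-re2==1.0`. If the intent is to accept the version Alpine's `py3-re2` supplies in the Docker build, say so and still bound it, e.g. `'google-re2>=1.0,<2',  # version follows the OS package, see deployment/Dockerfile.application`. The comment on line 153 would also be clearer if it kept the old warning that these packages should not be bumped casually, since the Dockerfile now depends on matching Alpine versions. Minor style: `"python-multipart==0.0.19"` on line 135 uses double quotes while every neighbour uses single quotes.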
diff --git a/slp_drawio/resources/schemas/drawio_schema.xsd b/slp_drawio/resources/schemas/drawio_schema.xsd
index 7829f011..1332f294 100644
--- a/slp_drawio/resources/schemas/drawio_schema.xsd
+++ b/slp_drawio/resources/schemas/drawio_schema.xsd
@@ -66,6 +66,7 @@
+