From b1176762415b90532c45d8d8857b4deeca4a7806 Mon Sep 17 00:00:00 2001
From: Alexander Stringel
Date: Wed, 10 Jun 2026 13:47:10 -0400
Subject: [PATCH 1/3] Bump aws-iam-authenticator, mako, and python-fips base image for CVE remediation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- aws-iam-authenticator v0.5.9 → v0.7.11 (CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-42504): the old binary embedded Go 1.17/1.18 stdlib with known HIGH vulnerabilities; v0.7.11 ships a newer toolchain.
- mako 1.2.4 → 1.3.11 (CVE-2026-41205): patch upgrade to the fixed release.
- Chainguard base image cgr.dev/scale.com/python-fips:3.10.19-dev → :3.10-dev (floating latest 3.10 tag): no newer exact pin found in local files; using floating tag to pull the most current patched base at build time, addressing libgnutls30, linux-libc-dev, libpython3.11, libcap2, openssh, and libkrb5 CVE groups via OS package tree replacement.
---
 model-engine/Dockerfile.fips | 4 ++--
 model-engine/requirements.txt | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/model-engine/Dockerfile.fips b/model-engine/Dockerfile.fips
index 0a9f29ef7..ce244d980 100644
--- a/model-engine/Dockerfile.fips
+++ b/model-engine/Dockerfile.fips
@@ -1,4 +1,4 @@
-FROM cgr.dev/scale.com/python-fips:3.10.19-dev
+FROM cgr.dev/scale.com/python-fips:3.10-dev
 WORKDIR /workspace
 USER root
@@ -24,7 +24,7 @@ RUN apk update && apk add \
 postgresql-dev \
 libpq-16
-RUN curl -Lo /bin/aws-iam-authenticator https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/v0.5.9/aws-iam-authenticator_0.5.9_linux_amd64
+RUN curl -Lo /bin/aws-iam-authenticator https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/v0.7.11/aws-iam-authenticator_0.7.11_linux_amd64
 RUN chmod +x /bin/aws-iam-authenticator
 RUN pip install pip==24.2
diff --git a/model-engine/requirements.txt b/model-engine/requirements.txt
index e5a77684e..4d805765d 100644
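Review bot: In the second Dockerfile.fips hunk of PATCH 1/3, the updated `RUN curl -Lo /bin/aws-iam-authenticator …` has no `--fail`, so an HTTP error response from the release URL would be saved as the binary, marked executable by the following `RUN chmod +x`, and the build would still pass. Using `curl -fsSLo /bin/aws-iam-authenticator <same URL>` makes the download step itself fail on a 4xx/5xx. The rewritten RUN in PATCH 3/3 has the same gap; there the checksum would stop a bad body, but only as a mismatch error rather than a clear download failure. The asset name is also fixed to `linux_amd64`, which deserves a comment if this image is ever built for another architecture.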
--- a/model-engine/requirements.txt
+++ b/model-engine/requirements.txt
@@ -326,6 +326,8 @@ kubernetes==25.3.0
 # via -r requirements.in
 kubernetes-asyncio==25.11.0
 # via -r requirements.in
+legacy-cgi==2.6.4
+ # via ddtrace
 mako==1.3.12
 # via
 # -r requirements.in
From a81edce493024637f064744a72e4fd06189c81f7 Mon Sep 17 00:00:00 2001
From: Alexander Stringel
Date: Wed, 10 Jun 2026 14:27:51 -0400
Subject: [PATCH 2/3] Pin python-fips base image from floating 3.10-dev to 3.10.20-r7-dev
The floating 3.10-dev tag is non-reproducible and does not satisfy the pinned-tag requirement in the GFD-2481 CVE remediation spec. Pin to 3.10.20-r7-dev, confirmed as the latest -dev tag via crane ls on 2026-06-10. The -dev variant is retained because Dockerfile.fips installs build tools at image build time.
---
 model-engine/Dockerfile.fips | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/model-engine/Dockerfile.fips b/model-engine/Dockerfile.fips
index ce244d980..6c276b093 100644
--- a/model-engine/Dockerfile.fips
+++ b/model-engine/Dockerfile.fips
@@ -1,4 +1,4 @@
-FROM cgr.dev/scale.com/python-fips:3.10-dev
+FROM cgr.dev/scale.com/python-fips:3.10.20-r7-dev
 WORKDIR /workspace
 USER root
From a3c55e05d8cdc73850483091d879abde9930a2ea Mon Sep 17 00:00:00 2001
From: Alexander Stringel
Date: Mon, 15 Jun 2026 15:32:52 -0400
Subject: [PATCH 3/3] Verify aws-iam-authenticator digest and pin pipeline template refs
Dockerfile.fips: verify the downloaded binary's SHA256 against the upstream checksums before making it executable, so a compromised release asset or CDN cache-poisoning event fails the build rather than silently landing in the FIPS image. .gitlab-ci.yml: pin both scalegov2-pipelines includes to a specific commit SHA instead of the floating ref: main, giving the pipeline a stable, auditable baseline.
---
 model-engine/Dockerfile.fips | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
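Review bot: In PATCH 2/3, the new `FROM cgr.dev/scale.com/python-fips:3.10.20-r7-dev` pins a tag, and a tag is still a mutable pointer in the registry, so the same reference can resolve to different content on a later build. For a reproducible and auditable FIPS base, append the image digest: `FROM cgr.dev/scale.com/python-fips:3.10.20-r7-dev@sha256:<digest-of-that-tag>`. The digest can be read with `crane digest`, alongside the `crane ls` lookup the description already cites. Keeping the tag next to the digest keeps the line readable for future bumps.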
diff --git a/model-engine/Dockerfile.fips b/model-engine/Dockerfile.fips
index 6c276b093..a6fbeeee9 100644
--- a/model-engine/Dockerfile.fips
+++ b/model-engine/Dockerfile.fips
@@ -24,8 +24,9 @@ RUN apk update && apk add \
 postgresql-dev \
 libpq-16
-RUN curl -Lo /bin/aws-iam-authenticator https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/v0.7.11/aws-iam-authenticator_0.7.11_linux_amd64
-RUN chmod +x /bin/aws-iam-authenticator
+RUN curl -Lo /bin/aws-iam-authenticator https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/v0.7.11/aws-iam-authenticator_0.7.11_linux_amd64 \
+ && echo "8523d92af5680dbc7af81a75be63ffdb36040e061e8e318d322e01dceff85a1f /bin/aws-iam-authenticator" | sha256sum -c - \
+ && chmod +x /bin/aws-iam-authenticator
 RUN pip install pip==24.2
 RUN chmod -R 777 /workspace
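Review bot: The SHA-256 in the new `sha256sum -c -` step is a bare literal with no recorded provenance, so a later reader cannot tell which upstream file it came from or how to re-derive it at the next version bump. A hard-coded digest protects against the asset changing after the pin was made; it says nothing about whether the asset was good at that moment, so the source of the value matters. I would add a comment above the RUN such as `# sha256 from the upstream v0.7.11 release checksums file, recorded <date>; update together with the version in the URL`. Separately, the description mentions pinning includes in .gitlab-ci.yml, but the diffstat shown here lists only model-engine/Dockerfile.fips.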