From 4f0f5a1b0cc38be4f47e8771b4750124f809afc8 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Tue, 22 Oct 2024 18:03:20 +0100 Subject: [PATCH] =?UTF-8?q?=F0=9F=A7=91=E2=80=8D=F0=9F=94=AC=20?= =?UTF-8?q?=F0=9F=90=8D=20Add=20SciPy=20packages=20to=20base=203.12=20envi?= =?UTF-8?q?ronment=20(#35)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Jacob Woffenden --- .github/workflows/scan.yml | 25 +++++++++++++++ .trivyignore | 3 ++ Dockerfile | 12 +++++-- .../analytical-platform/requirements-base.txt | 1 + ...ements.txt => requirements-jupyterlab.txt} | 0 .../requirements-scipy.txt | 31 +++++++++++++++++++ 6 files changed, 70 insertions(+), 2 deletions(-) create mode 100644 src/opt/analytical-platform/requirements-base.txt rename src/opt/analytical-platform/{requirements.txt => requirements-jupyterlab.txt} (100%) create mode 100644 src/opt/analytical-platform/requirements-scipy.txt diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 57b03b1..e413a55 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -19,6 +19,30 @@ jobs: id: checkout uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - name: Free Disk Space + id: free_disk_space + shell: bash + run: | + df -h / + echo "Pruning cached tools" + # https://github.com/actions/runner-images/issues/2840#issuecomment-2272410832 + sudo rm -rf \ + /opt/hostedtoolcache \ + /opt/google/chrome \ + /opt/microsoft/msedge \ + /opt/microsoft/powershell \ + /opt/pipx \ + /usr/lib/mono \ + /usr/local/julia* \ + /usr/local/lib/android \ + /usr/local/lib/node_modules \ + /usr/local/share/chromium \ + /usr/local/share/powershell \ + /usr/share/dotnet \ + /usr/share/swift + echo "Disk space after cleanup..." + df -h / + - name: Build id: build shell: bash 
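Review bot: The new `Free Disk Space` step in `.github/workflows/scan.yml` links to the upstream issue comment but does not say why this job needs the cleanup or what it gives up. Removing `/opt/hostedtoolcache` and `/usr/local/lib/node_modules` takes the runner's preinstalled toolchains with it, so any later step in this job that expects them would have to fetch them again; the steps after `Build` are only partly visible here. I would add a comment above the `sudo rm -rf`, such as `# Image build needs more disk than the default runner leaves free; remove preinstalled toolchains this job does not use`, assuming that is the reason. If another workflow builds the same image, it presumably needs the same step.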
@@ -34,6 +58,7 @@ jobs: env: TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2 TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1 + TRIVY_TIMEOUT: 15m with: image-ref: ghcr.io/${{ github.repository }}:${{ github.sha }} severity: HIGH,CRITICAL diff --git a/.trivyignore b/.trivyignore index 34b9208..80f6a42 100644 --- a/.trivyignore +++ b/.trivyignore @@ -5,6 +5,9 @@ CVE-2024-43882 ## setuptools CVE-2024-6345 # TODO: @jacobwoffenden - Figure out where this comes from and patch it +## imagecodecs +GHSA-94vc-p8w7-5p49 + # .NET ## We are running the latest dotnet-sdk from Ubuntu CVE-2024-0057 diff --git a/Dockerfile b/Dockerfile index de7091a..bbd17e5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,9 +12,17 @@ SHELL ["/bin/bash", "-e", "-u", "-o", "pipefail", "-c"] COPY --chown="${CONTAINER_USER}:${CONTAINER_GROUP}" --chmod=0644 src${ANALYTICAL_PLATFORM_DIRECTORY}/first-run-notice.txt ${ANALYTICAL_PLATFORM_DIRECTORY}/first-run-notice.txt # JupyterLab -COPY --chown="${CONTAINER_USER}:${CONTAINER_GROUP}" --chmod=0644 src${ANALYTICAL_PLATFORM_DIRECTORY}/requirements.txt ${ANALYTICAL_PLATFORM_DIRECTORY}/requirements.txt +COPY --chown="${CONTAINER_USER}:${CONTAINER_GROUP}" --chmod=0644 src${ANALYTICAL_PLATFORM_DIRECTORY}/requirements-jupyterlab.txt ${ANALYTICAL_PLATFORM_DIRECTORY}/requirements-jupyterlab.txt RUN <
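Review bot: In the `.trivyignore` hunk, `GHSA-94vc-p8w7-5p49` is suppressed under `## imagecodecs` with no reason recorded, unlike the neighbouring entries, which carry a TODO or a one-line explanation. The scan step reports only `HIGH,CRITICAL` findings, so a permanent ignore hides this advisory from every future run, including after a fixed imagecodecs release becomes available. I would add a comment line such as `# imagecodecs presumably comes from requirements-scipy.txt; <reason the finding is accepted>` and give the entry an expiry, `GHSA-94vc-p8w7-5p49 exp:<YYYY-MM-DD>`, so the scan fails again when the suppression is due for review.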