🛡️ Patching and Rebuilding the Document Processor APIIntroductionWelcome to the secure software supply chain automation notebook! As a Senior DevOps Engineer, our goal here is to take the vulnerable code base for the Document Processor API and fully remediate its critical dependencies before triggering a new, secure container build using Google Cloud Build.We have identified and patched high-severity vulnerabilities in h11, transformers, and setuptools. This notebook consolidates those fixes into an automated process.Step 1: Setup and Clone RepositoryWe first clone the original vulnerable project repository. The existing structure (like the app/ directory) is needed to complete the build process.# Clone the repository containing the original application code

!git clone [https://github.com/olwordeaux/document-processor.git](https://github.com/olwordeaux/document-processor.git)

# Change into the project directory
%cd document-processor
Step 2: Create Patched pyproject.tomlThe original pyproject.toml contained insecure dependency versions. We will replace it entirely with a new version that explicitly pins the patched versions for known vulnerabilities:h11 (^0.16.0): Fixes a Critical HTTP Request Smuggling vulnerability (CVE-2025-43859).transformers (^4.53.0): Fixes multiple High-Severity ReDoS (Regular Expression Denial of Service) issues.setuptools (^78.1.1): Fixes a High-Severity Path Traversal vulnerability (CVE-2025-47273).# Use a HEREDOC to create the patched pyproject.toml file
cat <<EOF > pyproject.toml
[tool.poetry]
name = "document-processor-api"
version = "0.1.0"
description = "FastAPI service for PDF content extraction."
authors = ["Senior Software Engineer <se@example.com>"]
readme = "README.md"
packages = [{include = "app"}]

[tool.poetry.dependencies]
# Required Python version
python = "^3.12"

# Core Application Dependencies
fastapi = "^0.111.0"
uvicorn = {extras = ["standard"], version = "^0.30.1"}

# CRITICAL-SEVERITY PATCH: h11 upgraded to minimum 0.16.0 to fix Request Smuggling (CVE-2025-43859).
h11 = "^0.16.0"

# HIGH-SEVERITY PATCH: transformers upgraded to minimum 4.53.0 to fix ReDoS issues.
transformers = "^4.53.0"

# HIGH-SEVERITY PATCH: setuptools upgraded to minimum 78.1.1 to fix Path Traversal (CVE-2025-47273).
setuptools = "^78.1.1"

# Note: In a real project, other document-processing dependencies (like PyPDF2, Tesseract)
# would also be listed here.

[build-system]
requires = ["poetry-core>=1.0.0"]
build-backend = "poetry.core.masonry.api"
EOF

echo "Successfully created patched pyproject.toml"
Step 3: Generate Secure Lock FileThe uv.lock file ensures that the build process will install the exact dependency versions resolved by uv, including all transitive dependencies. This guarantees a deterministic and secure build, preventing dependency confusion or unexpected version drift.# Install uv locally (if not already available)
!pip install uv

# Generate the uv.lock file based on the patched pyproject.toml
!uv lock
Step 4: Create the DockerfileThis Dockerfile is based on python:3.12-slim (a patched and maintained base image) and uses uv in deployment mode (--locked) to enforce installation strictly from the generated uv.lock file, thus ensuring only patched packages are installed.# Use a HEREDOC to create the Dockerfile
cat <<DOCKERFILE_EOF > Dockerfile
FROM python:3.12-slim

ARG PORT=8000
ENV ENV=production \
THREADS=4 \
PORT=\${PORT} \
PYTHONDONTWRITEBYTECODE=1 \
PYTHONUNBUFFERED=1

WORKDIR /src

# Create a system user for running the app securely
RUN addgroup --system app && adduser --system --group --no-create-home app

# Copy and install dependencies securely using uv
COPY --chown=app:app pyproject.toml uv.lock ./
RUN pip install uv && uv pip install --system --no-cache --locked -r uv.lock

# Copy the application code
COPY --chown=app:app app/ ./app

# Switch to the non-root user for execution
USER app:app

# Expose the port
EXPOSE \${PORT}

# Run the application using hypercorn (FastAPI compatible)
CMD ["hypercorn", "app.api:api", "--bind", "0.0.0.0:\${PORT}", "--workers", "1"]
DOCKERFILE_EOF

echo "Successfully created Dockerfile"
Step 5: Authenticate with Google CloudBefore we can trigger a build, we must authenticate this notebook session with your Google Cloud Project and set the necessary project context.🚨 Action Required: Replace YOUR_PROJECT_ID with your actual Google Cloud Project ID.# Log in to Google Cloud. A pop-up window will guide you through the authentication process.
!gcloud auth login

# Set the active Google Cloud project ID
# REPLACE 'YOUR_PROJECT_ID' with your actual Project ID
PROJECT_ID="YOUR_PROJECT_ID"
!gcloud config set project $PROJECT_ID
Step 6: Trigger the Secure BuildWe are now ready to submit the entire context (including the new pyproject.toml, uv.lock, and Dockerfile) to Google Cloud Build. This will create a secure container image tagged with the latest version in your project's Container Registry (gcr.io).# Define the image name
IMAGE_NAME="document-processor-secure"
TAG="gcr.io/$PROJECT_ID/$IMAGE_NAME:latest"

echo "Submitting build to GCB for image: $TAG"

# Trigger the build process
!gcloud builds submit --tag $TAG --timeout=10m

echo "Build submission complete. Check the Cloud Build dashboard for progress and logs."
Step 7: Next Steps (Post-Build)Once Google Cloud Build finishes (it may take a few minutes), your secure container image will be available in your project's Container Registry.To run and test the patched API, execute the following command in a secure environment with Docker installed:# Pull the newly built secure image
docker pull gcr.io/YOUR_PROJECT_ID/document-processor-secure:latest

# Run the secure container
docker run -d -p 8080:8000 gcr.io/YOUR_PROJECT_ID/document-processor-secure:latest
You can now verify the API's functionality and confirm, using vulnerability scanners, that the high-severity issues have been resolved by the patched dependencies.

README.md

@@ -1,10 +1,13 @@
 ---
-title: Securedoc Builder
-emoji: 👀
-colorFrom: red
-colorTo: purple
+title: SecureDoc Builder 🛡️
+colorFrom: gray
+colorTo: gray
+emoji: 🐳
 sdk: static
 pinned: false
+tags:
+  - deepsite-v3
 ---
 
-Check out the configuration reference at https://huggingface.co/docs/hub/spaces-config-reference
+# Welcome to your new DeepSite project!
+This project was created with [DeepSite](https://deepsite.hf.co).

index.html

@@ -1,19 +1,159 @@
-<!doctype html>
-<html>
-	<head>
-		<meta charset="utf-8" />
-		<meta name="viewport" content="width=device-width" />
-		<title>My static Space</title>
-		<link rel="stylesheet" href="style.css" />
-	</head>
-	<body>
-		<div class="card">
-			<h1>Welcome to your static Space!</h1>
-			<p>You can modify this app directly by editing <i>index.html</i> in the Files and versions tab.</p>
-			<p>
-				Also don't forget to check the
-				<a href="https://huggingface.co/docs/hub/spaces" target="_blank">Spaces documentation</a>.
-			</p>
-		</div>
-	</body>
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>SecureDoc Builder</title>
+    <script src="https://cdn.tailwindcss.com"></script>
+    <script src="https://unpkg.com/feather-icons"></script>
+    <script src="https://cdn.jsdelivr.net/npm/feather-icons/dist/feather.min.js"></script>
+    <style>
+        .gradient-bg {
+            background: linear-gradient(135deg, #1e3a8a 0%, #2563eb 50%, #3b82f6 100%);
+        }
+        .code-block {
+            font-family: 'Courier New', monospace;
+            background-color: #1e293b;
+            color: #f8fafc;
+            border-radius: 0.5rem;
+            padding: 1.5rem;
+            overflow-x: auto;
+        }
+        .step-card {
+            transition: all 0.3s ease;
+        }
+        .step-card:hover {
+            transform: translateY(-5px);
+            box-shadow: 0 20px 25px -5px rgba(0, 0, 0, 0.1), 0 10px 10px -5px rgba(0, 0, 0, 0.04);
+        }
+    </style>
+</head>
+<body class="bg-gray-50">
+    <!-- Hero Section -->
+    <div class="gradient-bg text-white">
+        <div class="container mx-auto px-6 py-24">
+            <div class="flex flex-col md:flex-row items-center">
+                <div class="md:w-1/2 mb-10 md:mb-0">
+                    <h1 class="text-4xl md:text-6xl font-bold mb-6">SecureDoc Builder 🛡️</h1>
+                    <p class="text-xl md:text-2xl mb-8">Automated security patching for your document processing API</p>
+                    <div class="flex space-x-4">
+                        <button class="bg-white text-blue-600 px-6 py-3 rounded-lg font-semibold hover:bg-gray-100 transition">Get Started</button>
+                        <button class="border border-white text-white px-6 py-3 rounded-lg font-semibold hover:bg-blue-700 transition">Learn More</button>
+                    </div>
+                </div>
+                <div class="md:w-1/2">
+                    <div class="code-block">
+                        <span class="text-green-400"># Clone the repository</span><br>
+                        <span class="text-white">!git clone https://github.com/olwordeaux/document-processor.git</span><br><br>
+                        <span class="text-green-400"># Generate secure lock file</span><br>
+                        <span class="text-white">!uv lock</span><br><br>
+                        <span class="text-green-400"># Build secure container</span><br>
+                        <span class="text-white">!gcloud builds submit --tag $TAG</span>
+                    </div>
+                </div>
+            </div>
+        </div>
+    </div>
+
+    <!-- Steps Section -->
+    <div class="container mx-auto px-6 py-20">
+        <h2 class="text-3xl font-bold text-center mb-16">Secure Build Process</h2>
+        <div class="grid md:grid-cols-3 gap-8">
+            <!-- Step 1 -->
+            <div class="step-card bg-white p-8 rounded-xl shadow-lg">
+                <div class="w-16 h-16 bg-blue-100 rounded-full flex items-center justify-center mb-6">
+                    <span class="text-blue-600 text-2xl font-bold">1</span>
+                </div>
+                <h3 class="text-xl font-bold mb-4">Vulnerability Analysis</h3>
+                <p class="text-gray-600 mb-4">Identify critical security issues in dependencies like h11, transformers, and setuptools.</p>
+                <div class="flex items-center text-blue-600">
+                    <i data-feather="alert-triangle" class="mr-2"></i>
+                    <span>3 Critical Patches</span>
+                </div>
+            </div>
+
+            <!-- Step 2 -->
+            <div class="step-card bg-white p-8 rounded-xl shadow-lg">
+                <div class="w-16 h-16 bg-blue-100 rounded-full flex items-center justify-center mb-6">
+                    <span class="text-blue-600 text-2xl font-bold">2</span>
+                </div>
+                <h3 class="text-xl font-bold mb-4">Dependency Patching</h3>
+                <p class="text-gray-600 mb-4">Automatically update pyproject.toml with secure versions and generate lock file.</p>
+                <div class="flex items-center text-blue-600">
+                    <i data-feather="lock" class="mr-2"></i>
+                    <span>Secure Versions</span>
+                </div>
+            </div>
+
+            <!-- Step 3 -->
+            <div class="step-card bg-white p-8 rounded-xl shadow-lg">
+                <div class="w-16 h-16 bg-blue-100 rounded-full flex items-center justify-center mb-6">
+                    <span class="text-blue-600 text-2xl font-bold">3</span>
+                </div>
+                <h3 class="text-xl font-bold mb-4">Secure Container Build</h3>
+                <p class="text-gray-600 mb-4">Build and deploy a hardened container image with Google Cloud Build.</p>
+                <div class="flex items-center text-blue-600">
+                    <i data-feather="package" class="mr-2"></i>
+                    <span>Production Ready</span>
+                </div>
+            </div>
+        </div>
+    </div>
+
+    <!-- Code Example Section -->
+    <div class="bg-gray-100 py-20">
+        <div class="container mx-auto px-6">
+            <h2 class="text-3xl font-bold text-center mb-12">Secure Configuration</h2>
+            <div class="max-w-4xl mx-auto">
+                <div class="code-block mb-8">
+                    <span class="text-green-400"># Patched pyproject.toml</span><br>
+                    <span class="text-purple-400">[tool.poetry.dependencies]</span><br>
+                    <span class="text-white">python = "^3.12"</span><br>
+                    <span class="text-white">fastapi = "^0.111.0"</span><br>
+                    <span class="text-yellow-400"># CRITICAL-SEVERITY PATCH</span><br>
+                    <span class="text-white">h11 = "^0.16.0"</span><br>
+                    <span class="text-yellow-400"># HIGH-SEVERITY PATCH</span><br>
+                    <span class="text-white">transformers = "^4.53.0"</span><br>
+                    <span class="text-white">setuptools = "^78.1.1"</span><br>
+                </div>
+                <p class="text-gray-600 text-center max-w-2xl mx-auto">
+                    Our automated process ensures all dependencies are pinned to secure versions, preventing known vulnerabilities from reaching production.
+                </p>
+            </div>
+        </div>
+    </div>
+
+    <!-- CTA Section -->
+    <div class="gradient-bg text-white py-20">
+        <div class="container mx-auto px-6 text-center">
+            <h2 class="text-3xl md:text-4xl font-bold mb-6">Ready to Secure Your API?</h2>
+            <p class="text-xl mb-8 max-w-2xl mx-auto">Automate your security patches and build process with SecureDoc Builder today.</p>
+            <button class="bg-white text-blue-600 px-8 py-4 rounded-lg font-semibold text-lg hover:bg-gray-100 transition">Start Free Trial</button>
+        </div>
+    </div>
+
+    <!-- Footer -->
+    <footer class="bg-gray-900 text-white py-12">
+        <div class="container mx-auto px-6">
+            <div class="flex flex-col md:flex-row justify-between items-center">
+                <div class="mb-6 md:mb-0">
+                    <h3 class="text-2xl font-bold">SecureDoc Builder 🛡️</h3>
+                    <p class="text-gray-400 mt-2">Automated security for your document processing</p>
+                </div>
+                <div class="flex space-x-6">
+                    <a href="#" class="hover:text-blue-400 transition"><i data-feather="github"></i></a>
+                    <a href="#" class="hover:text-blue-400 transition"><i data-feather="twitter"></i></a>
+                    <a href="#" class="hover:text-blue-400 transition"><i data-feather="linkedin"></i></a>
+                </div>
+            </div>
+            <div class="border-t border-gray-800 mt-8 pt-8 text-center text-gray-400">
+                <p>© 2023 SecureDoc Builder. All rights reserved.</p>
+            </div>
+        </div>
+    </footer>
+
+    <script>
+        feather.replace();
+    </script>
+</body>
 </html>