Down to 39 crit vulnerabilities in docker image. Can't seem to get below that

Dockerfile

@@ -1,5 +1,8 @@
-FROM python:3.6.8
-MAINTAINER albert.merono@vu.nl
+#FROM python:3.6.8
+FROM python:3.9.13
+LABEL org.opencontainers.image.authors="ORIGINAL: albert.merono@vu.nl; THIS VERSION: mark.wilkinson@upm.es"
+LABEL org.opencontainers.image.documentation="https://github.com/markwilkinson/grlc/blob/master/README.md"
+RUN apt-get update && apt-get full-upgrade -y
 
 # Default values for env variables
 ARG GRLC_GITHUB_ACCESS_TOKEN=
@@ -22,13 +25,17 @@ ENV GRLC_INSTALL_DIR="${GRLC_HOME}/grlc" \
     GRLC_RUNTIME_DIR="${GRLC_CACHE_DIR}/runtime"
 
 RUN apt-get update \
- && DEBIAN_FRONTEND=noninteractive apt-get install -y nginx git-core logrotate python-pip locales gettext-base sudo build-essential apt-utils \
+ && DEBIAN_FRONTEND=noninteractive apt-get install -y nginx git-core logrotate python3-pip locales gettext-base sudo build-essential apt-utils \
  && update-locale LANG=C.UTF-8 LC_MESSAGES=POSIX \
  && locale-gen en_US.UTF-8 \
  && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales \
  && rm -rf /var/lib/apt/lists/*
 
-RUN curl -sL https://deb.nodesource.com/setup_10.x | sudo -E bash -
+RUN apt-get update && apt-get dist-upgrade -y
+
+
+RUN curl -sL https://deb.nodesource.com/setup_14.x | sudo -E bash -
+RUN chmod a+r /usr/share/keyrings/nodesource.gpg
 RUN apt-get update && apt-get install -y nodejs
 
 COPY ./ ${GRLC_INSTALL_DIR}
@@ -48,3 +55,4 @@ VOLUME ["${GRLC_DATA_DIR}", "${GRLC_LOG_DIR}"]
 WORKDIR ${GRLC_INSTALL_DIR}
 ENTRYPOINT ["/sbin/entrypoint.sh"]
 CMD ["app:start"]
+

README.md

@@ -1,9 +1,13 @@
+# Shallot
+## Kinda like grlc, but not as powerful ;-)
+
 <p algin="center"><img src="https://raw.githubusercontent.com/CLARIAH/grlc/master/src/static/grlc_logo_01.png" width="250px"></p>
 
-[![PyPI version](https://badge.fury.io/py/grlc.svg)](https://badge.fury.io/py/grlc)
-[![DOI](https://zenodo.org/badge/46131212.svg)](https://zenodo.org/badge/latestdoi/46131212)
-[![Build Status](https://travis-ci.org/CLARIAH/grlc.svg?branch=master)](https://travis-ci.org/CLARIAH/grlc)
+# NOTE:  This is a highly crippled version of the original grlc server
+
+It is intended to be used in secure environments.  Specifically, the GitHub and YAML file integration has been disabled.  Only local queries will be available.
 
+## Original Documentation from https://raw.githubusercontent.com/CLARIAH/grlc/ is below
 
 grlc, the <b>g</b>it <b>r</b>epository <b>l</b>inked data API <b>c</b>onstructor, automatically builds Web APIs using shared SPARQL queries. http://grlc.io/
 

docker-assets/assets/build/install.sh

@@ -18,11 +18,14 @@ passwd -d ${GRLC_USER}
 
 cd ${GRLC_INSTALL_DIR}
 chown ${GRLC_USER}:${GRLC_USER} ${GRLC_HOME} -R
-
 pip install --upgrade pip
+pip install 'setuptools<58'
+pip install 'docutils'
 pip install .
 
-npm install git2prov
+#npm install git2prov
+#npm audit fix
+
 
 #move nginx logs to ${GITLAB_LOG_DIR}/nginx
 sed -i \
@@ -31,7 +34,7 @@ sed -i \
  /etc/nginx/nginx.conf
 
  # configure gitlab log rotation
- cat > /etc/logrotate.d/grlc << EOF
+ cat > /etc/logrotate.d/grlc << EOF1
  ${GRLC_LOG_DIR}/grlc/*.log {
    weekly
    missingok
@@ -41,10 +44,10 @@ sed -i \
    notifempty
    copytruncate
  }
- EOF
+EOF1
 
  # configure gitlab vhost log rotation
- cat > /etc/logrotate.d/grlc-nginx << EOF
+ cat > /etc/logrotate.d/grlc-nginx << EOF2
  ${GRLC_LOG_DIR}/nginx/*.log {
    weekly
    missingok
@@ -54,4 +57,4 @@ sed -i \
    notifempty
    copytruncate
  }
- EOF
+EOF2

openapi.yaml

@@ -0,0 +1,106 @@
+openapi: "3.0.1"
+info:
+  title: SPARQL OpenAPI
+  version: "10"
+  description: |
+    This is a heavily trimmed copy of the RDF4J REST API that includes only the SPARQL endpoint GET and POST definitions
+
+    From this endpoint we serve the BGV Administrative Collection information (collecting group, date, etc.)
+
+externalDocs:
+  url: https://rdf4j.org/documentation/reference/rest-api/
+
+servers:
+  - url: https://bgv.cbgp.upm.es
+    description: SPARQL server for the BANCO DE GERMOPLASMA VEGETAL-UPM
+
+tags:
+  - name: SPARQL
+    description: SPARQL Query execution
+
+components:
+  requestBodies:
+    RdfData:
+      description: RDF data payload
+      content:
+        application/rdf+xml:
+          schema:
+            type: object
+            xml:
+              name: RDF
+              namespace: http://www.w3.org/1999/02/22-rdf-syntax-ns#
+        text/plain:
+          schema:
+            type: string
+        text/turtle:
+          schema:
+            type: string
+        text/rdf+n3:
+          schema:
+            type: string
+        text/x-nquads:
+          schema:
+            type: string
+        application/ld+json:
+          schema:
+            type: object
+            format: json
+        application/rdf+json:
+          schema:
+            type: object
+            format: json
+        application/trix:
+          schema:
+            type: object
+            xml:
+              name: TriX
+        application/x-trig:
+          schema:
+            type: string
+        application/x-binary-rdf:
+          schema:
+            type: string
+            format: binary
+  responses:
+    200SparqlResult:
+      description: SPARQL query result
+      content:
+        application/sparql-results+json:
+          examples:
+            SelectQueryResult:
+              $ref: "#/components/examples/SparqlJsonBindings"
+  examples:
+    SparqlJsonBindings:
+      value:
+        head:
+          vars: [ "s", "p", "o" ]
+          results:
+            bindings:
+              - s:
+                  type: "uri"
+                  value: "http://example.org/s1"
+              - p:
+                  type: "uri"
+                  value: "http://example.org/p1"
+              - o:
+                  type: "literal"
+                  value: "foo"
+paths:
+  /repositories/administrative:
+    get:
+      tags:
+        - SPARQL
+      summary: Execute SPARQL query
+      description: |
+        Execute a SPARQL query on the repository. The result format is based on the type of result (boolean, variable bindings, or RDF data) and the negotiated acceptable content-type. Note that RDF4J supports executing SPARQL queries with either a GET or a POST request. POST is supported for queries that are too large to be encoded as a query parameter.
+      parameters:
+        - name: query
+          in: query
+          description: The query to evaluate
+          required: true
+          schema:
+            type: string
+            example: SELECT DISTINCT ?type WHERE {?s a ?type}
+      responses:
+        '200':
+          $ref: "#/components/responses/200SparqlResult"