OWASP · sydseter · Jan 20, 2026 · Jan 20, 2026 · Jan 20, 2026 · Jan 20, 2026
@@ -1,11 +1,20 @@
-FROM gcr.io/oss-fuzz-base/base-builder-python:v1@sha256:c0021e88f13312e7706c49e6348fe442b641ff46d032d9846131a60b68dea50d
-RUN apt-get update && apt-get install -y make autoconf automake libtool curl gcc libc-dev software-properties-common
-RUN add-apt-repository ppa:deadsnakes/ppa -y
+FROM gcr.io/oss-fuzz-base/base-builder-python:ubuntu-24-04@sha256:79f6e0ac4506a75757099bfea8cfd52d1bb0e2f92ca21c64755151b655ce23e1
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    autoconf \
+    automake \
+    curl \
+    gcc \
+    libc-dev \
+    libtool \
+    make \
+    libxml2-dev \
+    libxslt-dev \
+    python3-dev \
+    python3-venv \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
 # Atheris only supports python 3.11 https://github.com/google/atheris/blob/master/README.md#installation-instructions
-RUN apt upgrade -y && apt-get install -y python3.10 python3.10-dev python3.10-distutils libxml2-dev libxslt-dev
-RUN apt-get install -y python3-pip
-RUN curl -sS https://bootstrap.pypa.io/get-pip.py | python3.10
-RUN python3.10 -m pip install --upgrade wheel setuptools setuptools_scm PyInstaller==6.13.0
+RUN curl -sS https://bootstrap.pypa.io/get-pip.py | python3
+RUN python3 -m pip install --upgrade wheel setuptools setuptools_scm PyInstaller==6.18.0
 COPY . $SRC/cornucopia
 WORKDIR $SRC/cornucopia
 COPY .clusterfuzzlite/build.sh $SRC/
@@ -1,15 +1,15 @@
 #!/bin/bash -eu
 
 # build project
-python3.10 -m pip install -r requirements.txt
-python3.10 -m pip install -r install_cornucopia_deps.txt
+python3 -m pip install -r requirements.txt
+python3 -m pip install -r install_cornucopia_deps.txt
 
 # Build fuzzers into $OUT. These could be detected in other ways.
 for fuzzer in $(find "$SRC/cornucopia/tests/scripts" -name '*_fuzzer.py'); do
     fuzzer_basename=$(basename -s .py "$fuzzer")
     fuzzer_package=${fuzzer_basename}.pkg
 
-    python3.10 -m PyInstaller --distpath "$OUT" --onefile --exclude IPython --paths "$SRC"/cornucopia:"$SRC"/cornucopia/scripts:"$SRC"/cornucopia/tests/test-files --hidden-import scripts --collect-submodules scripts --name "$fuzzer_package" "$fuzzer"
+    python3 -m PyInstaller --distpath "$OUT" --onefile --exclude IPython --paths "$SRC"/cornucopia:"$SRC"/cornucopia/scripts:"$SRC"/cornucopia/tests/test-files --hidden-import scripts --collect-submodules scripts --name "$fuzzer_package" "$fuzzer"
 
     echo "#!/bin/sh
 # LLVMFuzzerTestOneInput for fuzzer detection.
@@ -18,4 +18,4 @@ this_dir=\$(dirname \"\$0\")
 ASAN_OPTIONS=\$ASAN_OPTIONS:symbolize=1:external_symbolizer_path=\$this_dir/llvm-symbolizer:detect_leaks=0 \
 \$this_dir/$fuzzer_package \$@" > "$OUT"/"$fuzzer_basename"
     chmod +x "$OUT/$fuzzer_basename"
-done
+done
@@ -1,4 +1,24 @@
+* text=auto
 output/*.docx filter=lfs diff=lfs merge=lfs -text
 output/*.idml filter=lfs diff=lfs merge=lfs -text
 resources/fonts/Atkinson-Hyperlegible-Font-Print-and-Web-2020-0514.zip filter=lfs diff=lfs merge=lfs -text
 resources/fonts/fivo_sans.zip filter=lfs diff=lfs merge=lfs -text
+*.py text eol=lf
+*.ts text eol=lf
+*.json text eol=lf
+*.yaml text eol=lf
+*.lock text eol=lf
+*.txt text eol=lf
+*.md text eol=lf
+*.sh text eol=lf
+*.ini text eol=lf
+*.json text eol=lf
+*.config text eol=lf
+*.eex text eol=lf
+*.ex text eol=lf
+*.exs text eol=lf
+*.css text eol=lf
+*.scss text eol=lf
+*.toml text eol=lf
+*.gitignore text eol=lf
+Dockerfile text eol=lf
@@ -1,10 +1,8 @@
 ---
     name: Build and Test the Cornucopia Website
     on:
-      pull_request:
-        paths:
-        - 'cornucopia.owasp.org/**'
-        - '.github/workflows/build-website.yml'
+      workflow_call:
+      workflow_dispatch:
     permissions:
       contents: read
     jobs:
@@ -45,4 +43,5 @@
             run: |
               pnpm install          # Install dependencies
               npm run build        # Build production version
-              pnpm audit --prod
+              pnpm audit --prod
+              pnpm run coverage
@@ -23,11 +23,12 @@
           - name: Get Python
             uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
             with:
-              python-version: '3.11'
+              python-version: '3.12'
               cache: 'pipenv' # caching pip dependencies
           - name: Install dependencies
             run: |
               pip install -r requirements.txt --require-hashes
+              pip install pipenv
               pipenv install --ignore-pipfile --dev
           # Run the tests
           - name: Run unit tests

@@ -24,11 +24,12 @@
           - name: Get Python
             uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
             with:
-              python-version: '3.11'
+              python-version: '3.12'
               cache: 'pipenv' # caching pip dependencies
           - name: Install dependencies
             run: |
               pip install -r requirements.txt --require-hashes
+              pip install pipenv
               pipenv install --ignore-pipfile --dev
           # Run the tests
           - name: Run unit tests

@@ -13,6 +13,15 @@ jobs:
   hardening:
     name: Harden runner
     uses: ./.github/workflows/hardening.yaml
-  call-run-tests:
+  call-run-converter-tests:
+    name: Build and run Converter Tests
     needs: hardening
-    uses: ./.github/workflows/run-tests.yaml
+    uses: ./.github/workflows/run-tests.yaml
+  call-run-website-tests:
+    name: Build and run Website Tests
+    needs: hardening
+    uses: ./.github/workflows/build-website.yaml
+  call-run-build-copi-tests:
+    name: Build and run COPI Tests
+    needs: hardening
+    uses: ./.github/workflows/copi-build.yaml
@@ -53,11 +53,12 @@ jobs:
       - name: Get Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
-          python-version: '3.11'
+          python-version: '3.12'
           cache: 'pipenv' # caching pip dependencies
       - name: Install dependencies
         run: |
           pip install -r requirements.txt --require-hashes
+          pip install pipenv
           pipenv install -d
       - name: Generate new output files
         run: |

@@ -21,11 +21,12 @@ jobs:
       - name: Get Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
-          python-version: '3.11'
+          python-version: '3.12'
           cache: 'pipenv' # caching pip dependencies
       - name: Install dependencies
         run: |
           pip install -r requirements.txt --require-hashes
+          pip install pipenv
           pipenv install --ignore-pipfile --dev
       # Run the tests
       - name: Run unit tests

@@ -1,4 +1,4 @@
-FROM python:alpine3.20@sha256:40a4559d3d6b2117b1fbe426f17d55b9100fa40609733a1d0c3f39e2151d4b33 AS pipenv
+FROM python:3.12.12-alpine3.22@sha256:d82291d418d5c47f267708393e40599ae836f2260b0519dd38670e9d281657f5 AS pipenv
 RUN apk add --no-cache shadow
 # UID of current user who runs the build
 ARG user_id
@@ -26,6 +26,7 @@ RUN apk add --no-cache \
     make
 COPY --chown=builder:union requirements.txt ./
 RUN pip install -r requirements.txt --require-hashes
+RUN pip install pipenv
 USER builder
 # Install Python dependencies so they are cached
 ARG workdir

@@ -26,7 +26,6 @@ charset-normalizer = "==3.4.4"
 python-docx = "==1.1.0"
 PyYAML = "==6.0.1"
 pyqrcode = "==1.2.1"
-types-PyYAML = "==6.0.12.12"
 docx2pdf = "==0.1.8"
 lxml = "==6.0.1"
 defusedxml = "==0.7.1"
@@ -35,6 +34,7 @@ pathvalidate = "==3.3.1"
 security = "==1.3.1"
 colorama = "*"
 mypy = "*"
+types-pyyaml = "==6.0.12.20250915"
 
 [requires]
-python_version = "3.11"
+python_version = "3.12"