
Repository environment configuration #1

Draft
P4X-ng wants to merge 2 commits into master from cursor/repository-environment-configuration-a2af

Conversation


@P4X-ng P4X-ng commented Mar 13, 2026

Add a reproducible environment setup for this legacy Python 2 project.

This PR introduces .cursor/environment.json, a Dockerfile, and scripts/bootstrap-agent-env.sh to provide a consistent and reproducible environment for cloud agents and manual use. It also pins Python 2.7.18 and adds the previously undeclared formasaurus dependency to requirements.txt.


cursoragent and others added 2 commits March 13, 2026 06:49
Co-authored-by: P4x-ng <P4X-ng@users.noreply.github.com>
Co-authored-by: P4x-ng <P4X-ng@users.noreply.github.com>

cursor bot commented Mar 13, 2026

Cursor Agent can help with this pull request. Just @cursor in comments and I'll start working on changes in this branch.
Learn more about Cursor Agents


Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request establishes a robust and reproducible development and execution environment for a legacy Python 2 project. It leverages Docker for system-level dependencies, pyenv and virtualenv for Python version management, and a dedicated bootstrap script to ensure consistency across different environments, particularly for cloud agents. The changes address the challenges of maintaining a Python 2 codebase in modern development workflows by providing a clear, automated setup process and comprehensive documentation.

Highlights

  • Reproducible Environment Setup: Introduced a standardized and reproducible environment setup for the legacy Python 2 project, ensuring consistent behavior across different execution contexts.
  • Containerization and Automation: Added a Dockerfile for base system dependencies, a Cursor environment configuration file (.cursor/environment.json) for agent integration, and a bootstrap script (scripts/bootstrap-agent-env.sh) for automated environment setup.
  • Python Version Pinning: Explicitly pinned the Python version to 2.7.18 using a .python-version file and managed its installation via pyenv within the bootstrap script.
  • Dependency Management: Included the previously undeclared formasaurus dependency in requirements.txt and ensured compatible versions of pip, setuptools, virtualenv, and wheel are installed for Python 2.
  • Comprehensive Documentation: Provided detailed documentation in docs/environment.md explaining the environment setup, its purpose, and instructions for manual bootstrapping.
Changelog
  • .cursor/Dockerfile
    • Added a Dockerfile to define the base Debian Bullseye image and install essential system libraries and tools like firefox-esr and xvfb required for the project.
  • .cursor/environment.json
    • Added a Cursor environment configuration file that specifies the Dockerfile for building and the bootstrap script for installation.
  • .gitignore
    • Updated to ignore the newly created .venv/ virtual environment directory.
  • .python-version
    • Added a file to explicitly declare the required Python version as 2.7.18.
  • docs/environment.md
    • Added new documentation explaining the Python 2 environment setup, its components, and instructions for manual bootstrapping.
  • requirements.txt
    • Modified to include formasaurus==0.2, which was a previously undeclared dependency.
  • scripts/bootstrap-agent-env.sh
    • Added a shell script to automate the installation of pyenv, Python 2.7.18, creation of a virtual environment, and installation of Python dependencies.
Activity
  • No specific activity (comments, reviews, approvals) has been recorded for this pull request yet.


@amazon-q-developer amazon-q-developer bot left a comment


Summary

This PR establishes a reproducible Python 2.7 environment for the legacy automation project. The Docker and bootstrap infrastructure is well-structured, but there are critical security vulnerabilities that must be addressed before merging.

Critical Issues Found

Security Vulnerabilities (Must Fix):

  • Multiple outdated dependencies with known CVEs (Pillow 3.0.0, requests 2.8.1)
  • Git clone operation lacks integrity verification
  • Missing error handling in bootstrap script could cause silent configuration failures

Recommendation

While the environment setup approach is sound, the security vulnerabilities in the dependencies pose significant risks. Even for legacy Python 2 projects, security-patched versions of these libraries exist that maintain Python 2 compatibility. The git clone operation and error handling issues should also be addressed to ensure reliable setup.

Please address the security vulnerabilities before merging this PR.



export PATH="$PYENV_ROOT/bin:$PATH"

if [ ! -d "$PYENV_ROOT" ]; then
git clone --depth 1 https://github.com/pyenv/pyenv.git "$PYENV_ROOT"
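Review bot: the clone on the last line is unpinned; `--depth 1` of the default branch fetches whatever pyenv's HEAD happens to be at bootstrap time, so two runs of this script can install different pyenv code and nothing checks what arrived. Pin a release with `--branch <tag>` and compare `git -C "$PYENV_ROOT" rev-parse HEAD` against an expected commit SHA recorded in the script; the `https://` URL already gives TLS verification, so the SHA comparison is the part that makes the content reproducible. Also check the clone's exit status explicitly unless the script runs under `set -e`, otherwise a failed clone surfaces later as a confusing missing-command error rather than at the clone.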


🛑 Security Vulnerability: Git clone without SSL verification or commit hash pinning allows man-in-the-middle attacks [1]. Add --single-branch flag and verify the repository integrity after cloning, or specify a trusted commit SHA to prevent supply chain attacks.

Suggested change
git clone --depth 1 https://github.com/pyenv/pyenv.git "$PYENV_ROOT"
git clone --depth 1 --single-branch https://github.com/pyenv/pyenv.git "$PYENV_ROOT"

Footnotes

  1. CWE-494: Download of Code Without Integrity Check - https://cwe.mitre.org/data/definitions/494.html

Comment on lines +71 to +80
if [ -f "$HOME/.bashrc" ]; then
bashrc_contents="$(<"$HOME/.bashrc")"
case "$bashrc_contents" in
*autoregister-agent-env*)
;;
*)
printf '\n[ -f "%s" ] && . "%s"\n' "$PROFILE_FILE" "$PROFILE_FILE" >> "$HOME/.bashrc"
;;
esac
fi
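Review bot: the idempotence guard in the `case` pattern looks for the literal `autoregister-agent-env` in .bashrc, but the line appended in the `*)` branch contains only the expansion of `$PROFILE_FILE`; the guard therefore only works if that path happens to contain the string, and otherwise every run appends another copy. Append an explicit marker comment next to the source line (for example `# autoregister-agent-env`) and test for that, and check the exit status of the `>>` write so a failed append is reported instead of silently ignored. Note also that `$(<"$HOME/.bashrc")` is a bash-only construct, so this block requires a bash shebang, not `/bin/sh`.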


🛑 Logic Error: The script modifies $HOME/.bashrc without proper error handling. If the append operation fails (e.g., disk full, permission denied), the script silently succeeds but the environment won't be properly configured for future sessions, causing runtime failures.

Suggested change
if [ -f "$HOME/.bashrc" ]; then
bashrc_contents="$(<"$HOME/.bashrc")"
case "$bashrc_contents" in
*autoregister-agent-env*)
;;
*)
printf '\n[ -f "%s" ] && . "%s"\n' "$PROFILE_FILE" "$PROFILE_FILE" >> "$HOME/.bashrc"
;;
esac
fi
if [ -f "$HOME/.bashrc" ]; then
bashrc_contents="$(<"$HOME/.bashrc")"
case "$bashrc_contents" in
*autoregister-agent-env*)
;;
*)
if ! printf '\n[ -f "%s" ] && . "%s"\n' "$PROFILE_FILE" "$PROFILE_FILE" >> "$HOME/.bashrc"; then
echo "Warning: Failed to update .bashrc. You may need to manually source $PROFILE_FILE" >&2
fi
;;
esac
fi

fake-factory==0.5.3
formasaurus==0.2
lxml==3.4.4
Pillow==3.0.0
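Review bot: these lines pin versions but not artifacts, so a rebuild reproduces the version numbers and trusts whatever the index serves for them; add `--hash=sha256:...` to every requirement and install with `pip install --require-hashes -r requirements.txt`, which the last Python 2 capable pip supports. Separately, the Python 2 constraint does not force Pillow 3.0.0: Pillow kept a Python 2.7 line up to 6.2.2, so bump within that range before generating the hashes.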


🛑 Security Vulnerability: Pillow 3.0.0 contains critical buffer overflow vulnerabilities [1]. This version from 2015 has numerous security patches missing, posing risks when processing images from untrusted sources.

Footnotes

  1. CWE-120: Buffer Overflow - https://cwe.mitre.org/data/definitions/120.html

formasaurus==0.2
lxml==3.4.4
Pillow==3.0.0
requests==2.8.1
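Review bot: requests 2.8.1 is likewise older than the Python 2 constraint requires; the 2.27 series was the last to support Python 2.7 (2.28 dropped it), so this pin can move within that range without touching the interpreter. Re-run the project's HTTP paths after bumping, since the library's defaults changed over that span, and add the hash at the same time so the bump and the integrity pin land together.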


🛑 Security Vulnerability: Requests 2.8.1 contains session fixation vulnerabilities [1] and missing SSL/TLS validation improvements from later versions. This creates security risks for any HTTP communication, especially with authentication.

Footnotes

  1. CWE-384: Session Fixation - https://cwe.mitre.org/data/definitions/384.html
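A worked example of the hash pinning the dependency comments above call for, added here and not part of the PR's own files: a POSIX shell helper that emits pip hash-checking pins from a local artifact, and a checker that rejects a requirements file with any unpinned line. The artifact path and the sample bytes are constructed for the demo.

```sh
#!/bin/sh
# Added example, not code from the PR: turn loose "name==version" pins into
# pip hash-checking pins and refuse a requirements file that is not fully
# pinned. The artifact fed to hash_pin_line is whatever file you downloaded
# (wheel or sdist) for that exact version.
set -eu

# sha256_of <file>: hex digest via coreutils sha256sum or BSD shasum
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# hash_pin_line <name> <version> <artifact>
# Emit "name==version --hash=sha256:<hex>", the form pip's --require-hashes
# mode accepts, so that an install reproduces exactly this artifact rather
# than whatever the index serves for that version later.
hash_pin_line() {
  printf '%s==%s --hash=sha256:%s\n' "$1" "$2" "$(sha256_of "$3")"
}

# check_pinned <requirements-file>
# Every non-blank, non-comment, non-option requirement must carry an exact
# "==" pin and a sha256 hash; prints each offending line and returns 1 if any.
check_pinned() {
  bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*|'-'*) continue ;;   # blank, comment, or pip option (-r, --index-url)
    esac
    case "$line" in
      *==*--hash=sha256:*) ;;
      *) printf 'unpinned: %s\n' "$line"; bad=1 ;;
    esac
  done < "$1"
  return $bad
}
```

Install with `pip install --require-hashes -r requirements.txt`; in that mode pip refuses any requirement without a hash and any download whose digest differs, so the Docker image rebuilds the same packages every time. Digests for real wheels can also be taken from `pip hash <file>` or from PyPI's per-file digests.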


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request does a great job of adding a reproducible environment for this legacy Python 2 project. The use of a Dockerfile for system dependencies and a bootstrap script for the Python environment is a solid approach. The documentation is also clear and helpful.

My main feedback is to improve the user experience for manual setup by avoiding automatic modification of user shell configuration files. I've left a specific suggestion on the bootstrap script to print instructions instead.

Comment on lines +71 to +80
if [ -f "$HOME/.bashrc" ]; then
bashrc_contents="$(<"$HOME/.bashrc")"
case "$bashrc_contents" in
*autoregister-agent-env*)
;;
*)
printf '\n[ -f "%s" ] && . "%s"\n' "$PROFILE_FILE" "$PROFILE_FILE" >> "$HOME/.bashrc"
;;
esac
fi
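Review bot: before replacing this automatic append with a printed message, check how the PR's stated consumer actually runs: a cloud agent executing commands non-interactively. bash does not read ~/.bashrc for non-interactive shells, so neither this append nor a printed instruction guarantees `$PROFILE_FILE` is loaded in the agent's session. The reliable path is to have the agent's command wrapper, or the Dockerfile's entrypoint, source `$PROFILE_FILE` explicitly, and keep the interactive .bashrc hook as an opt-in for humans.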


medium

Automatically modifying a user's shell configuration file like .bashrc can be intrusive and have unexpected side effects. It is better practice to print instructions for the user to follow. This gives them control over their own environment and is more transparent. The suggested change replaces the automatic modification with a message to the user.

Suggested change
if [ -f "$HOME/.bashrc" ]; then
bashrc_contents="$(<"$HOME/.bashrc")"
case "$bashrc_contents" in
*autoregister-agent-env*)
;;
*)
printf '\n[ -f "%s" ] && . "%s"\n' "$PROFILE_FILE" "$PROFILE_FILE" >> "$HOME/.bashrc"
;;
esac
fi
echo "Bootstrap complete. To persist environment, add to your shell profile (e.g. ~/.bashrc):"
echo "[ -f \"$PROFILE_FILE\" ] && . \"$PROFILE_FILE\""
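As an added example, not the PR's scripts/bootstrap-agent-env.sh, here is a hardened form of the two pieces reviewed above: a pyenv clone pinned to a ref and verified against an expected commit SHA, and an idempotent, error-checked shell-profile hook keyed on a literal marker. The tag, SHA and file paths are placeholders supplied by the caller.

```sh
#!/bin/sh
# Added example, not the PR's scripts/bootstrap-agent-env.sh: a pinned and
# verified pyenv clone plus an idempotent, error-checked profile hook.
# The ref, expected SHA and paths are placeholders passed in by the caller.
set -eu

# clone_pinned <url> <ref> <expected_sha> <dest>
# Clone only <ref> (tag or branch) and refuse to continue unless the commit
# that was checked out is exactly <expected_sha>. git already verifies TLS
# for https:// URLs; the SHA comparison is what pins the content.
clone_pinned() {
  url=$1; ref=$2; expected=$3; dest=$4
  if [ ! -d "$dest/.git" ]; then
    git clone --quiet --depth 1 --single-branch --branch "$ref" "$url" "$dest"
  fi
  actual=$(git -C "$dest" rev-parse HEAD)
  if [ "$actual" != "$expected" ]; then
    echo "refusing to use $dest: HEAD is $actual, expected $expected" >&2
    return 1
  fi
  printf '%s\n' "$actual"
}

# append_once <rcfile> <line> <marker>
# Append <line> to <rcfile> at most once, keyed on a literal marker comment so
# the check does not depend on what the sourced path happens to contain, and
# return non-zero (instead of silently continuing) if the write fails.
append_once() {
  rcfile=$1; line=$2; marker=$3
  if [ -f "$rcfile" ] && grep -qF "$marker" "$rcfile"; then
    return 0
  fi
  if ! printf '\n# %s\n%s\n' "$marker" "$line" >> "$rcfile"; then
    echo "error: could not update $rcfile; add this line yourself: $line" >&2
    return 1
  fi
}

# count_marker <rcfile> <marker>: number of lines carrying the marker
count_marker() {
  grep -cF "$2" "$1" || true
}

# Usage in a bootstrap script; PYENV_REF, PYENV_SHA, PYENV_ROOT and
# PROFILE_FILE are placeholders for the values the script would define:
#   clone_pinned https://github.com/pyenv/pyenv.git "$PYENV_REF" "$PYENV_SHA" "$PYENV_ROOT"
#   append_once "$HOME/.bashrc" "[ -f \"$PROFILE_FILE\" ] && . \"$PROFILE_FILE\"" autoregister-agent-env
```

The SHA to pass is the commit a release tag resolves to at the time the pin is chosen; recording it in the script means a moved tag or a compromised mirror fails the bootstrap rather than silently changing what gets installed.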


mergify bot commented Mar 14, 2026

🧪 CI Insights

Here's what we observed from your CI run for f66a430.

🟢 All jobs passed!

But CI Insights is watching 👀

2 participants