
Image vulnerabilities fixes #6082

Open
shree1988 wants to merge 5 commits into datacommonsorg:master from shree1988:feature/image_vulnerablities_fixes

Conversation

@shree1988
Contributor

CDE-Data and CDE-Runtime-services vulnerabilities fixes
CVE-2026-24049 (Wheel), CVE-2026-23949 (Jaraco-context), CVE-2026-21441, CVE-2025-66418, CVE-2025-66471, CVE-2026-25990 (pillow), CVE-2026-2472 and CVE-2026-2472 (google-cloud-aiplatform)

@gemini-code-assist
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security posture of the CDE-Data and CDE-Runtime-services images by resolving identified vulnerabilities. It achieves this by systematically upgrading various Python and system-level dependencies within their respective Dockerfiles, ensuring that the deployed services utilize more secure and up-to-date components.

Highlights

  • Vulnerability Remediation: Addressed multiple CVEs by upgrading vulnerable dependencies in the CDE-Data and CDE-Runtime-services Docker images, including issues related to Wheel, Jaraco-context, Pillow, and Google Cloud AI Platform.
  • Dependency Upgrades: Upgraded key Python packages such as urllib3, pillow, google-cloud-aiplatform, pip, wheel, and setuptools to their latest secure versions across the affected Dockerfiles.
  • Dockerfile Enhancements: Modified Dockerfiles to include comprehensive system package updates, Python package upgrades, and optimized virtual environment creation by initially excluding pip.
Changelog
  • build/cdc_data/Dockerfile
    • Modified the virtual environment creation command to initially exclude pip.
    • Introduced a new RUN command to perform apt-get update and upgrade, followed by pip3 install --upgrade for urllib3, pillow, google-cloud-aiplatform, pip, wheel, and setuptools, concluding with apt-get clean.
  • build/cdc_services_runtime/Dockerfile
    • Extended the existing RUN command for nginx installation to also include pip install --upgrade for pip, wheel, and setuptools, and apt-get clean.
Activity
  • No specific activity (comments, reviews, progress updates) was provided for this pull request.


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request aims to fix several image vulnerabilities by upgrading Python packages in two Dockerfiles. My review focuses on ensuring these changes are implemented correctly and follow Docker best practices.

I've identified a critical issue in build/cdc_data/Dockerfile where a change breaks the virtual environment's isolation, causing packages to be installed globally. I've also provided suggestions to improve the readability and efficiency of the package installation commands in both Dockerfiles by consolidating commands and removing redundancies.


# Create a virtual env, add it to path, and install all requirements.
RUN python -m venv /workspace/venv
RUN python -m venv /workspace/venv --without-pip
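Review bot: adding `--without-pip` to this venv line leaves /workspace/venv with no pip of its own, so the `pip3 install --upgrade urllib3 pillow google-cloud-aiplatform pip wheel setuptools` this PR introduces later in the same Dockerfile resolves to the base image's pip3 and writes the upgraded packages into system site-packages, not into the venv the service actually runs from; the CVE fixes the PR title promises therefore never reach the runtime environment. Drop the flag (keep `RUN python -m venv /workspace/venv`), or address the venv explicitly with `/workspace/venv/bin/python -m pip install --upgrade pip wheel setuptools` before the requirements install, and verify in the built image with `/workspace/venv/bin/python -m pip list` that the patched versions are the ones present.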

critical

Using --without-pip creates the virtual environment without pip. As a result, the subsequent pip3 install commands on lines 53 and 57 will use the system's pip3, installing packages globally instead of within the virtual environment. This undermines the purpose of using a venv for dependency isolation.

The pip install --upgrade pip on line 82 happens after these package installations, which is too late.

To fix this, you should remove the --without-pip flag to ensure pip is part of the virtual environment from the start. If a pip upgrade is necessary, it should be done before other packages are installed.

RUN python -m venv /workspace/venv
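The review comment above describes a misconfiguration that is easy to miss in code review: a venv created with `--without-pip` followed by bare `pip`/`pip3 install` lines silently installs into the system interpreter. The script below is an added example (not code from the PR or the datacommonsorg repository) that lints a Dockerfile for exactly that pattern, so it can run as a CI gate before an image is built. The two Dockerfile fragments it checks are constructed for the example and only loosely modelled on the change under review; the path /workspace/venv and the base image tag are assumptions.

```shell
#!/bin/sh
# Added example, not part of the PR: detect a venv created with --without-pip
# that is later populated through a bare pip/pip3 call. Such a venv has no pip
# binary, so `pip3 install ...` (even with <venv>/bin first on PATH) falls back
# to the base image's pip and the upgraded packages land in system site-packages.

# check_venv_pip FILE: print the offending install lines and return 1 when FILE
# creates a venv with --without-pip and then runs pip outside <venv>/bin/;
# return 0 otherwise.
check_venv_pip() {
    f="$1"
    venv_line=$(grep -E '^RUN[[:space:]]+python[0-9.]*[[:space:]]+-m[[:space:]]+venv[[:space:]]' "$f" | head -n 1)
    case "$venv_line" in
        *--without-pip*) ;;   # only this form is a problem
        *) return 0 ;;
    esac
    # The venv directory is the first non-option word after "venv".
    venv=$(printf '%s\n' "$venv_line" \
        | sed -E 's/.*-m[[:space:]]+venv[[:space:]]+//' \
        | tr ' ' '\n' | grep -v '^--' | head -n 1)
    # pip invocations not routed through <venv>/bin/ (pip, pip3, python -m pip)
    # bypass the venv entirely. `|| true` keeps an empty result from tripping set -e.
    offenders=$(grep -nE '(^|[^[:alnum:]/_.-])pip3?[[:space:]]+install' "$f" \
        | grep -vF "$venv/bin/" || true)
    [ -z "$offenders" ] && return 0
    printf 'venv %s has no pip (--without-pip); these installs go to the system interpreter:\n%s\n' \
        "$venv" "$offenders"
    return 1
}

# verdict FILE: "bypass" or "ok", a one-word form convenient for CI gating.
verdict() {
    if check_venv_pip "$1" >/dev/null; then echo ok; else echo bypass; fi
}

# Constructed sample modelled on the change under review (assumed paths/tags).
BROKEN=$(mktemp)
cat > "$BROKEN" <<'EOF'
FROM python:3.11-slim
RUN python -m venv /workspace/venv --without-pip
ENV PATH="/workspace/venv/bin:$PATH"
RUN pip3 install --upgrade urllib3 pillow google-cloud-aiplatform pip wheel setuptools
RUN pip3 install -r requirements.txt
EOF

# Constructed corrected sample: venv keeps its pip and every install addresses it.
FIXED=$(mktemp)
cat > "$FIXED" <<'EOF'
FROM python:3.11-slim
RUN python -m venv /workspace/venv
ENV PATH="/workspace/venv/bin:$PATH"
RUN /workspace/venv/bin/python -m pip install --upgrade pip wheel setuptools
RUN /workspace/venv/bin/pip install -r requirements.txt
EOF

check_venv_pip "$BROKEN" || echo "broken sample: $(verdict "$BROKEN")"
check_venv_pip "$FIXED" && echo "fixed sample: $(verdict "$FIXED")"
```

Run it as `sh check_venv_pip.sh`, or source it and call `check_venv_pip build/cdc_data/Dockerfile` from a CI step; a non-zero exit is the signal to fail the build. The check is deliberately conservative: any pip line that mentions `<venv>/bin/` is treated as correctly targeted, so a `. <venv>/bin/activate && pip3 install` line passes even though, with `--without-pip`, activation alone would not create a pip to use.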
