Skip to content

Image vulnerablities fixes #6082

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
shree1988 wants to merge 5 commits into from
Closed

Image vulnerablities fixes #6082

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
68ebb83
cde_service_runtime image vulnerabilities
shree1988 Mar 16, 2026
6dcad73
cde_data Image vulnerabilities fixes
shree1988 Mar 16, 2026
8047a29
Image vulnerabilites fixes
shree1988 Mar 16, 2026
5e625ee
cde_data fixing command issues
shree1988 Mar 16, 2026
0951756
cde_runtime_services fixing command issue
shree1988 Mar 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 12 additions & 2 deletions build/cdc_data/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ ARG PIP_DISABLE_PIP_VERSION_CHECK=1
ARG PIP_NO_CACHE_DIR=1

# Create a virtual env, add it to path, and install all requirements.
RUN python -m venv /workspace/venv
RUN python -m venv /workspace/venv --without-pip
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot Mar 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

Using --without-pip creates the virtual environment without pip. As a result, the subsequent pip3 install commands on lines 53 and 57 will use the system's pip3, installing packages globally instead of within the virtual environment. This undermines the purpose of using a venv for dependency isolation.

The pip install --upgrade pip on line 82 happens after these package installations, which is too late.

To fix this, you should remove the --without-pip flag to ensure pip is part of the virtual environment from the start. If a pip upgrade is necessary, it should be done before other packages are installed.

RUN python -m venv /workspace/venv

ENV PATH="/workspace/venv/bin:$PATH"

# TODO: Install requirements for embeddings importer and data importer in separate virtual envs.
Expand Down Expand Up @@ -74,8 +74,18 @@ COPY build/cdc_data/run.sh .
# Make script executable.
RUN chmod +x run.sh

# Python packages upgrade to fix vulnerabilities
RUN apt-get update && apt-get -y upgrade && apt-get dist-upgrade \
&& pip3 install --upgrade \
setuptools \
"wheel==0.46.2" \
"urllib3==2.6.3" \
"pillow==12.1.1" \
"google-cloud-aiplatform==1.133.0" \
&& apt-get clean && rm -rf /var/lib/apt/lists/*

# Activate the virtual env.
ENV PATH="/workspace/venv/bin:$PATH"

# Set the default command to run the script.
CMD ["./run.sh"]
CMD ["./run.sh"]
7 changes: 6 additions & 1 deletion build/cdc_services_runtime/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,4 +28,9 @@ FROM --platform=linux/amd64 python:3.11.14-slim as runtime
COPY --from=envoy /usr/local/bin/envoy /usr/local/bin/envoy

# Install nginx.
RUN apt-get update && apt-get -y upgrade && apt update && apt install -y nginx
RUN apt-get update && apt-get -y upgrade && apt install -y nginx \
&& pip install --upgrade \
pip \
"wheel==0.46.2" \
setuptools \
&& apt-get clean && rm -rf /var/lib/apt/lists/*