@rahuldass19 rahuldass19 commented Feb 12, 2026

Summary

1. 🔒 Docker Security Fix

Changed pip install --upgrade to pip install --force-reinstall for wheel>=0.46.2, ensuring the base image's old wheel==0.45.1 metadata is fully replaced — not just shadowed.

Before: Docker Scout shows 1 High (in wheel)
After: 0 fixable vulnerabilities

2. ⚡ CircleCI Enhancement

Enhanced .circleci/config.yml from basic pytest to a full CI pipeline:

| Job | What it does | When |
| --- | --- | --- |
| build-and-test | Pytest + JUnit results (Python 3.10/3.11/3.12 matrix) | Every push |
| security-scan | pip-audit dependency vulnerability scan | After tests pass |
| docker-build | Builds Docker image + verifies SDK loads | Main branch only |

New features:

  • ✅ pip dependency caching for faster builds
  • ✅ JUnit XML test results → CircleCI Test Insights
  • pip-audit security scanning with artifact storage
  • ✅ Docker image build verification (main only)
  • ✅ Docker layer caching for fast Docker builds

Summary by CodeRabbit

  • Chores

    • CI now caches Python dependencies for faster builds.
    • Workflow renamed and reorganized for clearer job orchestration and branch controls.
    • Added automated security scanning to CI with exportable results.
    • Added Docker image build and runtime verification in CI.
    • Improved Docker build reliability by adjusting package install behavior.
  • Tests

    • Test runs now produce JUnit XML output for easier diagnostics.

coderabbitai bot commented Feb 12, 2026

📝 Walkthrough

Adds dependency caching and JUnit test output to CircleCI, introduces security-scan (runs pip-audit) and docker-build jobs, restructures workflow (renames main → ci, wires dependencies, restricts docker-build to main), and changes Dockerfile pip install to use --force-reinstall.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| CircleCI configuration: .circleci/config.yml | Adds restore/save cache for Python dependencies keyed by pyproject.toml checksum + Python version; emits pytest JUnit XML to test-results/results.xml; adds security-scan job (Python 3.12, venv, installs deps, runs pip-audit with strict/description, ignores two CVEs, stores audit-results.txt); adds docker-build job (remote Docker, builds image, runs verification container); renames workflow main → ci; makes security-scan and docker-build depend on build-and-test; restricts docker-build to main branch. |
| Dockerfile: Dockerfile | Replaces pip install --no-cache-dir --upgrade "pip>=25.0" "wheel>=0.46.2" with pip install --no-cache-dir --force-reinstall "pip>=25.0" "wheel>=0.46.2". |

Sequence Diagram(s)

sequenceDiagram
    participant CI as CircleCI (ci)
    participant Build as job: build-and-test
    participant Scan as job: security-scan
    participant DockerJob as job: docker-build
    participant Docker as Docker daemon

    CI->>Build: run build-and-test (restore cache, run pytest -> junit xml)
    Build-->>CI: upload artifacts + test-results
    CI->>Scan: start security-scan (depends on build-and-test)
    Scan->>Scan: create venv, install deps, run pip-audit -> audit-results.txt
    Scan-->>CI: upload audit-results.txt
    CI->>DockerJob: start docker-build (depends on build-and-test) [only on main]
    DockerJob->>Docker: build image
    Docker-->>DockerJob: image built
    DockerJob->>Docker: run verification container (python -c check)
    Docker-->>DockerJob: verification result
    DockerJob-->>CI: publish success/failure + artifacts

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐇 I hopped through caches, snug and neat,

I scanned the code and checked each seat.
I built an image, ran a test—so spry,
The pipeline hummed, the logs went by.
A carrot cheer for CI! 🥕

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title directly addresses the main changes in the PR: the Docker wheel force-reinstall fix for CVE-2026-24049 and CircleCI pipeline enhancements. It is concise and specific. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

No actionable comments were generated in the recent review. 🎉


codecov bot commented Feb 12, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Fix all issues with AI agents
In @.circleci/config.yml:
- Around line 45-48: The pipeline step running pip-audit currently appends "||
true" which masks failures; remove the "|| true" from the pip-audit command and
ensure the shell uses pipefail (e.g., enable set -o pipefail in the job or
runner) so that the exit code from "pip-audit --strict --desc 2>&1 | tee
audit-results.txt" can fail the workflow when vulnerabilities are found; update
the step that installs/runs pip-audit (the lines containing "pip install
pip-audit" and "pip-audit --strict --desc 2>&1 | tee audit-results.txt || true")
accordingly.
- Around line 65-67: The Verify Image step fails because the image's ENTRYPOINT
(/action_entrypoint.py) intercepts arguments so the intended python -c "..."
isn't executed; update the docker run invocation in the "Verify Image" step to
bypass the image ENTRYPOINT by adding --entrypoint python (so docker runs the
python binary directly) and keep the existing -c "import qwed_sdk; print(...)"
args; target the docker run line that references
qwedai/qwed-verification:ci-${CIRCLE_SHA1:0:7}.
- Around line 15-25: The cache path currently uses "~/.local/lib" which is too
broad and misses Python-versioned site-packages; update the restore_cache and
save_cache steps (the restore_cache, save_cache keys) to include the
Python-version-specific site-packages path and pip cache (e.g.,
"~/.local/lib/python<< parameters.python-version >>/site-packages" and
"~/.cache/pip") so caches are reused across Python versions when running the
"Install Dependencies" run step that executes "pip install
.[dev,server,symbolic]".
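
How the exit status of the audit step changes between the `|| true` form flagged above and the two ways of removing it, as an added example that is not part of the PR or the review output. `AUDIT` is a constructed stand-in for a pip-audit run that exits non-zero, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example. AUDIT is a constructed stand-in for a pip-audit run that
# reports a finding: it prints one line and exits 1. No real scan is performed.
AUDIT='sh -c "echo constructed-finding: examplepkg 1.0; exit 1"'

# Each variant runs in a fresh bash, like a separate CI run step, writes the
# audit output to the file given as $1, and returns the step's exit status.

# Form flagged in the review: "|| true" forces the step to succeed.
step_masked() {
  bash -c "$AUDIT 2>&1 | tee \"\$1\" >/dev/null || true" _ "$1"
}

# "|| true" removed, pipefail off: the status is tee's (0), not the audit's.
step_without_pipefail() {
  bash +o pipefail -c "$AUDIT 2>&1 | tee \"\$1\" >/dev/null" _ "$1"
}

# "|| true" removed, pipefail on: the audit's exit 1 becomes the step status.
step_with_pipefail() {
  bash -o pipefail -c "$AUDIT 2>&1 | tee \"\$1\" >/dev/null" _ "$1"
}

# Run all three and report "masked=<rc> no_pipefail=<rc> pipefail=<rc>".
compare_steps() {
  local out rc_masked=0 rc_plain=0 rc_strict=0
  out=$(mktemp)
  step_masked "$out" || rc_masked=$?
  step_without_pipefail "$out" || rc_plain=$?
  step_with_pipefail "$out" || rc_strict=$?
  rm -f "$out"
  echo "masked=$rc_masked no_pipefail=$rc_plain pipefail=$rc_strict"
}

compare_steps
```

In all three variants `tee` still writes the audit output to the file, so the stored artifact is the same; only the step's pass/fail signal differs.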

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.circleci/config.yml:
- Around line 53-56: Add documented justification for the two ignored CVEs in
the pip-audit step so future maintainers understand the risk acceptance: update
the .circleci/config.yml pip-audit invocation (the line running
/tmp/audit-env/bin/pip-audit) to reference a short comment or link to a new
audit exception document that explains why CVE-2025-8869 and CVE-2026-1703 are
acceptable to ignore in our deployment model (e.g., sdist/wheel sources are
validated, runtime environment constraints, or compensating controls), and
include the document path or ticket ID in the pipeline output
(audit-results.txt) for auditability.
🧹 Nitpick comments (1)
.circleci/config.yml (1)

15-26: Fallback cache key may restore incompatible packages across Python versions.

The fallback key pip-v1- will match caches from any Python version. If Python 3.10 cache is restored for a 3.12 job, the version-specific path (~/.local/lib/python3.10/...) won't exist at python3.12/..., making the cache ineffective. Include version in the fallback:

Suggested fix
       - restore_cache:
           keys:
             - pip-v1-{{ checksum "pyproject.toml" }}-<< parameters.python-version >>
-            - pip-v1-
+            - pip-v1-<< parameters.python-version >>-
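
Review bot: the new fallback `pip-v1-<< parameters.python-version >>-` cannot match the primary key on the unchanged line above it, which puts the checksum before the version (`pip-v1-{{ checksum "pyproject.toml" }}-<< parameters.python-version >>`). CircleCI matches restore keys by prefix, so if save_cache writes under that same primary key, no saved key starts with `pip-v1-<version>-` and the fallback never restores anything. Reorder the primary key to `pip-v1-<< parameters.python-version >>-{{ checksum "pyproject.toml" }}` in both restore_cache and save_cache so the version-scoped prefix works as a real fallback.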

@rahuldass19 rahuldass19 merged commit a14da87 into main Feb 12, 2026
24 checks passed