Merged
56 changes: 53 additions & 3 deletions .circleci/config.yml
Expand Up @@ -12,23 +12,73 @@ jobs:
- image: cimg/python:<< parameters.python-version >>
steps:
- checkout
- restore_cache:
keys:
- pip-{{ checksum "pyproject.toml" }}-<< parameters.python-version >>
- pip-
- run:
name: Install Dependencies
command: pip install .[dev,server,symbolic]
- save_cache:
key: pip-{{ checksum "pyproject.toml" }}-<< parameters.python-version >>
paths:
- ~/.local/lib
- run:
name: Run Tests
command: |
# Run pytest with coverage as configured in pyproject.toml
pytest
mkdir -p test-results
pytest --junitxml=test-results/results.xml
- store_test_results:
path: test-results
- store_artifacts:
path: htmlcov

security-scan:
docker:
- image: cimg/python:3.12
steps:
- checkout
- run:
name: Install Dependencies
command: pip install .[dev,server,symbolic]
- run:
name: Run pip-audit
command: |
pip install pip-audit
pip-audit --strict --desc 2>&1 | tee audit-results.txt || true
- store_artifacts:
path: audit-results.txt

docker-build:
docker:
- image: cimg/base:current
steps:
- checkout
- setup_remote_docker:
version: docker24
docker_layer_caching: true
- run:
name: Build Docker Image
command: |
docker build -t qwedai/qwed-verification:ci-${CIRCLE_SHA1:0:7} .
- run:
name: Verify Image
command: |
docker run --rm qwedai/qwed-verification:ci-${CIRCLE_SHA1:0:7} python -c "import qwed_sdk; print('QWED SDK loaded successfully')"

workflows:
main:
ci:
jobs:
- build-and-test:
matrix:
parameters:
python-version: ["3.10", "3.11", "3.12"]
- security-scan:
requires:
- build-and-test
- docker-build:
requires:
- build-and-test
filters:
branches:
only: main
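Review bot: In the security-scan job, the trailing `|| true` on the pip-audit command makes the step exit 0 whatever the audit reports, so a dependency with a known advisory never fails the pipeline and the finding is only visible to someone who opens the audit-results.txt artifact. If the scan is meant to gate, end the command at `pip-audit --strict --desc 2>&1 | tee audit-results.txt` (this relies on pipefail being set for the step's shell) and make sure the artifact is still uploaded when that step fails. If it is meant to be advisory only, say so in a comment above the command. In the workflow, docker-build requires only build-and-test, so the image build on main does not wait for the scan either way.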
2 changes: 1 addition & 1 deletion Dockerfile
Expand Up @@ -28,7 +28,7 @@ COPY requirements.txt /app/requirements.txt
# Vulnerability Fix: Upgrade pip and wheel to patch base image CVEs
# CVE-2026-24049 (Critical): wheel<=0.46.1 -> 0.46.2
# CVE-2025-8869 (Medium): pip==24.0 -> latest
RUN pip install --no-cache-dir --upgrade "pip>=25.0" "wheel>=0.46.2"
RUN pip install --no-cache-dir --force-reinstall "pip>=25.0" "wheel>=0.46.2"

# Install dependencies with hash verification
# Vulnerability Fix: Pin versions with hashes to prevent supply chain attacks
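Review bot: The RUN line that reinstalls pip and wheel resolves both from a lower bound only (`"pip>=25.0" "wheel>=0.46.2"`), so every build pulls whichever release is newest at that moment, without hashes, just before the step the following comment describes as hash-verified. Assuming the `--force-reinstall` line is the new side, consider pinning exact versions there, for example `"wheel==0.46.2"` as named in the comment above, plus an exact pip version of your choosing. The comment block also does not say why `--upgrade` was not enough, so a one-line comment giving the reason for `--force-reinstall` would help the next maintainer. The rest of the Dockerfile is outside the hunk, so whether a later step reinstalls either package cannot be checked from here.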