Update ensurepip to avoid vulnerabilities in wheels (#35856)

* Update Dockerfile

* Use python version

* Readd arg which gets stripped after FROM

* Use semicolons

Author: damccorm

sdks/python/container/Dockerfile

@@ -30,6 +30,7 @@ ENV CLOUDSDK_CORE_DISABLE_PROMPTS yes
 ENV PATH $PATH:/usr/local/gcloud/google-cloud-sdk/bin
 
 # Use one RUN command to reduce the number of layers.
+ARG py_version
 RUN  \
     # Install native bindings required for dependencies.
     apt-get update && \
@@ -80,7 +81,15 @@ RUN  \
     pip freeze --all && \
 
     # Remove pip cache.
-    rm -rf /root/.cache/pip
+    rm -rf /root/.cache/pip && \
+
+    # Update ensurepip to use most recent versions of setuptools and pip. This avoids some vulnerabilities which won't be fixed on older versions of python.
+    pip install upgrade_ensurepip; \
+    python3 -m upgrade_ensurepip; \
+    find /usr/local/lib/python${py_version}/ensurepip/_bundled/setuptools-* -type f ! -name $(basename $(ls -v /usr/local/lib/python${py_version}/ensurepip/_bundled/setuptools-*-py3-none-any.whl | tail -n 1)) -delete; \
+    find /usr/local/lib/python${py_version}/ensurepip/_bundled/pip-* -type f ! -name $(basename $(ls -v /usr/local/lib/python${py_version}/ensurepip/_bundled/pip-*-py3-none-any.whl | tail -n 1)) -delete; \
+    pip uninstall upgrade_ensurepip -y; \
+    python3 -m ensurepip;
 
 ENTRYPOINT ["/opt/apache/beam/boot"]