[python] - Rework - Security updates for GHSA-58pv-8j8x-9vj2: jaraco.context and GHSA-8rrh-rw8j-w5fx: wheel

src/python/.devcontainer/Dockerfile

@@ -9,10 +9,9 @@ RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
 # Temporary: Upgrade python packages due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40897 and https://github.com/advisories/GHSA-2mqj-m65w-jghx
 # They are installed by the base image (python) which does not have the patch.
 RUN python3 -m pip install --upgrade \
-    setuptools==78.1.1 \
     gitpython==3.1.50 \
-    jaraco.context==6.1.0 \
-    wheel==0.46.2
+    setuptools==82.0.1 \
+    wheel==0.46.3
 
 # Fixing vulnerability issue by upgrading svn to 1.14.5. Ref https://subversion.apache.org/security/CVE-2024-46901-advisory.txt
 COPY ./scripts/install-subversion.sh /tmp/install-subversion.sh

src/python/manifest.json

@@ -1,5 +1,5 @@
 {
-	"version": "3.1.3",
+	"version": "3.1.4",
 	"variants": [
 		"3.14-trixie",
 		"3.13-trixie",

src/python/test-project/test-utils.sh

@@ -44,6 +44,36 @@ check-version-ge() {
     fi
 }
 
+# Fails if any copy of a package below the required version is bundled anywhere on
+# the filesystem. These can be vendored inside setuptools/_vendor or other virtual
+# envs (e.g. pipenv), which a top-level importlib.metadata version lookup misses.
+checkNoVulnerablePackage() {
+    LABEL=$1
+    PACKAGE_PREFIX=$2
+    REQUIRED_VERSION=$3
+    echo -e "\n🧪 Testing $LABEL: no '$PACKAGE_PREFIX' < '$REQUIRED_VERSION' on the filesystem"
+    local found_vulnerable=0
+    while IFS= read -r dist_info; do
+        local name version greater
+        name="$(basename "${dist_info}")"
+        version="${name#${PACKAGE_PREFIX}-}"
+        version="${version%.dist-info}"
+        greater="$( (echo "${version}"; echo "${REQUIRED_VERSION}") | sort -V | tail -1 )"
+        if [ "${version}" != "${greater}" ]; then
+            echoStderr "Found vulnerable ${PACKAGE_PREFIX} ${version} at: ${dist_info}"
+            found_vulnerable=1
+        fi
+    done < <(find / -type d -name "${PACKAGE_PREFIX}-*.dist-info" 2>/dev/null)
+    if [ ${found_vulnerable} -eq 0 ]; then
+        echo "✅  Passed!"
+        return 0
+    else
+        echoStderr "❌ $LABEL check failed."
+        FAILED+=("$LABEL")
+        return 1
+    fi
+}
+
 checkMultiple() {
     PASSED=0
     LABEL="$1"

src/python/test-project/test.sh

@@ -51,13 +51,15 @@ https://github.com/advisories/GHSA-v87r-6q3f-2j67
 gitpython_version=$(python -c "import git; print(git.__version__)")
 check-version-ge "gitpython-requirement" "${gitpython_version}" "3.1.50"
 
-# GHSA-58pv-8j8x-9vj2: jaraco.context
-jaraco_context_version=$(python -c "from importlib.metadata import version; print(version('jaraco.context'))")
-check-version-ge "jaraco-context-requirement" "${jaraco_context_version}" "6.1.0"
-
 # GHSA-8rrh-rw8j-w5fx: wheel
 wheel_version=$(python -c "from importlib.metadata import version; print(version('wheel'))")
 check-version-ge "wheel-requirement" "${wheel_version}" "0.46.2"
 
+# Ensure no vulnerable copies are bundled anywhere on the filesystem. These can be
+# vendored inside setuptools/_vendor or other virtual envs (e.g. pipenv), which the
+# importlib.metadata top-level lookup above does not catch.
+checkNoVulnerablePackage "no-vulnerable-jaraco-context" "jaraco_context" "6.1.0"
+checkNoVulnerablePackage "no-vulnerable-wheel" "wheel" "0.46.2"
+
 # Report result
 reportResults