[universal] Bump Python SDK versions (#831)

* Bump Python SDKs versions

- v3.10: 3.10.8 -> 3.10.13
- v3.9: 3.9.16 -> 3.9.18

* [patch-conda] Remove outdated patches

* [patch-python] Remove outdated patches

* [patch-python/patch-conda] Add `pip show` command

* [test-utils] Update `checkPythonPackageVersion` function to make it generic

* [patch-python] Rework `update_package` feature

Author: alexander-smolyakov

src/universal/.devcontainer/devcontainer.json

@@ -23,8 +23,8 @@
         },
         "./local-features/nvs": "latest",
         "ghcr.io/devcontainers/features/python:1": {
-            "version": "3.10.8",
-            "additionalVersions": "3.9.16",
+            "version": "3.10.13",
+            "additionalVersions": "3.9.18",
             "installJupyterlab": "true",
             "configureJupyterlabAllowOrigin": "*",
             "useOryxIfAvailable": "false"

src/universal/.devcontainer/local-features/patch-conda/install.sh

@@ -36,6 +36,7 @@ update_python_package() {
 
     sudo_if "$PYTHON_PATH -m pip uninstall --yes $PACKAGE"
     sudo_if "$PYTHON_PATH -m pip install --upgrade --no-cache-dir $PACKAGE==$VERSION"
+    sudo_if "$PYTHON_PATH -m pip show --no-python-version-warning $PACKAGE"
 }
 
 update_conda_package() {
@@ -50,14 +51,8 @@ sudo_if /opt/conda/bin/python3 -m pip install --upgrade pip
 # Temporary: Upgrade python packages due to security vulnerabilities
 # They are installed by the conda feature and Conda distribution does not have the patches.
 
-# pyopenssl should be updated to be compatible with latest version of cryptography
-update_conda_package pyopenssl "23.2.0"
-
 # https://github.com/advisories/GHSA-v8gr-m533-ghj9
 update_python_package /opt/conda/bin/python3 cryptography "41.0.4"
 
-# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32681
-update_conda_package requests "2.31.0"
-
 # https://github.com/advisories/GHSA-v845-jxx5-vc9f
 update_conda_package urllib3 "1.26.18"

src/universal/.devcontainer/local-features/patch-python/install.sh

@@ -32,17 +32,15 @@ sudo_if() {
 update_package() {
     PYTHON_PATH=$1
     PACKAGE=$2
+    VERSION=$3
 
     sudo_if "$PYTHON_PATH -m pip uninstall --yes $PACKAGE"
-    sudo_if "$PYTHON_PATH -m pip install --upgrade --no-cache-dir $PACKAGE"
+    sudo_if "$PYTHON_PATH -m pip install --upgrade --no-cache-dir $PACKAGE==$VERSION"
+    sudo_if "$PYTHON_PATH -m pip show --no-python-version-warning $PACKAGE"
 }
 
 # Temporary: Upgrade python packages due to security vulnerabilities
 # They are installed by the base image (python) which does not have the patch.
 
 # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40897
-update_package /usr/local/python/3.9.*/bin/python setuptools==65.5.1
-update_package /usr/local/python/3.10.*/bin/python setuptools==68.0.0
-
-# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32681
-update_package /usr/local/python/3.10.*/bin/python requests==2.31.0
+update_package /usr/local/python/3.9.*/bin/python setuptools 65.5.1

src/universal/test-project/test-utils.sh

@@ -224,7 +224,7 @@ checkPythonPackageVersion()
     PACKAGE=$2
     REQUIRED_VERSION=$3
 
-    current_version=$(${PYTHON_PATH} -c "import ${PACKAGE}; print(${PACKAGE}.__version__)")
+    current_version=$(${PYTHON_PATH} -c "import importlib.metadata; print(importlib.metadata.version('${PACKAGE}'))")
     check-version-ge "${PACKAGE}-requirement" "${current_version}" "${REQUIRED_VERSION}"
 }