[universal] Update setuptools package for Python v3.9 due to CVE-2022-40897 (devcontainers#519)

alexander-smolyakov · web-flow · commit 995c65097c31 · 2023-04-06T10:02:13.000-07:00
* [universal] Update setuptools due to CVE-2022-40897 - Bump Python 3.9 minor version - Updated Dockerfile to install updated versions of `setuptools` package - Added test to verify `setuptools` minimum version * Revert "[universal] Update setuptools due to CVE-2022-40897" This reverts commit 011db92. * Rework: [universal] Update setuptools due to CVE-2022-40897 - Bump Python version 3.9.7 -> 3.9.16 - Update `setup-user` local feature to install updated `setuptools` package for Python v3.9.16 - Add tests to verify the `setuptools` minimum version for Python distributions * Address review comments - Replace Python minor version with an asterisk in the path to make the path to Python distribution universal - Update tests to provide more context regarding version checks
diff --git a/src/universal/.devcontainer/devcontainer.json b/src/universal/.devcontainer/devcontainer.json
@@ -24,7 +24,7 @@
         "./local-features/nvs": "latest",
         "ghcr.io/devcontainers/features/python:1": {
             "version": "3.10.4",
-            "additionalVersions": "3.9.7",
+            "additionalVersions": "3.9.16",
             "installJupyterlab": "true",
             "configureJupyterlabAllowOrigin": "*"
         },
diff --git a/src/universal/.devcontainer/local-features/setup-user/install.sh b/src/universal/.devcontainer/local-features/setup-user/install.sh
@@ -45,6 +45,8 @@ sudo_if() {
 # They are installed by the base image (python) which does not have the patch.
 sudo_if /usr/local/python/current/bin/python -m pip uninstall --yes setuptools
 sudo_if /usr/local/python/current/bin/python -m pip install --user --upgrade --no-cache-dir setuptools
+sudo_if /usr/local/python/3.9.*/bin/python -m pip uninstall --yes setuptools
+sudo_if /usr/local/python/3.9.*/bin/python -m pip install --user --upgrade --no-cache-dir setuptools
 
 # Enables the oryx tool to generate manifest-dir which is needed for running the postcreate tool
 DEBIAN_FLAVOR="focal-scm"
diff --git a/src/universal/test-project/test.sh b/src/universal/test-project/test.sh
@@ -189,5 +189,11 @@ check-version-ge "wheel-requirement" "${wheel_version}" "0.38.1"
 
 ls -la /home/codespace
 
+setuptools_version_py_current=$(python -c "import setuptools; print(setuptools.__version__)")
+check-version-ge "setuptools-requirement-python_current" "${setuptools_version_py_current}" "65.5.1"
+
+setuptools_version_py_39=$(/usr/local/python/3.9.*/bin/python -c "import setuptools; print(setuptools.__version__)")
+check-version-ge "setuptools-requirement-python_39" "${setuptools_version_py_39}" "65.5.1"
+
 # Report result
 reportResults
