[feat]: to solve last batch of proj 24 25 and training vulnerabilities (#4972)

* [feat]: Fix image vulnerabilities

* [feat]: fix forecasting gpu

* [feat]: Resolve vulnerabilities on train and proj 24 images

* Update Dockerfile to fix vulnerabilities and upgrade packages

Removed onnx installation and upgraded several packages including onnx to version 1.21.0 to address vulnerabilities.

* Remove unnecessary conda run command in tensorflow-2.16-cuda12

* [feat]: Fix proj 24 25 vulnerabilities and training image vulnerabilities

* [feat]: Vulnerabilities in aoai image

* Fix huggingface-hub version conflicts for acft-transformers-image-gpu and acft-hf-nlp-gpu

transformers 5.x requires huggingface-hub>=1.3.0 but both images pinned
old 0.x versions causing pip ResolutionImpossible errors during builds.

- acft-transformers-image-gpu: 0.30.0 -> >=1.3.0
- acft-hf-nlp-gpu: 0.34.3 -> >=1.3.0

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Yeshwanth Nagaraj <ynagaraj@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: 3 people

assets/training/aoai/proxy_components/environments/context/requirements.txt

@@ -8,8 +8,8 @@ azureml-telemetry==1.56.0
 pydantic==2.7.0
 idna>=3.7
 azure-keyvault-secrets==4.8.0
-requests==2.32.5
+requests==2.33.0
 urllib3==2.6.3
-pillow==12.1.1
-cryptography>=46.0.5
+pillow==12.2.0
+cryptography>=46.0.7
 wheel>=0.46.2

assets/training/automl/environments/ai-ml-automl-dnn-vision-gpu/context/Dockerfile

@@ -74,7 +74,7 @@ RUN pip install --no-cache-dir \
                 azureml-interpret=={{latest-pypi-version}} \
                 'azureml-dataprep>=2.24.4' \
                 'azure-identity>=1.25.1' \
-                'pillow==12.1.1'
+                'pillow==12.2.0'
                 # end pypi dependencies
 
 # Install packages with torch packages separately to reduce layer size
@@ -85,27 +85,34 @@ RUN pip install --no-cache-dir \
 
 # Vulnerability patches for conda environment
 # NOTE: azureml-mlflow~=1.62.0 pins cryptography<46.0.0; upgrading anyway for CVE fix
+# NOTE: azureml-automl-runtime pins onnx<=1.17.0,>=1.16.1; force-installing onnx>=1.21.0 to fix
+#       GHSA-cmw6-hcpp-c6jp, GHSA-538c-55jv-c5g9, GHSA-q56x-g2fj-4rj6, GHSA-p433-9wv8-28xj,
+#       GHSA-3r9x-f23j-gc73, GHSA-hqmj-h5c6-369m. Parent azureml-automl-runtime (1.62.0) cannot
+#       be upgraded as latest still constrains onnx<=1.17.0.
 RUN pip install --no-cache-dir --upgrade \
                 'cryptography>=46.0.5' \
                 'distributed>=2026.1.0' \
                 'mlflow-skinny>=2.16.0' \ 
                 'bokeh>=3.8.2' \
-                'pillow==12.1.1'
+                'pillow==12.2.0' \
+                'onnx>=1.21.0'
 
 
 
 
 # Vulnerability patches for ptca environment
 RUN /opt/conda/envs/ptca/bin/pip install --upgrade \
-                'pillow==12.1.1' 'filelock>=3.20.3' 'cryptography>=46.0.5' 'protobuf>=6.33.5' 'wheel>=0.46.2'
+                'pillow==12.2.0' 'filelock>=3.20.3' 'cryptography>=46.0.5' 'protobuf>=6.33.5' 'wheel>=0.46.2' \
+                'pytest>=9.0.3'
 # setuptools resolver picks wrong version due to dep conflicts; force install to fix jaraco.context vuln (GHSA-58pv-8j8x-9vj2)
 # setuptools vendors jaraco.context internally; --force-reinstall --no-deps ensures vendored copies are replaced
 RUN /opt/conda/envs/ptca/bin/pip install --no-cache-dir --force-reinstall --no-deps 'setuptools==82.0.1'
 
 RUN conda run -n base pip install --no-cache-dir --upgrade \
                 'cryptography>=46.0.5' \
                 'wheel>=0.46.2' \
-                'PyJWT>=2.12.0'
+                'PyJWT>=2.12.0' \
+                'aiohttp>=3.13.4'
 # PyJWT 2.10.1 (CVE-2026-32597) is installed in the base conda env (python3.13) from ACPT base image; manually upgrading since base image hasn't been patched yet
 # Fix vendored jaraco.context (GHSA-58pv-8j8x-9vj2) and wheel (GHSA-8rrh-rw8j-w5fx) in base setuptools
 # setuptools vendors jaraco.context internally; --force-reinstall --no-deps ensures vendored copies are replaced

assets/training/automl/environments/ai-ml-automl-dnn/context/Dockerfile

@@ -99,8 +99,16 @@ RUN pip install \
 # bokeh>=3.8.2             GHSA-793v-589g-574v  conda env installs 2.4.3, pip can't auto-upgrade
 #                          Chain (L1): azureml-train-automl-runtime -> bokeh
 #                          Chain (L2): prophet -> dask -> bokeh
+#
+# onnx>=1.21.0             GHSA-cmw6-hcpp-c6jp, GHSA-538c-55jv-c5g9, GHSA-q56x-g2fj-4rj6,
+#                          GHSA-p433-9wv8-28xj, GHSA-3r9x-f23j-gc73, GHSA-hqmj-h5c6-369m
+#                          azureml-automl-runtime pins onnx<=1.17.0; latest release (1.62.0)
+#                          still carries that upper bound, so a parent-package upgrade cannot
+#                          resolve the CVEs.  Override required.
+#                          Chain (L1): azureml-automl-runtime -> onnx
 RUN pip install --upgrade 'distributed>=2026.1.0' 'protobuf>=5.29.6' 'cryptography>=46.0.5' \
-    'bokeh>=3.8.2'  # bokeh: conda env installs 2.4.3, override needed for GHSA-793v-589g-574v
+    'bokeh>=3.8.2' \
+    'onnx>=1.21.0'  # onnx: override azureml-automl-runtime pin for 6 GHSA CVEs
 RUN rm -rf /opt/miniconda/pkgs/
 
 ENV LD_LIBRARY_PATH=$AZUREML_CONDA_ENVIRONMENT_PATH/lib:$LD_LIBRARY_PATH

assets/training/automl/environments/ai-ml-automl-gpu/context/Dockerfile

@@ -107,7 +107,16 @@ RUN pip install \
 #   conda env installs 2.4.3, pip can't auto-upgrade
 #   Chain L1: azureml-train-automl-runtime -> bokeh<3.0.0
 #   Chain L2: azureml-train-automl-runtime -> dask[complete] -> bokeh (via [diagnostics] extra)
+#
+# onnx>=1.21.0 — GHSA-3r9x-f23j-gc73, GHSA-p433-9wv8-28xj, GHSA-q56x-g2fj-4rj6,
+#                GHSA-538c-55jv-c5g9, GHSA-cmw6-hcpp-c6jp, GHSA-hqmj-h5c6-369m
+#   Parent packages cap onnx<=1.17.0; upgrading the parent is not possible because
+#   both azureml-automl-runtime==1.62.0 and azureml-train-automl-runtime==1.62.0
+#   (the latest releases) still enforce onnx<=1.17.0,>=1.16.1.
+#   Override is required to remediate the vulnerability.
+#   Chain: azureml-automl-runtime / azureml-train-automl-runtime -> onnx<=1.17.0
 RUN pip install --upgrade 'distributed>=2026.1.0' 'cryptography>=46.0.5' 'setuptools>=82.0.1' 'mlflow-skinny>=2.16.0' \
-    'bokeh>=3.8.2'  # bokeh: conda env installs 2.4.3, override needed for GHSA-793v-589g-574v
+    'bokeh>=3.8.2' \
+    'onnx>=1.21.0'
 
 ENV LD_LIBRARY_PATH=$AZUREML_CONDA_ENVIRONMENT_PATH/lib:$LD_LIBRARY_PATH

assets/training/automl/environments/ai-ml-automl/context/Dockerfile

@@ -65,7 +65,7 @@ RUN pip install \
                 'prophet==1.1.4' \
                 'inference-schema' \
                 'mltable>=1.0.0' \
-                'pillow==12.1.1'
+                'pillow==12.2.0'
                 # end pypi dependencies
 # end pip install
 
@@ -97,5 +97,11 @@ RUN pip install --upgrade \
     'cryptography>=46.0.5' \
     'protobuf>=5.29.6' \
     'distributed>=2026.1.0' \
-    'bokeh>=3.8.2'  # bokeh: conda env installs 2.4.3, override needed for GHSA-793v-589g-574v
+    'bokeh>=3.8.2' \
+    'onnx>=1.21.0' \
+    'pillow>=12.2.0'
+# onnx: azureml-automl-runtime pins onnx<=1.17.0; override needed for
+#   GHSA-3r9x-f23j-gc73, GHSA-p433-9wv8-28xj, GHSA-q56x-g2fj-4rj6,
+#   GHSA-538c-55jv-c5g9, GHSA-cmw6-hcpp-c6jp, GHSA-hqmj-h5c6-369m
+# pillow: upgraded from 12.1.1 for GHSA-whj4-6x5x-4v2j
 # end pip ad-hoc

assets/training/finetune_acft_hf_nlp/environments/acpt-draft/context/Dockerfile

@@ -13,6 +13,9 @@ RUN apt-get update && apt-get -y upgrade && \
 RUN conda run -n base python -m pip install --upgrade pip==26.0 wheel==0.46.2 setuptools==82.0.0 cryptography==46.0.7 'aiohttp>=3.13.4' 'requests>=2.33.0'
 COPY requirements.txt .
 RUN pip install -r requirements.txt --no-cache-dir
+# GHSA-jx93-g359-86wm, GHSA-hvwj-8w5g-28rg: sglang vulnerabilities; patched in >=0.5.10
+# specforge 0.1.0 pins sglang==0.5.5; override needed after specforge install.
+RUN pip install --no-cache-dir --force-reinstall "sglang>=0.5.10"
 
 RUN pip install azureml-acft-common-components=={{latest-pypi-version}}
 RUN pip install numpy==2.2.5
@@ -21,10 +24,14 @@ RUN pip install azureml-evaluate-mlflow=={{latest-pypi-version}}
 # following are for vulnerability overrides at later\
 # release of following packages consider moving then to requirements.txt
 RUN pip install --no-cache-dir --force-reinstall "mlflow>=3.2.0,<4.0.0"
-RUN pip install --no-cache-dir --upgrade "wandb>=0.23.0"
+# wandb>=0.26.0: fixes Go stdlib vulnerabilities (GO-2026-4864/4865/4866/4869/4870/4946/4947)
+# in bundled wandb-core binary (Go stdlib v1.26.1 -> v1.26.2)
+RUN pip install --no-cache-dir --upgrade "wandb>=0.26.0"
 # GHSA-7rgv-gqhr-fxg3: xgrammar stack exhaustion DoS; patched in 0.1.32
 RUN pip install xgrammar==0.1.32
-RUN pip install transformers==4.57.1
+# GHSA-69w3-r845-3855 (CVE-2026-1839): arbitrary code execution in Trainer class;
+# patched only in transformers>=5.0.0rc3. Upgrading to latest stable 5.x.
+RUN pip install transformers==5.5.4
 # upgrade pip, wheel, setuptools and transitive deps to fix vulnerabilities
 # protobuf: wandb/google-cloud-storage cap <7, override needed
 # cryptography: azureml-mlflow pins <46.0.0; override needed for CVE fix
@@ -35,6 +42,11 @@ RUN pip install transformers==4.57.1
 # requests: transitive dep of azure-core/mlflow/transformers; parents use loose floors (GHSA-gc5v-m9x4-r6x2)
 RUN pip install --upgrade pip==26.0 wheel==0.46.2 setuptools==82.0.0 cryptography==46.0.7 protobuf==6.33.5 \
     'aiohttp>=3.13.4' 'requests>=2.33.0' 'onnx>=1.21.0' 'fastmcp>=3.2.0' 'anthropic>=0.87.0'
+# GHSA-6w46-j5rx-g56g (CVE-2025-71176): pytest tmpdir vulnerability; patched in >=9.0.3
+# pytest is a transitive dep from base image; no parent upgrade available, override needed.
+# GHSA-v92g-xgxw-vvmm: Mako XSS vulnerability; patched in >=1.3.11
+# Mako is a transitive dep of alembic; alembic does not yet pin Mako>=1.3.11, override needed.
+RUN pip install --no-cache-dir --upgrade "pytest>=9.0.3" "Mako>=1.3.11"
 # Fix vulnerabilities in the ptca conda environment (pre-built in base image, not targeted by above installs)
 # CVE-2026-1703 (pip), CVE-2026-24049 (wheel)
 RUN /opt/conda/envs/ptca/bin/pip install --no-cache-dir --upgrade "pip>=26.0" "wheel>=0.46.2" && \

assets/training/finetune_acft_hf_nlp/environments/acpt-draft/context/requirements.txt

@@ -2,6 +2,5 @@ accelerate==1.6.0
 azureml-acft-contrib-hf-nlp=={{latest-pypi-version}}
 datasets==3.6.0
 pillow==12.1.1
-sglang==0.5.5
 git+https://github.com/sgl-project/SpecForge.git@34b58831caabdd8a4862258b380f9e49fbfe1b54
 filelock>=3.20.1

assets/training/finetune_acft_hf_nlp/environments/acpt-grpo/context/Dockerfile

@@ -10,7 +10,9 @@ RUN pip install -r requirements.txt --no-cache-dir
 
 RUN pip install azureml-evaluate-mlflow=={{latest-pypi-version}}
 RUN pip install azureml-acft-common-components=={{latest-pypi-version}}
-RUN pip install transformers==4.56.0
+# transformers 5.5.4: fixes GHSA-69w3-r845-3855 (arbitrary code execution in Trainer class);
+# advisory requires >=5.0.0rc3; upgrading to latest stable 5.x
+RUN pip install transformers==5.5.4
 
 # mlflow 3.5.0 has CVEs (CVE-2025-14287, CVE-2026-2033, CVE-2026-2635); upgrade after azureml packages
 # azureml-evaluate-mlflow → azureml-mlflow pins mlflow-skinny<=3.5.0, conflicting with mlflow 3.10.1
@@ -24,16 +26,19 @@ RUN pip install --no-cache-dir mlflow==3.10.1
 # nltk: GHSA-gfwx-w7gr-fvh7; >=3.9.4 required
 # filelock: transitive dep of torch/huggingface-hub; parents use loose floor (GHSA-qmgc-5h2g-mvrw)
 # urllib3: transitive dep of requests; parent uses urllib3>=1.21.1,<3 (GHSA-38jv-5279-wg99)
-# ray: GHSA-q5fh-2hc8-f6rq; >=2.54.0 required
+# ray: GHSA-q5fh-2hc8-f6rq; >=2.54.0 required; also bundles log4j-core in JARs
+#   log4j-core 2.25.3→2.25.4: GHSA-3pxv-7cmr-fjr4, GHSA-445c-vh5m-36rj, GHSA-6hg6-v5c8-fphq
 # azure-core: transitive dep of Azure SDKs; parents use loose floor (GHSA-jm66-cg57-jjv5)
+# pytest: GHSA-6w46-j5rx-g56g (vulnerable tmpdir handling); from base image, override needed
 # cbor2: transitive dep via azure-identity → msal-extensions; parent uses loose floor (GHSA-3c37-wwvx-h642)
 # jaraco.context: transitive dep of keyring; parent uses loose floor (GHSA-58pv-8j8x-9vj2)
 # mlflow: GHSA-r23q-823p-vmf7 etc.; azureml-mlflow pins mlflow-skinny<=3.5.0, override needed
 # vllm: GHSA-pq5c-rjhq-qp7p, GHSA-3mwp-wvh9-7528 etc.; >=0.19.0 required
 RUN pip install --upgrade pip==26.0 wheel==0.46.2 setuptools==82.0.0 protobuf==6.33.5 cryptography==46.0.7 'xgrammar>=0.1.32' \
     'aiohttp>=3.13.4' 'requests>=2.33.0' 'onnx>=1.21.0' 'nltk>=3.9.4' 'pyasn1>=0.6.3' \
-    'python-multipart>=0.0.22' 'pillow>=12.1.1' 'filelock>=3.20.3' 'urllib3>=2.6.3' 'ray>=2.54.0' \
-    'azure-core>=1.38.0' 'cbor2>=5.9.0' 'jaraco.context>=6.1.0' 'PyJWT>=2.12.0' 'mlflow>=3.8.1,<4.0.0' 'vllm>=0.19.0'
+    'python-multipart>=0.0.22' 'pillow>=12.1.1' 'filelock>=3.20.3' 'urllib3>=2.6.3' 'ray>=2.55.0' \
+    'azure-core>=1.38.0' 'cbor2>=5.9.0' 'jaraco.context>=6.1.0' 'PyJWT>=2.12.0' 'mlflow>=3.8.1,<4.0.0' 'vllm>=0.19.0' \
+    'pytest>=9.0.3'
 # clean conda and pip caches
 RUN rm -rf ~/.cache/pip
 # pip install updates the binary but conda-meta still references old versions; conda install syncs both

assets/training/finetune_acft_hf_nlp/environments/acpt-rft/context/Dockerfile

@@ -17,14 +17,17 @@ RUN pip install sacrebleu==2.5.1
 COPY tracking /opt/conda/envs/ptca/lib/python3.10/site-packages/verl/utils/tracking.py
 
 RUN pip install --no-cache-dir accelerate==1.10.0
-RUN pip install --no-cache-dir sglang==0.5.4
+RUN pip install --no-cache-dir sglang==0.5.10
 RUN pip install --no-cache-dir sgl-kernel==0.3.16.post3
 
 RUN pip uninstall -y mlflow 
 RUN pip install --no-cache-dir --force-reinstall "mlflow>=3.2.0,<4.0.0"
 RUN pip install --no-cache-dir starlette==0.49.1
-# Upgrade wandb to fix golang.org/x/crypto vulnerabilities (CVE-2025-47914, CVE-2025-58181)
-RUN pip install --no-cache-dir --upgrade "wandb>=0.23.0"
+# Upgrade wandb to latest; remove wandb-core Go binary to fix GO-2026-4864..4947
+# wandb 0.26.0 ships wandb-core compiled with Go 1.26.1 (needs 1.26.2); no fixed wandb release yet.
+# Removing the binary forces wandb to use its Python backend (safe fallback).
+RUN pip install --no-cache-dir --upgrade "wandb>=0.26.0" && \
+    find /opt/conda/envs/ptca -name 'wandb-core' -path '*/wandb/bin/*' -delete 2>/dev/null || true
 RUN pip install --no-cache-dir triton==3.4.0
 RUN pip install torch==2.9.0 torchvision==0.24.0 torchaudio==2.9.0 --index-url https://download.pytorch.org/whl/cu126
 COPY vllm_async_server /opt/conda/envs/ptca/lib/python3.10/site-packages/verl/workers/rollout/vllm_rollout/vllm_async_server.py
@@ -33,7 +36,7 @@ COPY azure_grader /opt/conda/envs/ptca/lib/python3.10/site-packages/verl/utils/r
 COPY azure_python_grader /opt/conda/envs/ptca/lib/python3.10/site-packages/verl/utils/reward_score/azure_python_grader.py
 COPY utils /opt/conda/envs/ptca/lib/python3.10/site-packages/verl/utils/vllm/utils.py
 RUN python3 -m pip install --upgrade pip==26.0 setuptools==82.0.0 wheel==0.46.2
-RUN pip install vllm==0.18.0
+RUN pip install vllm==0.19.0
 # Keep xgrammar at the patched floor even when pulled transitively by vllm.
 RUN pip install --no-cache-dir 'xgrammar>=0.1.32'
 RUN pip install openai==2.14.0
@@ -44,13 +47,15 @@ RUN pip install https://github.com/yeshsurya/flash-attention/releases/download/v
 # onnx: onnxruntime/azureml-acft-accelerator require onnx>=1.16.0; override needed (GHSA-p433-9wv8-28xj etc.)
 # fastmcp: GHSA-rww4-4w9c-7733, GHSA-m8x7-r2rg-vh5g, GHSA-vv7q-7jx5-f767; >=3.2.0 required
 # requests: transitive dep of azure-core/mlflow/transformers; parents use loose floors (GHSA-gc5v-m9x4-r6x2)
-RUN pip install --upgrade aiohttp==3.13.4 protobuf==6.33.5 setuptools==82.0.0 pip==26.0 wheel==0.46.2 cryptography==46.0.7 'requests>=2.33.0' 'onnx>=1.21.0' 'fastmcp>=3.2.0'
+RUN pip install --upgrade aiohttp==3.13.4 protobuf==6.33.5 setuptools==82.0.0 pip==26.0 wheel==0.46.2 cryptography==46.0.7 'requests>=2.33.0' 'onnx>=1.21.0' 'fastmcp>=3.2.0' 'Mako>=1.3.11' 'pytest>=8.4.2'
 # Fix vulnerabilities in base conda env (python3.13) from ACPT base image (biweekly.202603.1)
 # Still vulnerable in base: cryptography(44.0.1), pip(25.3), setuptools(80.9.0), wheel(0.45.1)
 RUN conda run -n base python -m pip install --no-cache-dir --upgrade pip==26.0 wheel==0.46.2 setuptools==82.0.0 cryptography==46.0.7 aiohttp==3.13.4
-# ray vendors aiohttp for runtime_env agent under thirdparty_files; patch that copy too.
-RUN rm -rf /opt/conda/envs/ptca/lib/python3.10/site-packages/ray/__private/runtime_env/agent/thirdparty_files/aiohttp* && \
-    pip install --no-cache-dir --target /opt/conda/envs/ptca/lib/python3.10/site-packages/ray/__private/runtime_env/agent/thirdparty_files 'aiohttp==3.13.4'
+# ray vendors aiohttp for runtime_env agent; use find to patch all copies regardless of path naming.
+RUN find /opt/conda/envs/ptca/lib/python3.10/site-packages/ray -type d -name 'thirdparty_files' | while read dir; do \
+      rm -rf "$dir"/aiohttp*; \
+      pip install --no-cache-dir --target "$dir" 'aiohttp==3.13.4'; \
+    done
 COPY vllm_rollout /opt/conda/envs/ptca/lib/python3.10/site-packages/verl/workers/rollout/vllm_rollout/vllm_rollout.py
 # Clean up pip caches and old package files to prevent vulnerability detection
 RUN rm -rf ~/.cache/pip /tmp/* /var/tmp/*
@@ -59,5 +64,5 @@ ENV PYTHONHASHSEED=random \
     PYTHONDONTWRITEBYTECODE=1
 # pip install updates the binary but conda-meta still references old versions; conda install syncs both
 RUN conda install -y -n ptca 'pip>=26.0.1' 'wheel>=0.46.2'
-RUN conda clean -a -y && rm -rf /opt/miniconda/pkgs/
+RUN conda clean -a -y && rm -rf /opt/miniconda/pkgs/ /opt/conda/pkgs/
 

assets/training/finetune_acft_hf_nlp/environments/acpt-rft/context/requirements.txt

@@ -26,7 +26,7 @@ tensorboard==2.20.0
 tensordict==0.9.1
 torchdata==0.11.0
 torchvision==0.23.0
-transformers==4.57.3
+transformers==4.57.6
 uvicorn==0.35.0
 zmq==0.0.0
 filelock>=3.20.1