[Metro][Traffic Agent] Fix security vulnerabilities (#1945)

Author: madhuri-rai07

metro-ai-suite/smart-traffic-intersection-agent/Makefile

@@ -99,7 +99,7 @@ TEST_TARGETS := $(addprefix test-,$(TEST_COMPONENTS))
         clean-all clean-all-keep-models \
         shellcheck pylint ruff \
         trivy-scan trivy-scan-fs trivy-scan-image trivy-scan-config \
-        clamav-scan bandit-scan gitleaks-scan codeql-scan \
+        clamav-scan bandit-scan-new bandit-scan gitleaks-scan codeql-scan codeql-scan-new \
         $(TEST_TARGETS) \
         get-service-name get-component-names get-image-tags get-context-dirs \
         get-python-version get-scan-matrix-json
@@ -403,6 +403,28 @@ clamav-scan:
 		> security-results/clamav-$(SERVICE_NAME)-$$(date +%Y%m%d-%H%M%S).txt 2>&1 || true
 	@echo "✅ ClamAV scan complete: security-results/clamav-*"
 
+bandit-scan-new:
+	@echo "🔐 Running Bandit Security Scan..."
+	@mkdir -p security-results
+	@python3 -m venv bandit-venv && \
+	source bandit-venv/bin/activate && \
+	pip install --upgrade pip && \
+	pip install bandit[toml] && \
+	CONFIG_OPT=""; \
+	if [ -f "pyproject.toml" ]; then CONFIG_OPT="-c pyproject.toml"; fi; \
+	echo "📝 Generating TXT Report (matches CI)..." && \
+	bandit $$CONFIG_OPT --severity-level low --confidence-level low -r src/ tests/ \
+		-f txt -o security-results/bandit-report-$(SERVICE_NAME).txt || true && \
+	echo "📊 Generating JSON Report..." && \
+	bandit $$CONFIG_OPT --severity-level low --confidence-level low -r src/ tests/ \
+		-f json -o security-results/bandit-report-$(SERVICE_NAME).json || true && \
+	echo "🌐 Generating HTML Report..." && \
+	bandit $$CONFIG_OPT --severity-level low --confidence-level low -r src/ tests/ \
+		-f html -o security-results/bandit-report-$(SERVICE_NAME).html || true && \
+	deactivate && \
+	rm -rf bandit-venv
+	@echo "✅ Bandit scan complete. Check security-results/ for txt, json, and html reports."
+
 bandit-scan:
 	@echo "🔐 Running Bandit Security Scan..."
 	@mkdir -p security-results
@@ -428,6 +450,54 @@ gitleaks-scan:
 		-r security-results/gitleaks-$(SERVICE_NAME)-$$(date +%Y%m%d-%H%M%S).json || true
 	@echo "✅ Gitleaks scan complete: security-results/gitleaks-*"
 
+codeql-scan-new:
+	@echo "🛡️  Running CodeQL Security Analysis..."
+	@if ! command -v codeql >/dev/null 2>&1; then \
+		echo "❌ CodeQL CLI is not installed. Install: https://github.com/github/codeql-cli-binaries/releases"; \
+		exit 1; \
+	fi
+
+	@mkdir -p security-results
+
+	@echo "→ Creating CodeQL database for Python..."
+	@codeql database create security-results/codeql-db-python-$(SERVICE_NAME) \
+		--language=python \
+		--source-root=. \
+		--build-mode=none \
+		--overwrite 2>&1 | tail -5
+
+	@echo "→ Updating CodeQL Python Query Packs..."
+	@codeql pack download codeql/python-queries
+
+	@echo "→ Running CodeQL analysis (SARIF)..."
+	@codeql database analyze security-results/codeql-db-python-$(SERVICE_NAME) \
+		codeql/python-queries \
+		--format=sarif-latest \
+		--output=security-results/codeql-python-$(SERVICE_NAME).sarif || true
+
+	@echo "→ Running CodeQL analysis (CSV)..."
+	@codeql database analyze security-results/codeql-db-python-$(SERVICE_NAME) \
+		codeql/python-queries \
+		--format=csv \
+		--output=security-results/codeql-python-$(SERVICE_NAME).csv || true
+
+	@echo "→ Converting CSV to JSON..."
+	@if [ -f security-results/codeql-python-$(SERVICE_NAME).csv ]; then \
+		python3 -c "import csv,json; h=['name','description','severity','message','path','start_line','start_col','end_line','end_col']; rows=[dict(zip(h,r)) for r in csv.reader(open('security-results/codeql-python-$(SERVICE_NAME).csv')) if r]; json.dump(rows,open('security-results/codeql-python-$(SERVICE_NAME).json','w'),indent=2); print('  Converted '+str(len(rows))+' finding(s) to JSON')"; \
+	else \
+		echo "  ⚠️ No CSV findings to convert."; \
+	fi
+
+	@echo "→ Converting SARIF to HTML..."
+	@if [ -f security-results/codeql-python-$(SERVICE_NAME).sarif ]; then \
+		python3 -c "import json,html; s=json.load(open('security-results/codeql-python-$(SERVICE_NAME).sarif')); fs=[{'id':r.get('ruleId',''),'sev':r.get('level','warning'),'msg':r.get('message',{}).get('text',''),'path':r.get('locations',[{}])[0].get('physicalLocation',{}).get('artifactLocation',{}).get('uri',''),'line':r.get('locations',[{}])[0].get('physicalLocation',{}).get('region',{}).get('startLine',0)} for run in s.get('runs',[]) for r in run.get('results',[])]; rows=''.join(['<tr><td>%d</td><td>%s</td><td>%s</td><td>%s</td><td>%s:%s</td></tr>'%(i+1,html.escape(f['sev']),html.escape(f['id']),html.escape(f['msg'][:200]),html.escape(f['path']),f['line']) for i,f in enumerate(fs)]); open('security-results/codeql-python-$(SERVICE_NAME).html','w').write('<!DOCTYPE html><html><head><meta charset=utf-8><title>CodeQL Report - $(SERVICE_NAME)</title><style>body{font-family:Arial,sans-serif;margin:20px}table{border-collapse:collapse;width:100%%}th,td{border:1px solid #ddd;padding:8px;text-align:left}th{background:#4472C4;color:white}tr:nth-child(even){background:#f2f2f2}</style></head><body><h1>CodeQL Security Report: $(SERVICE_NAME)</h1><p><strong>Total findings:</strong> %d</p><table><tr><th>#</th><th>Severity</th><th>Rule</th><th>Message</th><th>Location</th></tr>%s</table></body></html>'%(len(fs),rows)); print('  Generated HTML report with %d finding(s)'%len(fs))"; \
+	else \
+		echo "  ⚠️ No SARIF file to convert."; \
+	fi
+
+	@echo "✅ Python analysis complete."
+	@echo "✅ CodeQL scan complete: security-results/codeql-*"
+
 codeql-scan:
 	@echo "🛡️  Running CodeQL Security Analysis..."
 	@if ! command -v codeql >/dev/null 2>&1; then \

metro-ai-suite/smart-traffic-intersection-agent/docker/agent-compose.yaml

@@ -52,7 +52,7 @@ services:
     build:
       context: ${APP_DIR:-..}/src
       dockerfile: Dockerfile
-    image: ${REGISTRY:-}smart-traffic-intersection-agent:${TAG:-1.0.0-rc1}
+    image: ${REGISTRY:-}smart-traffic-intersection-agent:${TAG:-1.0.0-rc2}
     ports:
       - "${AGENT_BACKEND_PORT:-}:8081"
       - "${AGENT_UI_PORT:-}:7860"

metro-ai-suite/smart-traffic-intersection-agent/docs/user-guide/get-started.md

@@ -23,7 +23,7 @@ an introduction.
 - **Registry configuration**: To pull pre-built images from a specific registry, set the `REGISTRY` and `TAG` parameters. Following is the recommended default setting.
   ```bash
   export REGISTRY="intel"
-  export TAG="1.0.0-rc1"
+  export TAG="1.0.0-rc2"
   ```
 
 

metro-ai-suite/smart-traffic-intersection-agent/docs/user-guide/release-notes.md

@@ -1,6 +1,15 @@
 # Release Notes
 
-## Current Release: 1.0.0-rc1
+## Current Release: 1.0.0-rc2
+
+**Release Date**: 27 Feb 2026
+
+### Features
+
+- Fixed security vulnerabities in code
+- Update base image to python:3.13-slim
+
+## Previous Releases: 1.0.0-rc1
 
 **Release Date**: 17 Feb 2026
 

metro-ai-suite/smart-traffic-intersection-agent/src/Dockerfile

@@ -1,7 +1,7 @@
 # Copyright (C) 2025 Intel Corporation
 # SPDX-License-Identifier: Apache-2.0
 
-FROM python:3.11-slim
+FROM python:3.13-slim
 
 # Set working directory
 WORKDIR /app
@@ -21,6 +21,9 @@ COPY . .
 # Create virtual environment and install dependencies using uv
 RUN uv sync && uv pip install -r ui/requirements.txt
 
+# Copy license file
+COPY third_party_programs.txt /licenses/third_party_programs.txt
+
 # Create non-root user and adjust permissions
 RUN useradd -m -u 1000 traffic && \
     chmod +x docker-entrypoint.sh && \

metro-ai-suite/smart-traffic-intersection-agent/src/pyproject.toml

@@ -12,11 +12,11 @@ dependencies = [
     "paho-mqtt==2.1.0",
     "aiohttp==3.13.3",
     "structlog==23.2.0",
-    "pydantic==2.7.0",
+    "pydantic==2.9.2",
     "python-dateutil==2.8.2",
     "python-dotenv==1.0.0",
-    "gradio==5.49.1",
-    "pillow>=9.0.0",
+    "gradio==6.2.0",
+    "pillow>=12.1.1,<13.0",
     "markdown>=3.4.0",
     "requests==2.32.5",
     "huggingface_hub==0.36.0",

…ersection-agent/third_party_programs.txt …ction-agent/src/third_party_programs.txtmetro-ai-suite/smart-traffic-intersection-agent/third_party_programs.txt renamed to metro-ai-suite/smart-traffic-intersection-agent/src/third_party_programs.txt metro-ai-suite/smart-traffic-intersection-agent/third_party_programs.txt renamed to metro-ai-suite/smart-traffic-intersection-agent/src/third_party_programs.txt

@@ -278,7 +278,6 @@ def main():
             server_port=Config.get_app_port(),
             share=False,
             show_error=True,
-            show_api=False,
             quiet=False
         )