keep: Fix CVE-2026-48710 in ODH shipped dependencies

Override the Konflux PyPI wheelhouse to install a fixed Starlette release in the final runtime image, omit direct packages listed in `requirements/konflux-pypi.in` from the final AIPCC lockfile, add explicit cross-arch AIPCC pins where the index resolves different versions per architecture, and include `hatchling` in the Konflux build-only dependencies so Starlette sdist builds succeed in the hermetic builder.

Signed-off-by: mprahl <mprahl@users.noreply.github.com>

Author: mprahl

Dockerfile.konflux

@@ -58,7 +58,8 @@ RUN set -eux; \
         /tmp/dist/mlflow-*.whl \
         /tmp/dist/mlflow_kubernetes_plugins-*.whl \
         /tmp/dist/prometheus_flask_exporter-*.whl \
-        /tmp/dist/psycopg2-*.whl && \
+        /tmp/dist/psycopg2-*.whl \
+        /tmp/dist/starlette-*.whl && \
     microdnf clean all && \
     rm -rf /tmp/dist /tmp/konflux-aipcc-requirements.txt
 

pyproject.toml

@@ -239,7 +239,7 @@ docs = [
 
 [tool.uv]
 exclude-newer = "P14D"
-exclude-newer-package = { torch = false, torchvision = false, mlflow-kubernetes-plugins = false }
+exclude-newer-package = { torch = false, torchvision = false, mlflow-kubernetes-plugins = false, starlette = false }
 required-version = ">=0.10.12"
 constraint-dependencies = [
   # xgboost 3.1.0 changed base_score format to vector for multi-output models, breaking shap compatibility

requirements/compile.py

@@ -2,7 +2,9 @@
 
 For AIPCC requirements (konflux-aipcc, konflux-build-aipcc), runs uv pip compile
 inside Docker containers for each target architecture, then merges the
-per-architecture hashes into a single output file.
+per-architecture hashes into a single output file. Packages explicitly listed
+in requirements/konflux-pypi.in are omitted from the final-image AIPCC output
+so SBOM and CVE tooling see a single source of truth per shipped package.
 
 For PyPI requirements (konflux-pypi), runs a single uv pip compile since these
 packages are built from source and don't need multi-arch hashes.
@@ -20,6 +22,7 @@
 import tempfile
 from concurrent.futures import ThreadPoolExecutor, as_completed
 from dataclasses import dataclass, field
+from functools import cache
 from pathlib import Path
 from typing import Any
 
@@ -41,6 +44,7 @@
 }
 
 REPO_ROOT = Path(__file__).resolve().parent.parent
+KONFLUX_PYPI_IN = REPO_ROOT / "requirements/konflux-pypi.in"
 
 
 @dataclass
@@ -92,6 +96,14 @@ def _canonicalize(name: str) -> str:
     return re.sub(r"[-_.]+", "-", name).lower()
 
 
+@cache
+def read_requirements_names(path: Path) -> frozenset[str]:
+    session = PipSession()
+    return frozenset(
+        _canonicalize(ireq.req.name) for ireq in parse_requirements(str(path), session=session)
+    )
+
+
 def run_uv_compile_in_docker(
     target: CompileTarget,
     arch: str,
@@ -204,7 +216,10 @@ def parse_and_collect_hashes(
             detail = ", ".join(f"{a}: {v}" for a, v in sorted(arch_versions.items()))
             raise SystemExit(
                 f"Version mismatch for {name}: {detail}. "
-                "All architectures must resolve to the same version."
+                "All architectures must resolve to the same version. "
+                "Add an explicit constraint for this package to the relevant "
+                "AIPCC input file (for example `requirements/konflux-aipcc.in`) "
+                "and rerun `python requirements/compile.py`."
             )
 
     return canonical_ireqs, merged_hashes
@@ -214,6 +229,7 @@ def write_multiarch_output(
     target: CompileTarget,
     canonical_ireqs: dict[str, Any],
     merged_hashes: dict[str, set[str]],
+    excluded_names: set[str] | None = None,
 ) -> None:
     out_path = REPO_ROOT / target.out_file
     parts: list[str] = []
@@ -232,6 +248,8 @@ def write_multiarch_output(
         parts.append(f"--index-url {target.index_url}\n\n")
 
     for name in sorted(canonical_ireqs):
+        if excluded_names and name in excluded_names:
+            continue
         ireq = canonical_ireqs[name]
         hashes = merged_hashes[name]
         parts.append(format_requirement(ireq, hashes=hashes) + "\n")
@@ -289,7 +307,12 @@ def compile_multiarch(target: CompileTarget, image: str) -> None:
 
         canonical_ireqs, merged_hashes = parse_and_collect_hashes(arch_outputs)
 
-        write_multiarch_output(target, canonical_ireqs, merged_hashes)
+        excluded_names = (
+            read_requirements_names(KONFLUX_PYPI_IN) if target.name == "konflux-aipcc" else None
+        )
+        write_multiarch_output(
+            target, canonical_ireqs, merged_hashes, excluded_names=excluded_names
+        )
     finally:
         for arch_tag in arch_images.values():
             subprocess.run(["docker", "rmi", arch_tag], capture_output=True)

requirements/konflux-aipcc-requirements.txt

@@ -19,5 +19,8 @@ prometheus-client
 
 # Cross-arch constraints: pin packages to versions available on all target
 # architectures (aarch64, ppc64le, x86_64) on the AIPCC index.
+matplotlib==3.10.8
 pyarrow<23.0.1
 litellm<2,>=1.0.0
+pydantic==2.13.1
+tokenizers==0.22.2

requirements/konflux-aipcc.in

@@ -6,13 +6,21 @@
 #
 --index-url https://console.redhat.com/api/pypi/public-rhai/rhoai/3.4/cpu-ubi9/simple
 
-build==1.4.2 \
-    --hash=sha256:ef5814e19f805164dd8c5111bd7015bf17da172017ef4a1101f9a1b82cd8b15e
-packaging==26.0 \
-    --hash=sha256:3d88de7604ff5eef52df30fd9803c8cf1565e6da3bd3c8c3f4e7d7f18c11069c
+build==1.5.0 \
+    --hash=sha256:7f948e63f9f6094d01ea6b9354b226d8bf8e7c9b2d56d5f21b904c6a236cc985
+hatchling==1.29.0 \
+    --hash=sha256:9a3792b32617f6e19cff11058e2f2fcf3befcb7220c7cbafccd9eecee1a74c73
+packaging==26.2 \
+    --hash=sha256:31c96589d316a65625213114e0a1c9707c47a620bf0e89c19e6c062c946a760f
+pathspec==1.1.1 \
+    --hash=sha256:19f453436f4bb6c9de7c6b67127dc34afd9f65a9828ad50c36b0417ffbce05bc
+pluggy==1.6.0 \
+    --hash=sha256:984df28329611bee51530a6c39a6b3267a07abc257ea752a83b40146e1923b87
 pyproject-hooks==1.2.0 \
     --hash=sha256:23f914be06e835a1cac214a3c08daffbdf4d33f685194c76b38b079d8cf1dc62
 setuptools==80.10.2 \
     --hash=sha256:05ef2ee3d34409715c7d0589a3a0c6064a2b117f8489a5b512aef078173d1faf
-wheel==0.46.3 \
-    --hash=sha256:70ed432fbcd9b7d938edc4be7ac57478e1f48a6b165494deb7e6e1c81a34a15c
+trove-classifiers==2026.4.28.13 \
+    --hash=sha256:dfb9cb476ea0705e542127c2d995a76942f8410f55d2b93aaa27d161950fda32
+wheel==0.47.0 \
+    --hash=sha256:8593705d08f649098548a620edff8cceee09e57cb953f78a94c1aa3b9c051704

requirements/konflux-build-aipcc-requirements.txt

@@ -6,5 +6,6 @@
 #   python requirements/compile.py
 
 build
+hatchling
 setuptools
 wheel

requirements/konflux-build-aipcc.in

@@ -18,3 +18,7 @@ psycopg2==2.9.11 \
     --hash=sha256:e03e4a6dbe87ff81540b434f2e5dc2bddad10296db5eea7bdc995bf5f4162938 \
     --hash=sha256:f10a48acba5fe6e312b891f290b4d2ca595fc9a06850fe53320beac353575578
     # via -r requirements/konflux-pypi.in
+starlette==1.2.0 \
+    --hash=sha256:36e0c76ac59157e75dc4b3bdeafba97fb04eaf1878045f15dbef666a6f092ed7 \
+    --hash=sha256:3c5a6b23fff42492914e93890bb80cbfea72dbf37de268eec06185d62a4ca553
+    # via -r requirements/konflux-pypi.in

requirements/konflux-pypi-requirements.txt

@@ -3,7 +3,7 @@
 # hermetically by Cachi2 during the Konflux pipeline.
 #
 # All transitive dependencies of these packages are already satisfied by
-# the AIPCC Python package index (requirements/konflux-aipcc-requirements.txt), so only these two
+# the AIPCC Python package index (requirements/konflux-aipcc-requirements.txt), so only these
 # packages themselves need to be listed here.
 #
 # To regenerate the lock file (requirements/konflux-pypi-requirements.txt), run:
@@ -13,3 +13,5 @@
 mlflow-kubernetes-plugins==1.2.1
 psycopg2
 prometheus-flask-exporter
+# Starlette 1.0.1+ is not yet available on the rhoai/3.4 AIPCC index.
+starlette>=1.0.1,<2