Python package vulnerability
chengjun0124 opened this issue · comments
Hi
I have built an image from this Dockerfile:

```dockerfile
FROM quay.io/openshift/origin-jenkins-agent-base@sha256:2a543b358bd8f5823f6e717dd8775ae13e05b965f6dbe62b14635a6c4cb74222
RUN yum -y update --security \
 && yum -y upgrade --security
```
Then I used clair scan to scan it. It reports some vulnerabilities, one of which is:

```
my-image:my-tag found pip 9.0.3 pyup.io-38765 (CVE-2019-20916)
```

And here is its whole debug info (attachment): clair.txt
I can see that the vulnerability is from `"package_db": "python:usr/lib/python3.6/site-packages"`. I have tried to uninstall python3-pip via `yum remove python3-pip`, but it cannot fix this vulnerability. Even if I have deleted the whole python3 folder via `rm -rf usr/lib/python3.6/`, it still cannot fix this vulnerability. Could you please give me some advice on how to fix this kind of vulnerability?
Environment

- Clair version/image: quay.io/projectquay/clair:4.1.5
- Clair client name/version: clairctl-linux-amd64 v4.1.5 (https://github.com/quay/clair/releases/download/v4.1.5/clairctl-linux-amd64)
- Host OS: The scanned image is Red Hat Enterprise Linux 8.4 (Ootpa)
- Kernel (e.g. `uname -a`): The scanned image is `Linux 6ebc5a863073 5.10.76-linuxkit #1 SMP Mon Nov 8 10:21:19 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux`
- Kubernetes version (use `kubectl version`): Clair is running in openshift 4.7
- Network/Firewall setup: N/A
I don't have any insight into this package or vulnerability. My generic suggestions are to upgrade the package to whatever version fixes the issue, and double-checking that the vulnerability is present in the Red Hat package. The RHEL packaging sometimes backports fixes without changing the version.
Hi @hdonnay
I have upgraded that package, and I have deleted the folder /usr/lib/python3.6/site-packages, but clair still reports that vulnerability. I suffered this kind of issue in other OSes.
Actually, my question is not how to fix this issue. I was wondering why clair reports a folder which I have deleted.

```
"package_db": "python:usr/lib/python3.6/site-packages"
```

The command `clairctl -D report -o json --host=http://my-clair-server:6060/ some-image` returned a JSON which included the text above; however, I have deleted that folder.
If you've deleted it in a later layer, it's still present in earlier layers.
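To make the point in the reply above concrete, here is a small toy model (added for illustration; it is not Clair's code and the layer contents are constructed). It assumes, as a simplification, that a layer-aware scanner indexes each layer on its own and reports the union of what every layer contains, whereas the running container only sees the merged filesystem after OCI whiteouts from later layers are applied. It also shows why squashing the layers into one makes the two views agree.

```python
"""Toy model: per-layer scanning vs. the merged filesystem a container sees.

Added illustration, not Clair's implementation. The layer contents below are
constructed to mirror the report in this issue.
"""
from dataclasses import dataclass, field


@dataclass
class Layer:
    """One image layer: files it adds (path -> owning package) and the
    paths it deletes (the whiteout entries produced by `rm` in a later RUN)."""
    digest: str
    adds: dict
    whiteouts: set = field(default_factory=set)


def index_layer(layer):
    """Per-layer index: packages whose files this single layer contributes."""
    return set(layer.adds.values())


def packages_in_manifest(layers):
    """Scanner view (assumed): the union of every layer's own index.
    A package added by layer 1 stays here even if layer 2 deletes its files."""
    found = set()
    for layer in layers:
        found |= index_layer(layer)
    return found


def _is_whited_out(path, whiteouts):
    # A whiteout for a directory hides everything beneath it.
    return any(path == w or path.startswith(w.rstrip("/") + "/") for w in whiteouts)


def merged_filesystem(layers):
    """Runtime view: apply layers in order, honouring whiteouts."""
    fs = {}
    for layer in layers:
        for path in list(fs):
            if _is_whited_out(path, layer.whiteouts):
                del fs[path]
        fs.update(layer.adds)
    return fs


def packages_in_filesystem(layers):
    """Packages that actually remain on disk in the final image."""
    return set(merged_filesystem(layers).values())


def squash(layers):
    """Collapse all layers into a single layer holding only the merged
    filesystem; there is then no earlier layer for a scanner to find."""
    return Layer(digest="sha256:squashed-placeholder", adds=merged_filesystem(layers))


# Constructed layers: the base image ships pip 9.0.3 under site-packages,
# and a later RUN step deletes the whole python3.6 tree.
LAYERS = [
    Layer(
        digest="sha256:base-placeholder",
        adds={
            "usr/lib/python3.6/site-packages/pip/__init__.py": "pip 9.0.3",
            "usr/bin/python3.6": "python3",
        },
    ),
    Layer(
        digest="sha256:rm-placeholder",
        adds={},
        whiteouts={"usr/lib/python3.6/"},
    ),
]

if __name__ == "__main__":
    print("scanner (per-layer union):", sorted(packages_in_manifest(LAYERS)))
    print("container filesystem:     ", sorted(packages_in_filesystem(LAYERS)))
    print("after squash:             ", sorted(packages_in_manifest([squash(LAYERS)])))
```

Running it shows `pip 9.0.3` in the per-layer union but not in the merged filesystem, and the squashed single layer reports only what is really on disk. In practice the equivalent of `squash` is to build the final image from a stage that never contained the package (a multi-stage build copying only what is needed), or to rebuild from a base image where the package has already been removed or upgraded, rather than deleting it in a later `RUN`.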
Hi @hdonnay
I have fixed some vulnerabilities before. The most common way to fix them was to upgrade packages via `yum update -y` in the Dockerfile, like:

```dockerfile
FROM some-image-has-vulnerabilities
RUN yum update -y
```

It worked fine.
Does this mean that I fixed the vulnerabilities in a later layer? If yes, they should be present in earlier layers, but clair doesn't report the vulnerability. However, clair always reports python package vulnerabilities whatever I do, whether I delete or upgrade them.