quay / clair

Vulnerability Static Analysis for Containers

Home Page: https://quay.github.io/clair/

Python package vulnerability

chengjun0124 opened this issue · comments

Hi
I have built an image from this Dockerfile:

FROM quay.io/openshift/origin-jenkins-agent-base@sha256:2a543b358bd8f5823f6e717dd8775ae13e05b965f6dbe62b14635a6c4cb74222

RUN yum -y update --security \
   && yum -y upgrade --security

Then I used clair scan to scan it. It reports some vulnerabilities, one of which is
my-image:my-tag found pip 9.0.3 pyup.io-38765 (CVE-2019-20916)

And here is its whole debug info:
clair.txt

I can see that the vulnerability is from "package_db": "python:usr/lib/python3.6/site-packages". I have tried to uninstall python3-pip via yum remove python3-pip, but that did not fix this vulnerability. Even after I deleted the whole python3 folder via rm -rf usr/lib/python3.6/, it was still not fixed. Could you please give me some advice on how to fix this kind of vulnerability?

Expected Outcome

Actual Outcome

Environment

  • Clair version/image: quay.io/projectquay/clair:4.1.5
  • Clair client name/version: clairctl-linux-amd64 v4.1.5 (https://github.com/quay/clair/releases/download/v4.1.5/clairctl-linux-amd64)
  • Host OS: The scanned image is Red Hat Enterprise Linux 8.4 (Ootpa)
  • Kernel (e.g. uname -a): The scanned image is Linux 6ebc5a863073 5.10.76-linuxkit #1 SMP Mon Nov 8 10:21:19 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
  • Kubernetes version (use kubectl version): Clair is running in openshift 4.7
  • Network/Firewall setup: N/A

I don't have any insight into this package or vulnerability. My generic suggestions are to upgrade the package to whatever version fixes the issue, and double-checking that the vulnerability is present in the Red Hat package. The RHEL packaging sometimes backports fixes without changing the version.

Hi @hdonnay
I have upgraded that package, and I have deleted the folder /usr/lib/python3.6/site-packages, but clair still reports that vulnerability. I have run into this kind of issue on other OSes too.

Actually, my question is not how to fix this issue. I was wondering why clair reports a folder which I have deleted.

"package_db": "python:usr/lib/python3.6/site-packages"

The command clairctl -D report -o json --host=http://my-clair-server:6060/ some-image returned JSON which included the text above, even though I have deleted that folder.

If you've deleted it in a later layer, it's still present in earlier layers.
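hdonnay's point about layers, spelled out as an added example (this is not Clair's code): a layer-based indexer looks at each layer as the set of files it adds, and an rm in a later layer only records a whiteout marker on top; the earlier layer's content is unchanged, so the package found there is still reported, even though the merged filesystem a running container sees no longer has it. The code models layers as path-to-content maps rather than tar streams, the package-finding rule (a METADATA file directly under a site-packages directory) is a simplified stand-in for Clair's Python scanner, and the image contents are constructed to match the thread (pip 9.0.3 under usr/lib/python3.6/site-packages).

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
)

// layer models one image layer as the files it adds: a path->content map.
// Real layers are tar streams, but the layering rules below are the same.
type layer struct {
	name  string
	files map[string]string
}

// pythonPackages lists distributions whose dist-info METADATA sits directly
// under a site-packages directory, keyed like Clair's "python:<package_db>".
func pythonPackages(files map[string]string) []string {
	var found []string
	for p, body := range files {
		db := path.Dir(path.Dir(p)) // strip "<dist>.dist-info/METADATA"
		if path.Base(p) != "METADATA" || path.Base(db) != "site-packages" {
			continue
		}
		var name, version string
		for _, line := range strings.Split(body, "\n") {
			if strings.HasPrefix(line, "Name: ") {
				name = strings.TrimPrefix(line, "Name: ")
			} else if strings.HasPrefix(line, "Version: ") {
				version = strings.TrimPrefix(line, "Version: ")
			}
		}
		found = append(found, fmt.Sprintf("python:%s %s %s", db, name, version))
	}
	sort.Strings(found)
	return found
}

// merge applies layers in order with OCI whiteout semantics: an entry named
// ".wh.<name>" hides <name> and everything below it that came from lower layers.
// Whiteouts are applied before the layer's own files, as the image spec requires.
func merge(layers []layer) map[string]string {
	fs := map[string]string{}
	for _, l := range layers {
		for p := range l.files {
			if base := path.Base(p); strings.HasPrefix(base, ".wh.") {
				target := path.Join(path.Dir(p), strings.TrimPrefix(base, ".wh."))
				for q := range fs {
					if q == target || strings.HasPrefix(q, target+"/") {
						delete(fs, q)
					}
				}
			}
		}
		for p, body := range l.files {
			if !strings.HasPrefix(path.Base(p), ".wh.") {
				fs[p] = body
			}
		}
	}
	return fs
}

// perLayerFindings indexes every layer on its own, the way a layer-based scanner
// does: a package deleted in a later layer still appears under the layer that added it.
func perLayerFindings(layers []layer) map[string][]string {
	out := map[string][]string{}
	for _, l := range layers {
		out[l.name] = pythonPackages(l.files)
	}
	return out
}

// exampleImage mirrors the thread (constructed data): a base layer shipping
// pip 9.0.3 under usr/lib/python3.6/site-packages, then a layer whose
// "rm -rf" of that directory the image format records as a whiteout entry.
func exampleImage() []layer {
	return []layer{
		{name: "base", files: map[string]string{
			"etc/os-release": "ID=\"rhel\"\n",
			"usr/lib/python3.6/site-packages/pip-9.0.3.dist-info/METADATA": "Name: pip\nVersion: 9.0.3\n",
		}},
		{name: "rm-site-packages", files: map[string]string{
			"usr/lib/python3.6/.wh.site-packages": "",
		}},
	}
}

func main() {
	layers := exampleImage()
	per := perLayerFindings(layers)
	for _, l := range layers {
		fmt.Printf("layer %-16s -> %v\n", l.name, per[l.name])
	}
	fmt.Println("merged filesystem ->", pythonPackages(merge(layers)))
}
```

Running it prints pip 9.0.3 under the "base" layer, nothing under the "rm-site-packages" layer, and nothing in the merged view. That gap is exactly what the thread describes: the report is about a layer's content, not about the final filesystem, so only a base image that never contained the package (or a rebuilt/squashed image) changes both views.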

Hi @hdonnay

I have fixed some vulnerabilities before. The most common way to fix them was to upgrade packages via yum update -y in the Dockerfile, like

FROM some-image-has-vulnerabilities

RUN yum update -y

It worked fine.

Does this mean that I fixed the vulnerabilities in a later layer? If yes, they should still be present in an earlier layer, but clair doesn't report those vulnerabilities. However, clair always reports Python package vulnerabilities no matter whether I delete or upgrade the packages.