
Vulnerabilities detected in container #5

Open
joewxboy opened this issue Aug 13, 2021 · 3 comments
Labels: bug (Something isn't working), good first issue (Good for newcomers), hacktoberfest

Comments

@joewxboy
Member

To replicate:

make build
docker scan ibmosquito/web-hello-python:1.0.0

Results found four vulnerabilities:

Testing ibmosquito/web-hello-python:1.0.0...

✗ Medium severity vulnerability found in sqlite/sqlite-libs
  Description: Use After Free
  Info: https://snyk.io/vuln/SNYK-ALPINE312-SQLITE-1300270
  Introduced through: sqlite/[email protected], [email protected]
  From: sqlite/[email protected]
  From: [email protected] > sqlite/[email protected]
  Fixed in: 3.32.1-r1

✗ Medium severity vulnerability found in sqlite/sqlite-libs
  Description: Out-of-bounds Write
  Info: https://snyk.io/vuln/SNYK-ALPINE312-SQLITE-1300271
  Introduced through: sqlite/[email protected], [email protected]
  From: sqlite/[email protected]
  From: [email protected] > sqlite/[email protected]
  Fixed in: 3.32.1-r1

✗ High severity vulnerability found in krb5/krb5-libs
  Description: NULL Pointer Dereference
  Info: https://snyk.io/vuln/SNYK-ALPINE312-KRB5-1533463
  Introduced through: krb5/[email protected], krb5-conf/[email protected], libtirpc/[email protected]
  From: krb5/[email protected]
  From: krb5-conf/[email protected] > krb5/[email protected]
  From: libtirpc/[email protected] > krb5/[email protected]
  Fixed in: 1.18.4-r0

✗ High severity vulnerability found in apk-tools/apk-tools
  Description: Out-of-bounds Read
  Info: https://snyk.io/vuln/SNYK-ALPINE312-APKTOOLS-1533753
  Introduced through: apk-tools/[email protected]
  From: apk-tools/[email protected]
  Fixed in: 2.10.7-r0



Package manager:   apk
Project name:      docker-image|ibmosquito/web-hello-python
Docker image:      ibmosquito/web-hello-python:1.0.0
Platform:          linux/amd64
Base image:        python:3-alpine3.12

Tested 37 dependencies for known vulnerabilities, found 4 vulnerabilities.
joewxboy added the bug and good first issue labels on Aug 13, 2021
@johnwalicki
Contributor

johnwalicki commented Oct 3, 2022

This is a good first issue. The way to fix this would be to modify the Dockerfile, change it to pull the latest stable Python Alpine image:

FROM python:3.10-alpine

or, to always stay on the most recent python:alpine by just:

FROM python:alpine

The full list of python official images on DockerHub is listed here: https://hub.docker.com/_/python

There are two schools of thought. I like to be deterministic when building my containers. I want to know exactly the pedigree of how it was built and the SBOM it contains. I often pin my containers to the exact base image (3.10.7-alpine3.16 is the most recent) so I know definitively what's inside the container. Rolling on python:alpine you're never really certain which base image it was built from (you'd have to run a docker inspect or skopeo on the container).

For examples like this one, however, that might be short lived experiments, letting it roll forward on python:alpine might be justified.

I'd approve a PR using either technique if someone makes the case.
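As an added example (not part of this issue or the repository's code), the following Python check classifies each FROM line of a Dockerfile by how tightly it pins its base image. It follows the convention from the comment above: a tag like 3.10.7-alpine3.16 (full interpreter version plus full base-OS version) counts as pinned, a digest reference is the strongest form, and python:alpine, python:3.10-alpine or python:3-alpine3.12 float because the registry can re-point them to a newer build. The sample Dockerfile and the digest value are constructed for the example; references to an earlier build stage are recognised so multi-stage files do not produce false alarms.

```python
"""Classify how tightly each FROM line in a Dockerfile pins its base image.

Added example, not code from this repository. A reviewer could run it over a
proposed Dockerfile before approving a base-image change like the one
discussed in this issue.
"""
import re
from typing import List, Set, Tuple

# FROM [--platform=...] <reference> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)

# "pinned" here means the convention from the comment: full interpreter
# version and full base-OS version, e.g. 3.10.7-alpine3.16. Partial tags such
# as 3.10-alpine or 3-alpine3.12 are treated as floating.
PINNED_TAG_RE = re.compile(r"^\d+\.\d+\.\d+-[a-z]+\d+\.\d+$")


def split_reference(ref: str) -> Tuple[str, str, str]:
    """Split [registry/]repo[:tag][@digest] into (repo, tag, digest)."""
    digest = ""
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # A colon after the last slash separates the tag; a colon before it is a
    # registry port (e.g. localhost:5000/python) and must not be mistaken for one.
    last_slash = ref.rfind("/")
    colon = ref.rfind(":")
    if colon > last_slash:
        return ref[:colon], ref[colon + 1:], digest
    return ref, "", digest


def classify(ref: str, known_stages: Set[str]) -> str:
    """Return one of: stage, digest, pinned, floating, untagged."""
    if ref in known_stages:
        return "stage"          # refers to an earlier build stage, not a registry image
    _repo, tag, digest = split_reference(ref)
    if digest:
        return "digest"         # immutable content address, strongest pin
    if not tag:
        return "untagged"       # implicitly :latest
    if PINNED_TAG_RE.match(tag):
        return "pinned"
    return "floating"


def lint_dockerfile(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, reference, classification) for every FROM line."""
    findings = []
    stages: Set[str] = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        findings.append((lineno, ref, classify(ref, stages)))
        if m.group("stage"):
            stages.add(m.group("stage"))
    return findings


def unpinned(findings: List[Tuple[int, str, str]]) -> List[Tuple[int, str, str]]:
    """Only the FROM lines a deterministic-build policy would reject."""
    return [f for f in findings if f[2] in ("floating", "untagged")]


# Constructed sample Dockerfile (not the repository's); the digest is a placeholder.
SAMPLE_DOCKERFILE = """\
# constructed sample
FROM python:3-alpine3.12 AS builder
RUN pip install --no-cache-dir flask
FROM --platform=linux/amd64 python:alpine
FROM python:3.10.7-alpine3.16
FROM python@sha256:0000000000000000000000000000000000000000000000000000000000000000
FROM builder AS final
FROM python
"""

if __name__ == "__main__":
    for lineno, ref, kind in lint_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {lineno:>2}: {kind:<9} {ref}")
    print("needs pinning:", [r for _, r, _ in unpinned(lint_dockerfile(SAMPLE_DOCKERFILE))])
```

The regex for "pinned" is deliberately strict: a tag such as 3.10.7-alpine still lets the Alpine release move underneath the image, which is exactly the situation the scan above reports for python:3-alpine3.12, so only a digest or a fully versioned tag is accepted as deterministic.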

@WilliamLi10
Contributor

@joewxboy can I be assigned this issue please?

@johnwalicki
Contributor

@WilliamLi10 I've assigned this issue to you. Thanks!

t-fine pushed a commit that referenced this issue Jun 7, 2024