chroma-core / chroma

the AI-native open-source embedding database
https://www.trychroma.com/
Apache License 2.0

[Bug]: 325 vulnerabilities found in chromadb docker image #1387

Closed sbs2001 closed 12 months ago

sbs2001 commented 1 year ago

What happened?

I scanned the docker image of chromadb via trivy and found that there are 325 vulnerabilities (scan-result.json).

Almost all vulnerabilities are due to the base image python:3.10-slim-bookworm. I think fixing these CVEs would make chroma deployable in compliance-heavy environments and would boost adoption in general.

I would like to work on a PR to fix this by switching to something like https://www.chainguard.dev/chainguard-images or something similar.

Versions

image sha: sha256:8e449ce63cc4e7a61106ba21f0a6bbb4c1524dad472505fb5c0b9a27fa9875b1

Relevant log output

No response

tazarov commented 12 months ago

hey @sbs2001, thanks for reporting this. We are aware that our upstreams will have vulnerabilities, as you mentioned. That said, I don't think we'll be changing from our default Debian bookworm base image, but we are in the process of shifting left on security, so we will provide a vulnerability report, SBOM and sigstore-signed images in the coming Chroma releases.

As far as deployment in a compliance-heavy environment, the number of CVEs is not as relevant as the actual impact of vulnerabilities, and experience shows that each enterprise has different tolerance levels for vulnerabilities.

Looking at the trivy results, I can tell that most vulnerabilities come from packages we install in our build process. The Python bookworm image only accounts for 1/3:

python:3.10-slim-bookworm (debian 12.2)

Total: 73 (UNKNOWN: 0, LOW: 64, MEDIUM: 7, HIGH: 1, CRITICAL: 1)
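
The split above (findings per scan target, with Trivy's one-line severity summary) is what a practitioner wants to reproduce from the JSON report rather than read off the terminal. The following is an added example, not code from the chroma project or from Trivy: it parses a report in Trivy's JSON layout (top-level "Results", each with "Target", "Class" and a "Vulnerabilities" list whose entries carry "VulnerabilityID", "PkgName", "InstalledVersion", "FixedVersion" and "Severity"), regenerates the per-target "Total: N (...)" summary, computes the base image's share of all findings, and separates findings that can actually be fixed by rebuilding (a FixedVersion exists) from those that can only be accepted or mitigated. The embedded report is a constructed sample with placeholder IDs and versions, not a real scan of the chromadb image.

```python
"""Triage a Trivy JSON report by scan target, severity and fix availability.

Added example (not chroma's or Trivy's code). Assumes Trivy's v2 JSON
schema; the report below is a constructed sample with placeholder IDs.
"""
import json
from collections import Counter

# Trivy's severity order, lowest to highest; also the order in its summary line.
SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample in Trivy's JSON layout. IDs and versions are placeholders,
# not real CVEs; targets mirror a Debian base layer plus a Python package layer.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "chromadb:example",
    "Results": [
        {
            "Target": "python:3.10-slim-bookworm (debian 12.2)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libc6",
                 "InstalledVersion": "2.36-9", "FixedVersion": "",
                 "Severity": "LOW"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libssl3",
                 "InstalledVersion": "3.0.11-1", "FixedVersion": "3.0.12-1",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib1g",
                 "InstalledVersion": "1.2.13", "FixedVersion": "",
                 "Severity": "CRITICAL"},
            ],
        },
        {
            "Target": "Python",
            "Class": "lang-pkgs",
            "Type": "python-pkg",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "pip",
                 "InstalledVersion": "23.0", "FixedVersion": "23.3",
                 "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-0000-0005", "PkgName": "requests",
                 "InstalledVersion": "2.30.0", "FixedVersion": "2.31.0",
                 "Severity": "HIGH"},
            ],
        },
    ],
})


def load_report(text):
    """Parse Trivy JSON into (target, class, vulns) tuples.

    Trivy omits the "Vulnerabilities" key for clean targets, so default to [].
    """
    data = json.loads(text)
    return [(r.get("Target", "?"), r.get("Class", "?"), r.get("Vulnerabilities") or [])
            for r in data.get("Results", [])]


def severity_counts(vulns):
    """Count findings per severity, keyed in Trivy's summary order."""
    c = Counter(v.get("Severity", "UNKNOWN") for v in vulns)
    return {s: c.get(s, 0) for s in SEVERITIES}


def summary_line(vulns):
    """Render the one-line summary Trivy prints under each target."""
    counts = severity_counts(vulns)
    parts = ", ".join(f"{s}: {counts[s]}" for s in SEVERITIES)
    return f"Total: {len(vulns)} ({parts})"


def base_image_share(results, base_target_prefix):
    """Fraction of all findings that sit in the base-image OS target."""
    total = sum(len(v) for _, _, v in results)
    base = sum(len(v) for t, _, v in results if t.startswith(base_target_prefix))
    return base / total if total else 0.0


def triage(results, min_severity="HIGH"):
    """Per-target counts plus the actionable subset.

    A finding is actionable when it is at or above min_severity AND the distro
    or upstream already ships a FixedVersion; a rebuild can pick that up.
    Unfixed findings (empty FixedVersion) cannot be patched by rebuilding and
    need a risk decision instead, which is why raw totals mislead.
    """
    threshold = SEVERITIES.index(min_severity)
    report = {}
    for target, cls, vulns in results:
        fixable = [v for v in vulns if v.get("FixedVersion")]
        actionable = [v for v in fixable
                      if SEVERITIES.index(v.get("Severity", "UNKNOWN")) >= threshold]
        report[target] = {
            "class": cls,
            "total": len(vulns),
            "fixable": len(fixable),
            "actionable": [(v["VulnerabilityID"], v["PkgName"], v["FixedVersion"])
                           for v in actionable],
        }
    return report


if __name__ == "__main__":
    results = load_report(SAMPLE_REPORT)
    for target, _, vulns in results:
        print(f"{target}\n  {summary_line(vulns)}")
    print(f"base image share: {base_image_share(results, 'python:3.10'):.0%}")
    for target, info in triage(results).items():
        print(f"{target}: {info['fixable']}/{info['total']} fixable, "
              f"actionable at HIGH+: {info['actionable']}")
```

To run it against a real image, produce the report with `trivy image --format json --output scan-result.json <image>` and feed the file contents to `load_report`. The "actionable" list is the set worth opening a rebuild or upgrade for; the unfixed remainder is what a compliance reviewer has to accept or mitigate explicitly, and that split, per target, says more about deployability than the headline count.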

sbs2001 commented 12 months ago

@tazarov thanks for the info. Great to know the team is shifting left.

I understand 99% of the vulnerabilities are coming from the base image and not from chroma's code.