Vulnerabilities in mcr.microsoft.com/devcontainers/python:3.11

[lesscodingmorehappiness]

Hi,

My team is building mcr.microsoft.com/devcontainers/python:3.11 as our base image. But the security scan alert our built image has vulnerability Python (Pip) Security Update for setuptools (GHSA-r9hx-vwmv-q579)

I checked our build logs, it should build with at least 66.1.1 version of setuptools. But security team claims a wrong scan result could be super rare.

So I want to confirm:

1. what's the setuptools version in mcr.microsoft.com/devcontainers/python:3.11? does it have the vulnerability Python (Pip) Security Update for setuptools (GHSA-r9hx-vwmv-q579)?
2. how can I check the list of vulnerability of a specific version of the repo/registry?

Thanks

[samruddhikhandale]

Hi 👋

Thanks for reporting, we are tracking this vulnerability in our internal repository and @gauravsaini04 & @bhupendra-vaishnav are actively working on it.

We have identified two traces of these vulnerable package as highlighted in the 👇 screenshot.

./usr/local/lib/python3.11/ensurepip/_bundled/setuptools-65.5.0-py3-none-any.whl

This ^ is coming from the Python library and we have opened upstream reports, see https://github.com/docker-library/python/issues/901, https://github.com/python/cpython/issues/114446 and https://github.com/python/cpython/issues/102202. However, we are continuing to find ways and see if we can patch this in our image itself.

./usr/local/py-utils/shared/lib/python3.11/site-packages/setuptools-65.5.0.dist-info

This ^ is installed as a dependency of some other package from the Python Feature. @gauravsaini04 is working on upgrading or removing dependency.

how can I check the list of vulnerability of a specific version of the repo/registry?

We have internals tools and scanners which detects and reports image vulnerabilities for the devcontainer/images. Also, we are actively (daily) working on patching them to provide secure images to the community. We appreciate your patience and confidence in the dev container images.

Thank you, and let me know if something is unclear. We will provide updates on this issue as we make progress!

[lesscodingmorehappiness]

Thanks. Is there any ETA for the fix? so that I can change the ETA on my side correspondingly.

[samruddhikhandale]

./usr/local/py-utils/shared/lib/python3.11/site-packages/setuptools-65.5.0.dist-info

For resolving ☝ , we are targeting end of this week.

The other one is tricky, and most likely depends on the official Python team to fix it, looking forward to nudge them for faster patching!

[lesscodingmorehappiness]

Hi, any updates there?

[samruddhikhandale]

./usr/local/py-utils/shared/lib/python3.11/site-packages/setuptools-65.5.0.dist-info

For fixing ^ we merged https://github.com/devcontainers/features/pull/815. We will be releasing dev tags today and prod tags on Monday.

./usr/local/lib/python3.11/ensurepip/_bundled/setuptools-65.5.0-py3-none-any.whl

Waiting for python to patch this, it can not be patched in the image as it ends up breaking pip. See https://github.com/python/cpython/issues/102202

[lesscodingmorehappiness]

Hi,

I found that the items is no more in our vulnerability report list. Just curious is this fixed by python? I'm asking because some other items were gone but we actually didn't make change.

[samruddhikhandale]

./usr/local/py-utils/shared/lib/python3.11/site-packages/setuptools-65.5.0.dist-info

For fixing ^ we merged https://github.com/devcontainers/features/pull/815.

./usr/local/lib/python3.11/ensurepip/_bundled/setuptools-65.5.0-py3-none-any.whl

We fixed it on our end with https://github.com/devcontainers/features/pull/866

We published new images yesterday which would have updated it for your scanners. Closing as the image is completely patched from the vulnerability. 🎉