docker-library / openjdk

Docker Official Image packaging for EA builds of OpenJDK from Oracle
http://openjdk.java.net
MIT License

openjdk:11 - Possible high vulnerability found: CVE-2020-8492 #428

Closed bjornfrode closed 3 years ago

bjornfrode commented 3 years ago

During an automatic vulnerability scan of a Docker image, our scanner flagged openjdk:11 for containing the following high vulnerability: https://security-tracker.debian.org/tracker/CVE-2020-8492

wglambert commented 3 years ago
$ docker run --rm openjdk:11 apt list --installed | grep -i python

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

libpython-stdlib/now 2.7.16-1 amd64 [installed,local]
libpython2-stdlib/now 2.7.16-1 amd64 [installed,local]
libpython2.7-minimal/now 2.7.16-2+deb10u1 amd64 [installed,local]
libpython2.7-stdlib/now 2.7.16-2+deb10u1 amd64 [installed,local]
python-minimal/now 2.7.16-1 amd64 [installed,local]
python2-minimal/now 2.7.16-1 amd64 [installed,local]
python2.7-minimal/now 2.7.16-2+deb10u1 amd64 [installed,local]
python2.7/now 2.7.16-2+deb10u1 amd64 [installed,local]
python2/now 2.7.16-1 amd64 [installed,local]
python/now 2.7.16-1 amd64 [installed,local]

Python 2.7 is still vulnerable, so there's nothing actionable we can do; the Debian Security team also considers it a minor issue.

Also see https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves and https://github.com/docker-library/postgres/issues/286#issuecomment-302512767, as well as docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).
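An added example to illustrate the versioning point made above (this is not code from the thread, from docker-library, or from Debian): a scanner that compares only the upstream part of a Debian package version (`2.7.16`) cannot see a fix that was backported into the Debian revision (`-2+deb10u1`). The script below ports dpkg's version-comparison algorithm, parses the `apt list --installed` lines quoted in the thread (embedded here as constructed sample input), and compares each package against a "fixed in" version. The `FIXED_IN` table is hypothetical and exists only to show the mechanics; for a real check, take the fixed version for your release from the Debian security tracker entry for the CVE and confirm it in the package changelog (`apt changelog python2.7`).

```python
"""Compare installed Debian package versions against "fixed in" versions.

The comparison is a port of dpkg's verrevcmp() / epoch handling, so it agrees
with `dpkg --compare-versions`. The sample data and the FIXED_IN table are
constructed for this example; FIXED_IN is NOT the tracker's data for any CVE.
"""
import re
from typing import Dict, Iterator, Tuple

APT_LINE = re.compile(
    r"^(?P<pkg>[^/\s]+)/(?P<suite>\S+)\s+(?P<ver>\S+)\s+(?P<arch>\S+)\s+\[(?P<flags>[^\]]*)\]"
)


def _isdigit(c: str) -> bool:
    return "0" <= c <= "9"


def _order(c: str) -> int:
    """dpkg character weight: '~' sorts before everything (even end of string),
    letters before other punctuation; digits and end of string weigh 0."""
    if c == "" or _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Port of dpkg's verrevcmp(): alternate non-digit runs and numeric runs."""
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        first_diff = 0
        # Non-digit run: compare character weights one by one.
        while (i < la and not _isdigit(a[i])) or (j < lb and not _isdigit(b[j])):
            ac = _order(a[i]) if i < la else 0
            bc = _order(b[j]) if j < lb else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: drop leading zeros, then the longer run wins, else first differing digit.
        while i < la and a[i] == "0":
            i += 1
        while j < lb and b[j] == "0":
            j += 1
        while i < la and j < lb and _isdigit(a[i]) and _isdigit(b[j]):
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < la and _isdigit(a[i]):
            return 1
        if j < lb and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str) -> Tuple[int, str, str]:
    """Split [epoch:]upstream[-debian_revision]; the revision starts at the LAST hyphen."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def parse_apt_list(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (package, version) from `apt list --installed` output; the WARNING line is skipped."""
    for line in text.splitlines():
        m = APT_LINE.match(line.strip())
        if m:
            yield m.group("pkg"), m.group("ver")


def check_packages(apt_output: str, fixed_in: Dict[str, str]) -> Dict[str, str]:
    """For each installed package listed in fixed_in, report 'fixed' or 'affected'."""
    result: Dict[str, str] = {}
    for pkg, ver in parse_apt_list(apt_output):
        if pkg in fixed_in:
            result[pkg] = "fixed" if compare_versions(ver, fixed_in[pkg]) >= 0 else "affected"
    return result


# Constructed sample: lines copied from the `apt list --installed | grep -i python` output above.
APT_LIST_OUTPUT = """\
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

libpython2.7-stdlib/now 2.7.16-2+deb10u1 amd64 [installed,local]
python2.7-minimal/now 2.7.16-2+deb10u1 amd64 [installed,local]
python2.7/now 2.7.16-2+deb10u1 amd64 [installed,local]
python/now 2.7.16-1 amd64 [installed,local]
"""

# HYPOTHETICAL "fixed in" versions (assumed for illustration, not tracker data).
FIXED_IN = {
    "python2.7": "2.7.16-2+deb10u2",
    "python2.7-minimal": "2.7.16-2+deb10u2",
}

if __name__ == "__main__":
    for pkg, status in check_packages(APT_LIST_OUTPUT, FIXED_IN).items():
        print(f"{pkg}: {status}")
```

Note that `2.7.16-2+deb10u1` sorts above `2.7.16-2` but below `2.7.17-1`, and `2.7.16~rc1-1` sorts below `2.7.16-1`: the `+debNuM` suffix is how a security fix lands in a stable release without changing the upstream version, which is exactly what an upstream-only version match misses. To run it against a live image, replace `APT_LIST_OUTPUT` with the output of `docker run --rm openjdk:11 apt list --installed`.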