feast-dev / feast

The Open Source Feature Store for Machine Learning
https://feast.dev
Apache License 2.0

Remove some vulnerabilities from go modules #4506

Closed brijesh-vora-sp closed 1 month ago

brijesh-vora-sp commented 1 month ago

Description:

There are quite some vulnerabilities in feast when I build the docker image of the k8s materialization engine. Seems to be all go related. Would appreciate at least removing the critical and high ones ASAP. Thanks

Severity | CVE ID | Package name & version
-- | -- | --
High | CVE-2021-3121 | github.com/gogo/protobuf v1.2.1
High | CVE-2022-24450 | github.com/nats-io/nats-server/v2 v2.1.2
High | CVE-2019-13126 | github.com/nats-io/nats-server/v2 v2.1.2
High | CVE-2020-28466 | github.com/nats-io/nats-server/v2 v2.1.2
High | CVE-2018-16886 | go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738
Medium | CVE-2020-15106 | go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738
Medium | CVE-2020-15112 | go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738
Medium | CVE-2022-41727 | golang.org/x/image v0.0.0-20220302094943-723b81ca9867
Medium | CVE-2023-29408 | golang.org/x/image v0.0.0-20220302094943-723b81ca9867
Medium | CVE-2023-29407 | golang.org/x/image v0.0.0-20220302094943-723b81ca9867
Critical | CVE-2020-26892 | github.com/nats-io/jwt v0.3.2
High | CVE-2021-3127 | github.com/nats-io/jwt v0.3.2
High | CVE-2020-26521 | github.com/nats-io/jwt v0.3.2
Medium | CVE-2022-2582 | github.com/aws/aws-sdk-go v1.27.0
Medium | CVE-2020-8911 | github.com/aws/aws-sdk-go v1.27.0
Low | CVE-2020-8912 | github.com/aws/aws-sdk-go v1.27.0
High | CVE-2020-26160 | github.com/dgrijalva/jwt-go v3.2.0+incompatible
Medium | CVE-2019-19794 | github.com/miekg/dns v1.0.14
High | CVE-2022-21698 | github.com/prometheus/client_golang v1.3.0
High | CVE-2020-27813 | github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c

Possible Solution

Upgrade packages?
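A small triage helper, added here as an example (it is not code from this issue or from the Feast project): it parses scanner rows in the "Severity CVE ID Package name & version" form shown above, groups the CVEs by Go module, ranks modules by their worst severity so the critical and high findings come first, and checks each against a `go list -m all` snapshot to tell whether the flagged version is still in the build. The scanner rows are copied from the table above; the `go list` output is constructed for illustration and is not Feast's real module graph.

```python
import re
from collections import defaultdict

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Rows copied from the scanner table in the issue (a subset, header included).
SCANNER_TABLE = """\
Severity CVE ID Package name & version
High CVE-2021-3121 github.com/gogo/protobuf v1.2.1
Critical CVE-2020-26892 github.com/nats-io/jwt v0.3.2
High CVE-2021-3127 github.com/nats-io/jwt v0.3.2
High CVE-2020-26160 github.com/dgrijalva/jwt-go v3.2.0+incompatible
Medium CVE-2020-8911 github.com/aws/aws-sdk-go v1.27.0
Low CVE-2020-8912 github.com/aws/aws-sdk-go v1.27.0
"""

# Constructed `go list -m all` output for illustration; NOT Feast's real
# module graph. The first line is the main module, which carries no version.
GO_LIST_SNAPSHOT = """\
example.com/materialization
github.com/nats-io/jwt v0.3.2
github.com/dgrijalva/jwt-go v3.2.0+incompatible
github.com/aws/aws-sdk-go v1.44.0
google.golang.org/protobuf v1.34.2
"""


def parse_scanner_table(text):
    """Return {module: {"version": str, "cves": [(severity, cve), ...]}}.
    Accepts whitespace- or pipe-separated rows; header/separator lines are
    skipped because they do not start with a severity word and a CVE id."""
    findings = defaultdict(lambda: {"version": None, "cves": []})
    for line in text.splitlines():
        tokens = [t for t in re.split(r"[\s|]+", line.strip()) if t]
        if (len(tokens) != 4 or tokens[0] not in SEVERITY_RANK
                or not tokens[1].startswith("CVE-")):
            continue
        severity, cve, module, version = tokens
        findings[module]["version"] = version
        findings[module]["cves"].append((severity, cve))
    return dict(findings)


def parse_go_list(text):
    """Map module path -> version from `go list -m all` style output."""
    mods = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:  # the main-module line has one token; skip it
            mods[parts[0]] = parts[1]
    return mods


def triage(scanner_text, go_list_text):
    """Rank flagged modules by worst severity and report whether the build
    still has the flagged version ("present"), a different version
    ("changed"), or no longer depends on the module at all ("absent")."""
    findings = parse_scanner_table(scanner_text)
    built = parse_go_list(go_list_text)
    rows = []
    for module, entry in findings.items():
        worst = max(entry["cves"], key=lambda sc: SEVERITY_RANK[sc[0]])[0]
        if module not in built:
            status = "absent"
        elif built[module] == entry["version"]:
            status = "present"
        else:
            status = "changed"
        rows.append({"module": module, "flagged": entry["version"], "worst": worst,
                     "count": len(entry["cves"]), "status": status})
    # Critical first, then High, ...; by module path within one severity.
    rows.sort(key=lambda r: (-SEVERITY_RANK[r["worst"]], r["module"]))
    return rows
```

Calling `triage(SCANNER_TABLE, GO_LIST_SNAPSHOT)` puts github.com/nats-io/jwt (Critical, still present) first and marks github.com/gogo/protobuf as absent from the snapshot, which is the kind of check that answers the "where is this one coming from" question before bumping versions.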

tokoko commented 1 month ago

@EXPEbdodla Let me use this opportunity to involve you here. So far we have been steering clear of the go codebase as (at least my) assumption is that the best path forward would be to upstream the changes from your fork instead of diverging in any way. I realize we have never really discussed that though :smile: Is upstreaming also what you're working towards?

shuchu commented 1 month ago

@EXPEbdodla which version did you check for this list of vulns? In the latest version (0.40.1), I didn't see this package: github.com/gogo/protobuf v1.2.1

EXPEbdodla commented 1 month ago

We are using google.golang.org/protobuf v1.34.2 version.

@tokoko We can do that. But we have a backlog item for using endpoint from feature_store.yaml for transformation server calls. Once we fix that, we can do that. And we also use Datadog for our monitoring. It's added in code. Easy to resolve.

shuchu commented 1 month ago

Sorry, it seems I asked the wrong person about the question... my bad, @EXPEbdodla. Apologies about this. @brijesh-vora-sp, which Feast version are you using to build the materialization engine?

brijesh-vora-sp commented 1 month ago

@shuchu I believe it was up to this commit https://github.com/feast-dev/feast/commit/c42d9fd6da85f098914d9113536bd826f7e17501 if I am not mistaken. This vulnerability list was created using CrowdStrike. Not sure where the github.com/gogo/protobuf one is coming from.

brijesh-vora-sp commented 1 month ago

Ok, so I cloned the repo and created a docker image on master (e675cbdaf638c6208cb09a41fe8ed34216c9b87f) on 09/23. Checked vulnerabilities again. Here are the updated ones:


brijesh-vora-sp commented 1 month ago

Most of these are coming from the python3.11 image used. Can you update that to the latest non-vulnerable image?

The image below is from Docker Desktop. So after building the image you can check in the vulnerabilities section if there are any.

shuchu commented 1 month ago

Thank you for all the details, @brijesh-vora-sp , let me work on this.