kishwarshafin / pepper

PEPPER-Margin-DeepVariant
MIT License

Critical Vulnerabilities in the published Docker image #171

Closed rberg2 closed 2 years ago

rberg2 commented 2 years ago

Hello,

Could you please create a new Docker image? kishwars/pepper_deepvariant:r0.8 has a number of vulnerabilities flagged as critical and high by our security scanner. I can't deploy anything that is flagged at those levels. Or if you could share the Dockerfile used to create this image I can take a crack at it myself.

It looks like the issues are in:
 - python 3.8
 - python 3.9
 - tensorflow
 - pillow
 - protobuf
 - ipython

Thanks!

Evaluation results
 - go vulnerabilities:package CRITICAL Vulnerability found in non-os package type (binary) - /opt/conda/bin/python3.9 (CVE-2015-20107 - https://nvd.nist.gov/vuln/detail/CVE-2015-20107)
 - go vulnerabilities:package CRITICAL Vulnerability found in non-os package type (binary) - /opt/conda/bin/python3.9 (CVE-2019-12900 - https://nvd.nist.gov/vuln/detail/CVE-2019-12900)
 - stop vulnerabilities:package CRITICAL Vulnerability found in non-os package type (binary) - /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/local_config_python/python_include/patchlevel.h (CVE-2021-29921 - https://nvd.nist.gov/vuln/detail/CVE-2021-29921)
 - stop vulnerabilities:package CRITICAL Vulnerability found in non-os package type (binary) - /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/local_config_python/python_include/patchlevel.h (CVE-2020-27619 - https://nvd.nist.gov/vuln/detail/CVE-2020-27619)
 - stop vulnerabilities:package CRITICAL Vulnerability found in non-os package type (binary) - /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/local_config_python/python_include/patchlevel.h (CVE-2021-3177 - https://nvd.nist.gov/vuln/detail/CVE-2021-3177)
 - go vulnerabilities:package CRITICAL Vulnerability found in non-os package type (binary) - /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/local_config_python/python_include/patchlevel.h (CVE-2015-20107 - https://nvd.nist.gov/vuln/detail/CVE-2015-20107)
 - go vulnerabilities:package CRITICAL Vulnerability found in non-os package type (binary) - /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/local_config_python/python_include/patchlevel.h (CVE-2019-12900 - https://nvd.nist.gov/vuln/detail/CVE-2019-12900)
 - stop vulnerabilities:package CRITICAL Vulnerability found in non-os package type (python) - /usr/local/lib/python3.8/dist-packages/Pillow (CVE-2022-22817 - https://nvd.nist.gov/vuln/detail/CVE-2022-22817)
 - stop vulnerabilities:package CRITICAL Vulnerability found in non-os package type (python) - /usr/local/lib/python3.8/dist-packages/Pillow (CVE-2022-24303 - https://nvd.nist.gov/vuln/detail/CVE-2022-24303)
 - stop vulnerabilities:package CRITICAL Vulnerability found in non-os package type (python) - /usr/local/lib/python3.8/dist-packages/Pillow (VULNDB-278400 - http://sysdigcloud-anchore-api:8228/v1/query/vulnerabilities?id=VULNDB-278400)
 - stop vulnerabilities:package CRITICAL Vulnerability found in non-os package type (python) - /usr/local/lib/python3.8/dist-packages/protobuf (VULNDB-243350 - http://sysdigcloud-anchore-api:8228/v1/query/vulnerabilities?id=VULNDB-243350)
 - stop vulnerabilities:package CRITICAL Vulnerability found in non-os package type (python) - /usr/local/lib/python3.8/dist-packages/protobuf (VULNDB-243351 - http://sysdigcloud-anchore-api:8228/v1/query/vulnerabilities?id=VULNDB-243351)
 - stop vulnerabilities:package HIGH Vulnerability found in non-os package type (binary) - /opt/conda/bin/python3.9 (fixed in: 3.10.3, 3.7.13, 3.8.13, 3.9.11)(VULNDB-284248 - http://sysdigcloud-anchore-api:8228/v1/query/vulnerabilities?id=VULNDB-284248)
 - stop vulnerabilities:package HIGH Vulnerability found in non-os package type (binary) - /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/local_config_python/python_include/patchlevel.h (fixed in: 3.8.3rc1, 3.7.8rc1, 3.6.11, 3.7.8, 3.6.11rc1, 3.5.10rc1)(VULNDB-222554 - http://sysdigcloud-anchore-api:8228/v1/query/vulnerabilities?id=VULNDB-222554)
 - stop vulnerabilities:package HIGH Vulnerability found in non-os package type (binary) - /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/local_config_python/python_include/patchlevel.h (fixed in: 3.6.12, 3.7.9, 3.5.10rc1)(VULNDB-232139 - http://sysdigcloud-anchore-api:8228/v1/query/vulnerabilities?id=VULNDB-232139)
 - stop vulnerabilities:package HIGH Vulnerability found in non-os package type (binary) - /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/local_config_python/python_include/patchlevel.h (fixed in: 3.9.5)(VULNDB-255505 - http://sysdigcloud-anchore-api:8228/v1/query/vulnerabilities?id=VULNDB-255505)
 - stop vulnerabilities:package HIGH Vulnerability found in non-os package type (binary) - /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/local_config_python/python_include/patchlevel.h (fixed in: 3.10.3, 3.7.13, 3.8.13, 3.9.11)(VULNDB-284248 - http://sysdigcloud-anchore-api:8228/v1/query/vulnerabilities?id=VULNDB-284248)
 - stop vulnerabilities:package HIGH Vulnerability found in non-os package type (python) - /usr/local/lib/python3.8/dist-packages/Pillow (fixed in: 9.0.0)(VULNDB-278401 - http://sysdigcloud-anchore-api:8228/v1/query/vulnerabilities?id=VULNDB-278401)
 - stop vulnerabilities:package HIGH Vulnerability found in non-os package type (python) - /usr/local/lib/python3.8/dist-packages/Pillow (fixed in: 9.0.0)(VULNDB-278565 - http://sysdigcloud-anchore-api:8228/v1/query/vulnerabilities?id=VULNDB-278565)
 - stop vulnerabilities:package HIGH Vulnerability found in non-os package type (python) - /usr/local/lib/python3.8/dist-packages/Pillow (fixed in: 9.0.0)(VULNDB-277515 - http://sysdigcloud-anchore-api:8228/v1/query/vulnerabilities?id=VULNDB-277515)
 - warn vulnerabilities:package HIGH Vulnerability found in non-os package type (binary) - /opt/conda/bin/python3.9 (CVE-2021-3737 - https://nvd.nist.gov/vuln/detail/CVE-2021-3737)
 - warn vulnerabilities:package HIGH Vulnerability found in non-os package type (binary) - /opt/conda/bin/python3.9 (CVE-2018-25032 - https://nvd.nist.gov/vuln/detail/CVE-2018-25032)
 - warn vulnerabilities:package HIGH Vulnerability found in non-os package type (binary) - /opt/conda/bin/python3.9 (CVE-2021-28861 - https://nvd.nist.gov/vuln/detail/CVE-2021-28861)
 - warn vulnerabilities:package HIGH Vulnerability found in non-os package type (binary) - /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/local_config_python/python_include/patchlevel.h (CVE-2020-26116 - https://nvd.nist.gov/vuln/detail/CVE-2020-26116)
 - warn vulnerabilities:package HIGH Vulnerability found in non-os package type (binary) - /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/local_config_python/python_include/patchlevel.h (CVE-2022-0391 - https://nvd.nist.gov/vuln/detail/CVE-2022-0391)
 - warn vulnerabilities:package HIGH Vulnerability found in non-os package type (binary) - /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/local_config_python/python_include/patchlevel.h (CVE-2021-3737 - https://nvd.nist.gov/vuln/detail/CVE-2021-3737)
 - warn vulnerabilities:package HIGH Vulnerability found in non-os package type (binary) - /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/local_config_python/python_include/patchlevel.h (CVE-2019-20907 - https://nvd.nist.gov/vuln/detail/CVE-2019-20907)
 - warn vulnerabilities:package HIGH Vulnerability found in non-os package type (binary) - /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/local_config_python/python_include/patchlevel.h (CVE-2021-28861 - https://nvd.nist.gov/vuln/detail/CVE-2021-28861)
 - warn vulnerabilities:package HIGH Vulnerability found in non-os package type (binary) - /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/local_config_python/python_include/patchlevel.h (CVE-2018-25032 - https://nvd.nist.gov/vuln/detail/CVE-2018-25032)
 - warn vulnerabilities:package HIGH Vulnerability found in non-os package type (python) - /usr/local/lib/python3.8/dist-packages/ipython (CVE-2022-21699 - https://nvd.nist.gov/vuln/detail/CVE-2022-21699)
 - warn secret_scans:content_regex_checks Secret content search analyzer found regexp match in container: file=/usr/local/lib/python3.8/dist-packages/future/backports/test/badcert.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+
 - warn secret_scans:content_regex_checks Secret content search analyzer found regexp match in container: file=/usr/local/lib/python3.8/dist-packages/future/backports/test/badkey.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+
 - warn secret_scans:content_regex_checks Secret content search analyzer found regexp match in container: file=/usr/local/lib/python3.8/dist-packages/future/backports/test/keycert2.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+
 - warn secret_scans:content_regex_checks Secret content search analyzer found regexp match in container: file=/usr/local/lib/python3.8/dist-packages/future/backports/test/keycert.passwd.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+
 - warn secret_scans:content_regex_checks Secret content search analyzer found regexp match in container: file=/usr/local/lib/python3.8/dist-packages/future/backports/test/keycert.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+
 - warn secret_scans:content_regex_checks Secret content search analyzer found regexp match in container: file=/usr/local/lib/python3.8/dist-packages/future/backports/test/ssl_key.passwd.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+
 - warn secret_scans:content_regex_checks Secret content search analyzer found regexp match in container: file=/usr/local/lib/python3.8/dist-packages/future/backports/test/ssl_key.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+
 - warn secret_scans:content_regex_checks Secret content search analyzer found regexp match in container: file=/usr/local/lib/python3.8/dist-packages/tornado/test/test.key regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+

kishwarshafin commented 2 years ago

@rberg2 , sure, can you please send me an email at shafin@google.com?

rberg2 commented 2 years ago

These issues are coming from the deepvariant image. I am going to close this ticket out.