Open rocketnova opened 2 months ago
Problem
The Anchore scans are currently failing due to a package vulnerability issue. The security vuln is CVE-2024-26130, which impacts the python cryptography package starting in version 38.0.0 and prior to version 42.0.4.

Context
The test app (/app) installs the aws-cli tool in an alpine image. The cryptography package is a required dependency for aws-cli v2. aws-cli has an open dependabot issue for addressing this vuln.
aws-cli is 2.15.47, which requires "cryptography>=3.3.2,<40.0.2".
aws-cli available on alpine 3.19.1 is 2.13.25-r0, which requires "cryptography>=3.3.2,<40.0.2".
cryptography available on alpine 3.19.1 is 41.0.7-r0.
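
A triage check over the version facts in this issue, added here as an example and not part of the original report or of either project: it tests whether a cryptography version falls in the affected range and whether a pin's upper bound can ever admit the fixed release. The function names are hypothetical, and the parser assumes plain dotted versions with an optional Alpine `-rN` suffix.

```python
import operator
import re

# Values below are taken from the issue text.
VULN_START = "38.0.0"   # first affected cryptography release
VULN_FIXED = "42.0.4"   # first release outside the affected range
AWSCLI_PIN = "cryptography>=3.3.2,<40.0.2"
ALPINE_CRYPTOGRAPHY = "41.0.7-r0"

OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
       ">": operator.gt, "<": operator.lt}

def parse(version):
    """'41.0.7-r0' -> (41, 0, 7); the Alpine '-rN' package revision is dropped."""
    return tuple(int(p) for p in version.split("-r", 1)[0].split("."))

def clauses(pin):
    """Split a simple 'name>=a,<b' pin into [(op, version_tuple), ...]."""
    spec = re.sub(r"^[A-Za-z0-9_.-]+", "", pin.strip())  # strip the package name
    out = []
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|>|<)\s*([0-9.]+)\s*", clause)
        if m is None:
            raise ValueError(f"unsupported clause: {clause!r}")
        out.append((m.group(1), parse(m.group(2))))
    return out

def is_affected(version):
    """True if the version lies in [VULN_START, VULN_FIXED)."""
    return parse(VULN_START) <= parse(version) < parse(VULN_FIXED)

def satisfies(version, pin):
    """True if the version meets every clause of the pin."""
    v = parse(version)
    return all(OPS[op](v, bound) for op, bound in clauses(pin))

def pin_admits_fix(pin):
    """True if some version >= VULN_FIXED can pass the pin's upper bounds."""
    fixed = parse(VULN_FIXED)
    for op, bound in clauses(pin):
        if op == "<" and bound <= fixed:
            return False
        if op in ("<=", "==") and bound < fixed:
            return False
    return True

if __name__ == "__main__":
    print("alpine cryptography affected:", is_affected(ALPINE_CRYPTOGRAPHY))
    print("alpine cryptography within aws-cli pin:", satisfies(ALPINE_CRYPTOGRAPHY, AWSCLI_PIN))
    print("aws-cli pin can admit the fixed release:", pin_admits_fix(AWSCLI_PIN))
```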