Quay.io's vulnerability scanner works by checking package versions against a CVE database, so the warnings are related to known vulnerabilities in dependencies rather than any code analysis of xcube itself.
Some of these warnings look questionable: for instance, CVE-2020-27619 is only present in Python <=3.9.0, but reported here by Quay.io against 3.9.2.
Other grounds for scepticism: the clearly erroneous "fixed in version: 0.0" for many of the warnings, and the sudden jump in the number of supposed vulnerabilities.
I've already encountered spurious warnings from Quay.io for the AVL user image, so it's evidently not entirely trustworthy.
I wanted to force a re-run of the scan to see if the warnings were due to some temporary problem at Quay.io; unfortunately this doesn't seem to be possible.
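The sanity checks described in the comment above (installed version outside the affected range, a placeholder "fixed in" version) can be applied mechanically to a scanner report. The following is an added example, not part of the original thread and not Quay.io's code: the field names (`installed`, `fixed_in`, `last_affected`) and the sample records are constructed, and versions are assumed to be plain dotted numbers.

```python
import re

def parse_version(text):
    """'3.9.2' or '3.9.2-1' -> (3, 9, 2); None when there are no digits."""
    nums = re.findall(r"\d+", (text or "").split("-")[0])
    return tuple(int(n) for n in nums) if nums else None

def newer(a, b):
    """True if version tuple a is strictly newer than b (zero-padded compare)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) > b + (0,) * (n - len(b))

def triage(finding):
    """Classify one scanner finding as plausible or suspect, with a reason."""
    installed = parse_version(finding.get("installed"))
    fixed_in = parse_version(finding.get("fixed_in"))
    last_affected = parse_version(finding.get("last_affected"))
    if installed is None:
        return "review: installed version not parseable"
    # A fix version of all zeros (e.g. "0.0") is a placeholder, not a real release.
    if fixed_in is not None and not any(fixed_in):
        return "suspect: placeholder fixed-in version"
    # Installed release is past the last release the advisory lists as affected.
    if last_affected is not None and newer(installed, last_affected):
        return "suspect: installed version newer than last affected"
    # Installed release is already at or past the fix.
    if fixed_in is not None and not newer(fixed_in, installed):
        return "suspect: installed version at or past the fix"
    return "plausible: check the package for an update"

# Constructed sample findings; only the first row's values come from the thread.
FINDINGS = [
    {"id": "CVE-2020-27619", "package": "python", "installed": "3.9.2", "last_affected": "3.9.0"},
    {"id": "CVE-PLACEHOLDER-1", "package": "examplelib", "installed": "1.4.0", "fixed_in": "0.0"},
    {"id": "CVE-PLACEHOLDER-2", "package": "otherlib", "installed": "2.1.0", "fixed_in": "2.1.3"},
]

def report(findings):
    """Map each finding id to its triage verdict."""
    return {f["id"]: triage(f) for f in findings}

if __name__ == "__main__":
    for cve, verdict in report(FINDINGS).items():
        print(f"{cve}: {verdict}")
```

Findings marked "suspect" still need a manual look at the advisory; the script only orders the review queue.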
Is your feature request related to a problem? Please describe.

On Quay.io we get Security alerts for our docker images. These need to be addressed.

https://quay.io/repository/bcdev/xcube?tab=tags&tag=latest