pont-us
commented
2 years ago A few notes:
- Quay.io's vulnerability scanner works by checking package versions against a CVE database, so the warnings are related known vulnerabilities in dependencies rather than any code analysis of xcube itself.
- Some of these warnings look questionable: for instance, CVE-2020-27619 is only present in Python <=3.9.0, but reported here by Quay.io against 3.9.2.
- Other grounds for scepticism: the clearly erroneous "fixed in version: 0.0" for many of the warnings, and the sudden jump in the number of supposed vulnerabilities.
- I've already encountered spurious warnings from Quay.io for the AVL user image, so it's evidently not entirely trustworthy.
I wanted to force a re-run of the scan to see if the warnings were due to some temporary problem at Quay.io; unfortunately this doesn't seem to be possible.
Is your feature request related to a problem? Please describe. On Quay.io we get Security alerts for our docker images. These need to be addressed. https://quay.io/repository/bcdev/xcube?tab=tags&tag=latest