Hi, I installed Python version 3.11.4 via its package Python-3.11.4.tgz on a CentOS 7 based Docker container image. Image scanning via Google Scanner displays 19 High vulnerabilities (snapshot attached). Any plans to fix those vulnerabilities?
I am working on a critical project and cannot proceed with a vulnerable image; kindly provide input.
Hmm, those don’t appear to be vulnerabilities in Python, they’re listed as being in the kernel-headers. I checked a few of the CVEs listed and they’re all part of the Linux kernel. Not much we can do about those; you’ll have to judge for yourself how severe they actually are.
Such requirements typically can only be provided by a commercial vendor; in general, an open source project by itself will not provide any agreement or guarantees about vulnerability management.
There are many commercial vendors you could reach out to that may satisfy your needs, e.g. Red Hat, Anaconda, ActiveState, etc.
It is the container that has the CVE problem, not Python, as the report makes clear.
It seems you are not familiar with interpreting these security reports.
You will need to know what your security risk model is and how the CVEs impact your usage. Some CVEs may not be exploitable, for example, while others may be very serious.
Looking at the report, I understand it doesn't seem to be from Python.
To test that, first I created the image with just the CentOS base, without installing Python, and got 0 Critical and 0 High vulnerabilities.
After that, I created the image by installing Python 3.11.4 on top of the CentOS image and got the 19 High ones which I shared above. So I had this doubt about whether it is from Python.
You’re correct Barry, I am not a security expert. I may need to check with security team.
Thanks Damian for the information.
You may find that the process of installing Python into the container pulled in other packages.
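One way to check that last point, as an added example that is not part of the original thread: compare the package list of the base image with that of the built image, then attribute each scanner finding to a package and see whether that package was added by the build step. The `rpm -qa` style listings and the scanner findings below are constructed sample data embedded inline (no container is queried), and the CVE identifiers are placeholders rather than real ids.

```python
"""Attribute container scanner findings to packages added by a build step.

Added example; not code from the original thread or from the Python project.
All package listings and findings are constructed, and CVE ids are placeholders.
"""

# Constructed: `rpm -qa` style output from the base image (hypothetical versions).
BASE_IMAGE_PACKAGES = """\
bash-4.2.46-34.el7.x86_64
glibc-2.17-326.el7_9.x86_64
openssl-libs-1.0.2k-26.el7_9.x86_64
"""

# Constructed: the same listing after building Python pulled in build dependencies.
BUILT_IMAGE_PACKAGES = """\
bash-4.2.46-34.el7.x86_64
glibc-2.17-326.el7_9.x86_64
glibc-devel-2.17-326.el7_9.x86_64
kernel-headers-3.10.0-1160.el7.x86_64
gcc-4.8.5-44.el7.x86_64
openssl-libs-1.0.2k-26.el7_9.x86_64
"""

# Constructed scanner findings; the CVE values are placeholders, not real identifiers.
SCANNER_FINDINGS = [
    {"cve": "CVE-PLACEHOLDER-0001", "severity": "HIGH", "package": "kernel-headers"},
    {"cve": "CVE-PLACEHOLDER-0002", "severity": "HIGH", "package": "kernel-headers"},
    {"cve": "CVE-PLACEHOLDER-0003", "severity": "HIGH", "package": "kernel-headers"},
    {"cve": "CVE-PLACEHOLDER-0004", "severity": "MEDIUM", "package": "openssl-libs"},
]


def parse_rpm_list(text):
    """Map package name -> version-release.arch from `rpm -qa` style lines.

    Package names may contain dashes (kernel-headers, glibc-devel) but the
    version and release fields do not, so splitting off the last two
    dash-separated fields isolates the name reliably.
    """
    packages = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, version, release_arch = line.rsplit("-", 2)
        packages[name] = f"{version}-{release_arch}"
    return packages


def added_packages(base_text, built_text):
    """Return the sorted names of packages present in the built image but not the base."""
    base = parse_rpm_list(base_text)
    built = parse_rpm_list(built_text)
    return sorted(name for name in built if name not in base)


def attribute_findings(base_text, built_text, findings, severities=("CRITICAL", "HIGH")):
    """Group findings of the given severities by package and say where the package came from.

    Each entry records whether the package was already in the base image or was
    introduced by the build step, which is what decides whether the finding has
    anything to do with the software being built.
    """
    base = parse_rpm_list(base_text)
    added = set(added_packages(base_text, built_text))
    report = {}
    for finding in findings:
        if finding["severity"].upper() not in severities:
            continue
        entry = report.setdefault(finding["package"], {
            "cves": [],
            "present_in_base": finding["package"] in base,
            "introduced_by_build": finding["package"] in added,
        })
        entry["cves"].append(finding["cve"])
    return report


def build_introduced_packages(report):
    """Names of flagged packages that only arrived with the build step."""
    return sorted(name for name, entry in report.items() if entry["introduced_by_build"])


if __name__ == "__main__":
    report = attribute_findings(BASE_IMAGE_PACKAGES, BUILT_IMAGE_PACKAGES, SCANNER_FINDINGS)
    for name, entry in report.items():
        origin = "added by build" if entry["introduced_by_build"] else "in base image"
        print(f"{name}: {len(entry['cves'])} finding(s), {origin}")
```

To use this against real images, capture `rpm -qa` from the base image and from the built image (for example with `docker run --rm <image> rpm -qa`) and feed those listings plus the scanner's exported findings into `attribute_findings`. A flagged package that appears only in the built image was pulled in by the build (here the compiler tool-chain and kernel-headers), which points at removing or replacing build dependencies in the final image rather than at the Python source itself.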