I’m looking for a bit of help on versioning… I’m looking at some code that pulls a Docker container that uses version python:3.12-alpine, which is great and works as expected, but looking here, it shows the image has 39 vulnerabilities from a score of 9.8, which I just don’t want to incorporate.
I then started looking at other Python/Alpine images and that’s where I just get totally confused. If I search here for images, for example 3.11.14-alpine3.23 has fewer vulnerabilities, but surely 3.11 is an older version than 3.12-alpine?
Can someone clarify? I am after a Python 3 image with Alpine, with fewer CVEs.
Only 5 of those 38 CVEs have anything to do with Python. Most of them relate to the expat package, in fact.
If avoiding nuisance CVEs is more important than Docker image and container size (or running musl) and stability, perhaps pick a more security-focussed distro for the base image than Alpine. Or at the very least, the most up-to-date one with the latest fixes.
Or do the super lightweight images still have all those packages with CVEs pre-installed? If not, a multi-stage Docker build need not have those packages in the final image.
Also, for example, I haven’t checked that these bugs have actually been fixed. But they are old news.
The two setuptools ones both affect v68.2.2 (from Sept 2023). As of today, the latest version is 80.10.2. Similarly the pip CVE affects 23.2.1 (July 2023), but it is now on 25.3. Wheel, with a CVE for v0.41.2 (Aug 2023), is now on v0.46.3.
Furthermore, the attack vectors all require supply chain vulnerabilities of one sort or another. If malicious packages are being installed, there are far bigger problems to worry about than CVE lists. The pip one only affected Mercurial VCSs too, instead of Git (probably why it went unnoticed).
Attackers can craft a malicious wheel file that, when unpacked,
If these functions are exposed to user-controlled inputs, such as package URLs
this could be exploited … via malicious URLs present on the pages of a package index.
This vulnerability does not affect users who aren’t installing from Mercurial.
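To make the two points above concrete (a multi-stage build that keeps the installer packages out of the final image, and upgrading pip/setuptools/wheel away from the old versions the image ships with), here is an added example Dockerfile. It is not code from the thread or from the official python image project; it assumes a requirements.txt and an app/ directory containing main.py exist next to the Dockerfile.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not from the thread. Stage 1 builds a virtualenv using freshly
# upgraded pip/setuptools/wheel; stage 2 ships only that venv and has the
# installer packages removed, so the dated bundled versions are not present.
# Assumptions: requirements.txt and app/main.py exist in the build context.

FROM python:3.12-alpine AS builder
# Compiler toolchain for packages that need building; it never reaches stage 2.
RUN apk add --no-cache build-base
RUN python -m venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"
# Upgrade the packaging tools inside the venv before using them to install anything.
RUN pip install --no-cache-dir --upgrade pip setuptools wheel
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
# The venv only needs the installed dependencies, not the installer itself.
RUN pip uninstall -y pip setuptools wheel

FROM python:3.12-alpine
# Pull in the latest fixed builds of the OS packages (expat and friends) for this Alpine release.
RUN apk upgrade --no-cache
# Remove the base image's own copies of the packaging tools as well.
RUN pip uninstall -y pip setuptools wheel
COPY --from=builder /opt/venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"
WORKDIR /app
COPY app/ .
# Run the application as an unprivileged user.
RUN adduser -D -H app && chown -R app:app /app
USER app
CMD ["python", "main.py"]
```

Build with `docker build -t myapp .` and then rescan the result. Two caveats: the final image still carries the base image's OS packages, so `apk upgrade` only helps once Alpine has published a fixed build, and CPython's `ensurepip` module keeps a bundled pip wheel under the standard library, which some scanners still report even after `pip uninstall`; if that count matters to you, check what your scanner matched on before deciding the image is "clean".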