When scanning the python:3.12-slim image with the OSS scan tool Black Duck, the result shows an Exact Directory match to a component aplonks/plonkc, which is a GitHub repo without a license.

It’s confusing that the directory /etc/ssl/certs of the image is identified by Black Duck with 5% Match Score to this GitHub repo APlonks/plonkc which has no license.

It brings license risks if a project is built with python:3.12-slim as the base image.

Has anyone encountered the same issue, and does anyone have an idea about how to deal with it?

Are you saying that Python copied from this repository? Because I don’t see any evidence of that. Look into what’s actually duplicated there.

Wild guess but files in /etc/ssl/certs likely come from a public source for a trust store.

What is “the python:3.12-slim image”?

This is most likely a false positive/irrelevant match from the scanning tool as the files in /etc/certs are most probably coming from the os base image/packages in both cases and the linked repo seems to have committed a root file system.

Any blackbox scanning tool like this will necessarily need manual verification of its results, and you’re probably better off getting help for that in that tool’s channels.

2 Likes
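One way to substantiate the explanation above (that the matched files come from an OS package, not from the repository) is to reproduce what `dpkg -S` and `dpkg --verify` record for a Debian-based image: resolve each entry under `/etc/ssl/certs` to its target, look the target up in `/var/lib/dpkg/info/<pkg>.list`, and compare the file's md5 with `<pkg>.md5sums`. This is an added example, not code from any poster; the file names, the root directory layout and the certificate contents in `demo()` are constructed so it runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def owning_packages(target, info_dir):
    """Packages whose .list file records `target` (offline equivalent of `dpkg -S`)."""
    return [p.stem for p in Path(info_dir).glob("*.list")
            if target in p.read_text().splitlines()]

def md5_matches(pkg, target, info_dir, root):
    """True if the file on disk hashes to the md5 the package's .md5sums recorded."""
    sums = Path(info_dir) / f"{pkg}.md5sums"
    if not sums.exists():          # some packages ship no md5sums; treat as unverified
        return False
    recorded = {}
    for line in sums.read_text().splitlines():
        digest, _, rel = line.partition("  ")   # format: "<md5>  relative/path"
        recorded["/" + rel] = digest
    data = (Path(root) / target.lstrip("/")).read_bytes()
    return recorded.get(target) == hashlib.md5(data).hexdigest()

def classify_cert_dir(cert_dir, info_dir, root):
    """Map each entry of cert_dir to (resolved target, owning packages, md5 verified)."""
    root = Path(root).resolve()
    report = {}
    for entry in sorted((root / cert_dir.lstrip("/")).iterdir()):
        target = "/" + os.path.relpath(entry.resolve(), root)   # path as dpkg would record it
        owners = owning_packages(target, info_dir)
        verified = any(md5_matches(p, target, info_dir, root) for p in owners)
        report[entry.name] = (target, owners, verified)
    return report

def demo():
    """Constructed image root: one cert owned by ca-certificates plus one stray file."""
    root = Path(tempfile.mkdtemp()).resolve()
    info, share, certs = (root / "var/lib/dpkg/info",
                          root / "usr/share/ca-certificates/mozilla", root / "etc/ssl/certs")
    for d in (info, share, certs):
        d.mkdir(parents=True)
    pem = b"-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
    (share / "Example_Root.crt").write_bytes(pem)
    (info / "ca-certificates.list").write_text("/usr/share/ca-certificates/mozilla/Example_Root.crt\n")
    (info / "ca-certificates.md5sums").write_text(
        f"{hashlib.md5(pem).hexdigest()}  usr/share/ca-certificates/mozilla/Example_Root.crt\n")
    os.symlink(share / "Example_Root.crt", certs / "Example_Root.pem")  # as update-ca-certificates does
    (certs / "stray.pem").write_bytes(b"not from any package\n")       # what a real copied file looks like
    return classify_cert_dir("/etc/ssl/certs", info, root)
```

Against a real container, run the same functions with `root="/"` and `info_dir="/var/lib/dpkg/info"`; an entry that resolves to a package-owned, hash-verified file is OS provenance, and only unowned entries like `stray.pem` warrant a closer look.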

A Docker tag presumably. I would assume for an image built from:

At least, according to: python - Official Image | Docker Hub

More precision is needed for a proper bug report of course.

But that says “Maintained by: the Docker Community” and “Where to get help: the Docker Community Slack, Server Fault, Unix & Linux, or Stack Overflow”.

This would be far from the first time someone’s asked for help here, despite it being the wrong place.

1 Like