Add alpine tag for container #164
Comments
|
Hi @evan361425 https://nvd.nist.gov/vuln/detail/CVE-2021-3177 Did you find these CVEs in the Dockerhub image or the public ECR image? |
|
I found it in Docker Hub image. $ docker run --net=host -e AWS_REGION=ap-northeast-1 -d amazon/aws-xray-daemon -o
87a4e6fc6975816793ca648a42f116fedfc242e0d9d427f84357622a98269110
$ ls -l /usr/lib64 | grep python
-rwxr-xr-x 1 root root 1790912 Jun 10 2021 libpython2.7.so.1.0
drwxr-xr-x 27 root root 20480 Dec 1 18:20 python2.7And the vulnerable file is |
|
Hi @evan361425 At this point I'm not sure if we remove the Python module from the image, it won't break its functionality or have other implications. Since the daemon itself is a GoLang program and doesn't use Python in any form, I believe these vulnerabilities are not exploitable for the daemon. |
|
Hi @srprash. If removing the vulnerable package will break the functionality then we are using the vulnerable package implicitly and we should fix it. If not then removing it makes this issue kind of enhancement request. Making container image more tiny is a good practice anyway. The reason I open this issue is Trivy detect the vulnerable package and start warning. Trivy don't know whether application use the package or not. It just detect the existence of vulnerability. For your information I have remove the package and commit a new tag myself to fix Trivy warning and it works fine in lab environment. |
Using Amazon 2 will detected the CVEs by Trivy
Although we are not using python, it still exist in the OS. Could we add more tags for different OS or delete some unused packages(e.g.
usr/lib64/python2.7/lib-dynload/Python-2.7.18-py2.7.egg-info) when building image?The text was updated successfully, but these errors were encountered: