Critical Vulnerabilities in the published Docker image #171

Closed
rberg2 opened this issue Sep 29, 2022 · 2 comments

Comments

@rberg2

rberg2 commented Sep 29, 2022

Hello,

Could you please create a new Docker image? kishwars/pepper_deepvariant:r0.8 has a number of vulnerabilities flagged as critical and high by our security scanner. I can't deploy anything that is flagged at those levels. Or if you could share the Dockerfile used to create this image I can take a crack at it myself.

It looks like the issues are in

python 3.8
python 3.9
tensorflow
pillow
protobuf
ipython

Thanks!

Evaluation results
 - go vulnerabilities:package CRITICAL Vulnerability found in non-os package type (binary) - /opt/conda/bin/python3.9 (CVE-2015-20107 - https://nvd.nist.gov/vuln/detail/CVE-2015-20107)
 - go vulnerabilities:package CRITICAL Vulnerability found in non-os package type (binary) - /opt/conda/bin/python3.9 (CVE-2019-12900 - https://nvd.nist.gov/vuln/detail/CVE-2019-12900)
 - stop vulnerabilities:package CRITICAL Vulnerability found in non-os package type (binary) - /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/local_config_python/python_include/patchlevel.h (CVE-2021-29921 - https://nvd.nist.gov/vuln/detail/CVE-2021-29921)
 - stop vulnerabilities:package CRITICAL Vulnerability found in non-os package type (binary) - /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/local_config_python/python_include/patchlevel.h (CVE-2020-27619 - https://nvd.nist.gov/vuln/detail/CVE-2020-27619)
 - stop vulnerabilities:package CRITICAL Vulnerability found in non-os package type (binary) - /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/local_config_python/python_include/patchlevel.h (CVE-2021-3177 - https://nvd.nist.gov/vuln/detail/CVE-2021-3177)
 - go vulnerabilities:package CRITICAL Vulnerability found in non-os package type (binary) - /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/local_config_python/python_include/patchlevel.h (CVE-2015-20107 - https://nvd.nist.gov/vuln/detail/CVE-2015-20107)
 - go vulnerabilities:package CRITICAL Vulnerability found in non-os package type (binary) - /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/local_config_python/python_include/patchlevel.h (CVE-2019-12900 - https://nvd.nist.gov/vuln/detail/CVE-2019-12900)
 - stop vulnerabilities:package CRITICAL Vulnerability found in non-os package type (python) - /usr/local/lib/python3.8/dist-packages/Pillow (CVE-2022-22817 - https://nvd.nist.gov/vuln/detail/CVE-2022-22817)
 - stop vulnerabilities:package CRITICAL Vulnerability found in non-os package type (python) - /usr/local/lib/python3.8/dist-packages/Pillow (CVE-2022-24303 - https://nvd.nist.gov/vuln/detail/CVE-2022-24303)
 - stop vulnerabilities:package CRITICAL Vulnerability found in non-os package type (python) - /usr/local/lib/python3.8/dist-packages/Pillow (VULNDB-278400 - http://sysdigcloud-anchore-api:8228/v1/query/vulnerabilities?id=VULNDB-278400)
 - stop vulnerabilities:package CRITICAL Vulnerability found in non-os package type (python) - /usr/local/lib/python3.8/dist-packages/protobuf (VULNDB-243350 - http://sysdigcloud-anchore-api:8228/v1/query/vulnerabilities?id=VULNDB-243350)
 - stop vulnerabilities:package CRITICAL Vulnerability found in non-os package type (python) - /usr/local/lib/python3.8/dist-packages/protobuf (VULNDB-243351 - http://sysdigcloud-anchore-api:8228/v1/query/vulnerabilities?id=VULNDB-243351)
 - stop vulnerabilities:package HIGH Vulnerability found in non-os package type (binary) - /opt/conda/bin/python3.9 (fixed in: 3.10.3, 3.7.13, 3.8.13, 3.9.11)(VULNDB-284248 - http://sysdigcloud-anchore-api:8228/v1/query/vulnerabilities?id=VULNDB-284248)
 - stop vulnerabilities:package HIGH Vulnerability found in non-os package type (binary) - /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/local_config_python/python_include/patchlevel.h (fixed in: 3.8.3rc1, 3.7.8rc1, 3.6.11, 3.7.8, 3.6.11rc1, 3.5.10rc1)(VULNDB-222554 - http://sysdigcloud-anchore-api:8228/v1/query/vulnerabilities?id=VULNDB-222554)
 - stop vulnerabilities:package HIGH Vulnerability found in non-os package type (binary) - /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/local_config_python/python_include/patchlevel.h (fixed in: 3.6.12, 3.7.9, 3.5.10rc1)(VULNDB-232139 - http://sysdigcloud-anchore-api:8228/v1/query/vulnerabilities?id=VULNDB-232139)
 - stop vulnerabilities:package HIGH Vulnerability found in non-os package type (binary) - /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/local_config_python/python_include/patchlevel.h (fixed in: 3.9.5)(VULNDB-255505 - http://sysdigcloud-anchore-api:8228/v1/query/vulnerabilities?id=VULNDB-255505)
 - stop vulnerabilities:package HIGH Vulnerability found in non-os package type (binary) - /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/local_config_python/python_include/patchlevel.h (fixed in: 3.10.3, 3.7.13, 3.8.13, 3.9.11)(VULNDB-284248 - http://sysdigcloud-anchore-api:8228/v1/query/vulnerabilities?id=VULNDB-284248)
 - stop vulnerabilities:package HIGH Vulnerability found in non-os package type (python) - /usr/local/lib/python3.8/dist-packages/Pillow (fixed in: 9.0.0)(VULNDB-278401 - http://sysdigcloud-anchore-api:8228/v1/query/vulnerabilities?id=VULNDB-278401)
 - stop vulnerabilities:package HIGH Vulnerability found in non-os package type (python) - /usr/local/lib/python3.8/dist-packages/Pillow (fixed in: 9.0.0)(VULNDB-278565 - http://sysdigcloud-anchore-api:8228/v1/query/vulnerabilities?id=VULNDB-278565)
 - stop vulnerabilities:package HIGH Vulnerability found in non-os package type (python) - /usr/local/lib/python3.8/dist-packages/Pillow (fixed in: 9.0.0)(VULNDB-277515 - http://sysdigcloud-anchore-api:8228/v1/query/vulnerabilities?id=VULNDB-277515)
 - warn vulnerabilities:package HIGH Vulnerability found in non-os package type (binary) - /opt/conda/bin/python3.9 (CVE-2021-3737 - https://nvd.nist.gov/vuln/detail/CVE-2021-3737)
 - warn vulnerabilities:package HIGH Vulnerability found in non-os package type (binary) - /opt/conda/bin/python3.9 (CVE-2018-25032 - https://nvd.nist.gov/vuln/detail/CVE-2018-25032)
 - warn vulnerabilities:package HIGH Vulnerability found in non-os package type (binary) - /opt/conda/bin/python3.9 (CVE-2021-28861 - https://nvd.nist.gov/vuln/detail/CVE-2021-28861)
 - warn vulnerabilities:package HIGH Vulnerability found in non-os package type (binary) - /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/local_config_python/python_include/patchlevel.h (CVE-2020-26116 - https://nvd.nist.gov/vuln/detail/CVE-2020-26116)
 - warn vulnerabilities:package HIGH Vulnerability found in non-os package type (binary) - /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/local_config_python/python_include/patchlevel.h (CVE-2022-0391 - https://nvd.nist.gov/vuln/detail/CVE-2022-0391)
 - warn vulnerabilities:package HIGH Vulnerability found in non-os package type (binary) - /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/local_config_python/python_include/patchlevel.h (CVE-2021-3737 - https://nvd.nist.gov/vuln/detail/CVE-2021-3737)
 - warn vulnerabilities:package HIGH Vulnerability found in non-os package type (binary) - /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/local_config_python/python_include/patchlevel.h (CVE-2019-20907 - https://nvd.nist.gov/vuln/detail/CVE-2019-20907)
 - warn vulnerabilities:package HIGH Vulnerability found in non-os package type (binary) - /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/local_config_python/python_include/patchlevel.h (CVE-2021-28861 - https://nvd.nist.gov/vuln/detail/CVE-2021-28861)
 - warn vulnerabilities:package HIGH Vulnerability found in non-os package type (binary) - /usr/local/lib/python3.8/dist-packages/tensorflow/include/external/local_config_python/python_include/patchlevel.h (CVE-2018-25032 - https://nvd.nist.gov/vuln/detail/CVE-2018-25032)
 - warn vulnerabilities:package HIGH Vulnerability found in non-os package type (python) - /usr/local/lib/python3.8/dist-packages/ipython (CVE-2022-21699 - https://nvd.nist.gov/vuln/detail/CVE-2022-21699)
 - warn secret_scans:content_regex_checks Secret content search analyzer found regexp match in container: file=/usr/local/lib/python3.8/dist-packages/future/backports/test/badcert.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+
 - warn secret_scans:content_regex_checks Secret content search analyzer found regexp match in container: file=/usr/local/lib/python3.8/dist-packages/future/backports/test/badkey.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+
 - warn secret_scans:content_regex_checks Secret content search analyzer found regexp match in container: file=/usr/local/lib/python3.8/dist-packages/future/backports/test/keycert2.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+
 - warn secret_scans:content_regex_checks Secret content search analyzer found regexp match in container: file=/usr/local/lib/python3.8/dist-packages/future/backports/test/keycert.passwd.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+
 - warn secret_scans:content_regex_checks Secret content search analyzer found regexp match in container: file=/usr/local/lib/python3.8/dist-packages/future/backports/test/keycert.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+
 - warn secret_scans:content_regex_checks Secret content search analyzer found regexp match in container: file=/usr/local/lib/python3.8/dist-packages/future/backports/test/ssl_key.passwd.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+
 - warn secret_scans:content_regex_checks Secret content search analyzer found regexp match in container: file=/usr/local/lib/python3.8/dist-packages/future/backports/test/ssl_key.pem regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+
 - warn secret_scans:content_regex_checks Secret content search analyzer found regexp match in container: file=/usr/local/lib/python3.8/dist-packages/tornado/test/test.key regexp=PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+
@kishwarshafin
Owner

@rberg2 , sure, can you please send me an email at shafin@google.com?

@rberg2
Author

rberg2 commented Oct 3, 2022

These issues are coming from the deepvariant image. I am going to close this ticket out.

@rberg2 rberg2 closed this as not planned on Oct 3, 2022