Vulnerabilities [ "CVE-2021-3450","CVE-2021-3449","CVE-2021-3450","CVE-2021-3449" ] found against various alpine versions of python

[ankitsrao]

Hi Team,

Vulnerabilities [ "CVE-2021-3450","CVE-2021-3449","CVE-2021-3450","CVE-2021-3449" ] found against various alpine versions of python3.7.

This seems to be an additional strict check proposed.
Request to provide some help around the resolution of the same.

Thanks,

[wglambert]

The Python images were just updated 12 days ago, and currently all packages are at their latest version

$ docker run -it --rm python:3.7-alpine sh
/ # apk update
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
v3.13.2-132-gce231d64d5 [https://dl-cdn.alpinelinux.org/alpine/v3.13/main]
v3.13.3-2-g3f5c5c2567 [https://dl-cdn.alpinelinux.org/alpine/v3.13/community]
OK: 13884 distinct packages available
/ # apk list -u
/ #

See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves
And docker-library/openjdk#449 (comment), docker-library/postgres#286 (comment) docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, #152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).