Grype detects a critical vulnerability in python:3.13.3-alpine #1029

Closed
JoanaPedrosoDiconium opened this issue Apr 14, 2025 · 2 comments

Comments

JoanaPedrosoDiconium commented Apr 14, 2025

Hello

We're using python:3.13.3-alpine3.20 as the base of one of our images and we use Grype v0.87.0 to scan our container. Since today it is detecting the following vulnerabilities:

[screenshot: Grype scan output]

As you can see it detects a critical one for sqlite-libs 3.45.3-r1

I also tried with alpine 3.21 and it's the same:

[screenshot: Grype scan output]

I checked the docker-hub tag information: python:3.13.3-alpine3.20 and python:3.13.3-alpine3.21 and in none does this vulnerability appear, maybe because the scanning tool is different.

Do you have a prediction for when this vulnerability will be fixed?

Thank you
Joana

@yosifkit (Member)

It seems like the fix was added to Alpine 3.20 and 3.21 just 6 hours ago, so it wouldn't have been picked up in 3.13 by our most recent image builds from the version bumps last week (#1018 and docker-library/official-images#18803).


Background:

Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (i.e., an image FROM debian:bookworm would be rebuilt when debian:bookworm is built).

- https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/0ad5fd60288109c875a54a37f6581b2deaa836db#why-does-my-security-scanner-show-that-an-image-has-cves

To ensure that we don't push contentless image changes, we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link


So, to answer the question on when, it is either when there is a Python release or other useful Dockerfile change, or when there is an Alpine base image change. Alpine historically updates at their 6-month release cycle (roughly May and November/December), or if there is a vulnerable package in the base image (see alpine update PRs to Docker Official Images).

🔨 If users need updated packages sooner, then they should apk upgrade or apt-get upgrade as appropriate in their own images FROM python:*.
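The "upgrade in your own image" mitigation from the comment above, as an added example (not code from the docker-library/python project); it assumes the `python:3.13.3-alpine3.20` tag from the report and a placeholder `app.py`, and it assumes that `apk version -l '<'` marks still-outdated packages with a `<` in its output.

```dockerfile
# Added example: derived image that pulls in Alpine package fixes as soon as
# Alpine publishes them, without waiting for the official base image rebuild.
# Pin the exact base tag you scan, so the scan result describes this build.
FROM python:3.13.3-alpine3.20

# Refresh the package index, upgrade every installed package to the newest
# version in the Alpine 3.20 repositories, then verify that no package is
# still behind the repository (assumption: `apk version -l '<'` prints one
# line containing '<' per outdated package). Drop the index afterwards so
# it does not bloat the layer.
RUN apk update \
 && apk upgrade \
 && test "$(apk version -l '<' | grep -c '<')" -eq 0 \
 && rm -rf /var/cache/apk/*

# For Debian-based tags (for example python:3.13.3-bookworm) the equivalent is:
# RUN apt-get update && apt-get upgrade -y && rm -rf /var/lib/apt/lists/*

# Placeholder application; replace with your own.
COPY app.py /app/app.py
CMD ["python", "/app/app.py"]
```

Note that this only helps once the distribution has published the fixed package; until then the derived image carries the same version as the base, and the scanner will keep reporting it.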

@tianon tianon closed this as completed Apr 21, 2025

JoanaPedrosoDiconium commented Apr 22, 2025

[screenshot: Grype scan output]

Apparently the vulnerability was downgraded to Low, so my pipeline no longer fails (it's set to fail on Critical CVEs).
Thank you for your response
