-
-
Notifications
You must be signed in to change notification settings - Fork 2.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Trivy scan errors with pyenv installation in Dockerfile #2956
Comments
These are old releases and naturally, they have older versions of libraries bundled. (See Status of Python versions) 3.7 is EOL so it's unpatched. We can accept a patch PR with a fix from an interested party. |
So as per above, I'm not sure what you expect us to do. |
@native-api , my requirement is to install multiple versions of python inside a docker image. For that reason, I used pyenv and when I scan my image with trivy , it was giving me these vulnerabilties. So , was unsure what to do Even if I use 3.8 and the above versions, I am getting this issue . Hope my requirement is clear. Also ,can you suggest me to achieve my requirement in a different approach , if there are any ? |
You can upgrade setuptools after installation. In fact, since 3.4, CPython's build is supposed to do that itself during the build. Then, unless you require specific micro versions, you can |
This is my dockerfile
RUN curl https://pyenv.run | bash
ENV PYENV_ROOT="/root/.pyenv"
ENV PATH="$PYENV_ROOT/bin:$PYENV_ROOT/shims:$PATH"
RUN echo 'eval "$(pyenv init --path)"' >> /root/.bashrc
RUN pyenv install 3.7.17
&& pyenv install 3.8.18
&& pyenv install 3.9.18
&& pyenv install 3.10.13
&& pyenv install 3.11.5
RUN pyenv versions
RUN pyenv global 3.7.17 3.8.18 3.9.18 3.10.13 3.11.5
My base image is clean and doesn't have any vulnerabilities
When I execute this command below:-
trivy image --severity HIGH,CRITICAL --ignore-unfixed image_name
I am getting these vulnerabilities:-
Thanks
The text was updated successfully, but these errors were encountered: