Possible issue with pip detection #112

Open
rawrmonster17 opened this issue Apr 3, 2024 · 7 comments

@rawrmonster17

I fully understand that pip has a weird vulnerability, CVE-2018-20225, but even if you uninstall pip and pip3, Docker Scout is still showing this vulnerability. My question is: does any package installed by pip still cause this CVE? I thought it was only the pip package itself, due to the way it could install packages incorrectly using the --extra-index-url flag.

@cdupuis
Collaborator

cdupuis commented Apr 4, 2024

@rawrmonster17 thanks for raising this. Would it be possible for you to push a public image to a container registry that demonstrates this issue? I’m happy to look into it.

@artemijan

artemijan commented Apr 25, 2024

This is not only for docker-scout; I believe it's because you create a virtual environment by using
python -m venv venv
This should have pip inside this venv folder.

@cdupuis
Collaborator

cdupuis commented Apr 25, 2024

Is there a public image somewhere that would let me reproduce this?

@artemijan

artemijan commented Apr 25, 2024

Here is my setup.
base.Dockerfile

# Source: https://raw.githubusercontent.com/docker-library/python/9ff8b15bc523ab47020d9fb4a2449d5a82ff9750/3.9/bullseye/slim/Dockerfile

#
# NOTE: THIS DOCKERFILE IS GENERATED VIA "update.sh"
#
# PLEASE DO NOT EDIT IT DIRECTLY.
#

FROM python:3.9.18-slim-bookworm as base

# ensure local python is preferred over distribution python
ENV PATH /usr/local/bin:$PATH

# runtime dependencies
RUN set -eux; \
	apt-get update; \
    apt-get upgrade -y; \
	apt-get install -y --no-install-recommends \
		ca-certificates \
		netbase \
		tzdata \
	; \
	rm -rf /var/lib/apt/lists/*

RUN pip uninstall pip -y # we don't need pip, we use poetry

CMD ["python3"]

server.Dockerfile

FROM local/python:3.9.18-bookworm AS base


FROM base AS compile-image

## virtualenv
ENV VIRTUAL_ENV=/opt/venv
RUN python3 -m venv $VIRTUAL_ENV && . $VIRTUAL_ENV/bin/activate && pip uninstall pip -y && deactivate
ENV PATH="$VIRTUAL_ENV/bin:$PATH"

# Install psycopg2 build dependencies & wget+unzip for Oracle InstantClient & all DBs pip dependencies
RUN apt-get update && \
    apt-get install -y gcc libpq-dev python3-dev build-essential libssl-dev libffi-dev libcurl4-openssl-dev wget unzip curl && \
    curl -sSL https://install.python-poetry.org | python3 -

# specify path to poetry binary
ENV PATH="/root/.local/bin:$PATH"
ENV POETRY_NO_INTERACTION=1 \
    POETRY_VIRTUALENVS_CREATE=false


# Ideally, we should declare PIP_REQUIREMENTS at the first line (as we use it in both build and runtime stages).
# However, RUN commands run when an arg is changed, even if they don't use it: https://stackoverflow.com/a/57017745/13340988
# There is no problem we re-declare an arg, so we declare it as late as we can.
ARG PIP_REQUIREMENTS=common,task_initiator

COPY poetry.lock pyproject.toml ./
RUN poetry install --with $PIP_REQUIREMENTS


FROM base AS runtime-image
ARG PIP_REQUIREMENTS=common,task_initiator
RUN useradd --create-home example

USER example

COPY --from=compile-image --chown=example /opt/venv /opt/venv

ENV PATH=/opt/venv/bin:$PATH \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    DJANGO_ENV=production \
    DOCKER=1

# Copy source code
WORKDIR /home/example/
COPY . .

CMD ["gunicorn", "-b", "0.0.0.0:8000", "--worker-tmp-dir", "/dev/shm", "-c", "./gunicorn.conf.py", "-w", "4", "--timeout", "90", "server.wsgi"]

ENTRYPOINT ["/home/example/entrypoint.sh"]

build.sh

set -e

image_tag_prefix=$1
dockerfiles_location=$(dirname "$0")

BASE_IMAGE_NAME='local/python:3.9.18-bookworm'
if [[ "$(docker images -q $BASE_IMAGE_NAME 2> /dev/null)" == "" ]]; then
echo "✨ Building base image $BASE_IMAGE_NAME:"
DOCKER_SCAN_SUGGEST=false docker build \
    -t $BASE_IMAGE_NAME \
    -f "$dockerfiles_location/base.Dockerfile" \
    $dockerfiles_location
else
echo "✨ Skip building base image $BASE_IMAGE_NAME"
fi

echo ""
server_image_tag="${image_tag_prefix}server"
echo "✨ Building server image (tag: $server_image_tag):"
DOCKER_SCAN_SUGGEST=false docker build \
    -t $server_image_tag \
    -f "$dockerfiles_location/server.Dockerfile" \
    "${@:2}" \
    $dockerfiles_location

poetry.zip
Also attaching the Poetry dependency files, as they are needed to install the Python deps into the Docker image.

Put everything in a single directory and run build.sh as follows:

./build.sh tt --build-arg PIP_REQUIREMENTS=common,task_initiator

What I managed to understand is that

COPY . .

is the root cause; you can remove it from the Docker image and just copy a single file or folder, and the issue is gone.

@vijay-jangir

> Is there a public image somewhere that would let me reproduce this?

I'm also facing the same issue,
you can find my image here:
https://hub.docker.com/layers/vijayjangir/pre-commit/latest-java21/images/sha256-7ebea1ede28c3b67ab7c99e2b7b30666563243830fe40c7a5bb5e38e95603320?context=repo&tab=vulnerabilities

@davbl

davbl commented Jun 5, 2024

It looks like I have the same issue. Attached is a screenshot from Docker Desktop.
Screenshot 2024-06-05 at 8 22 48 PM

@cdupuis
Collaborator

cdupuis commented Jun 6, 2024

To dig into where this package and thus the CVE is being detected from, it's usually easiest to use the --locations flag with the docker scout cves command. See the following example:

❯ docker scout cves vijayjangir/pre-commit:latest-java21 --locations --only-cve-id CVE-2018-20225
    ✓ SBOM of image already cached, 106 packages indexed
    ✗ Detected 1 vulnerable package with 1 vulnerability


## Overview

                    │                  Analyzed Image
────────────────────┼────────────────────────────────────────────────────
  Target            │  vijayjangir/pre-commit:latest-java21
    digest          │  67ff15b5e7d8
    platform        │ linux/amd64
    provenance      │ https://github.com/vijay-jangir/pre-commit-docker
                    │  1b23f4824f341aa6a94faf135baa9b4ee7d3ed61
    vulnerabilities │    0C     1H     0M     0L
    size            │ 107 MB
    packages        │ 106


## Packages and Vulnerabilities

   0C     1H     0M     0L  pip 24.0
pkg:pypi/pip@24.0

13: sha256:205151bc9d4c648bc742ff1abf3fefac6a10e27841540dab246d32c9874ff552
/usr/local/lib/python3.11/site-packages/pip-24.0.dist-info/METADATA (evident by)
/usr/local/lib/python3.11/site-packages/pip-24.0.dist-info/RECORD (evident by)
/usr/local/lib/python3.11/site-packages/pip-24.0.dist-info/top_level.txt (evident by)

    ✗ HIGH CVE-2018-20225 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
      https://scout.docker.com/v/CVE-2018-20225
      Affected range  : >=0
      Fixed version   : not fixed
      CVSS Score      : 7.8
      CVSS Vector     : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
      EPSS Score      : 0.11%
      EPSS Percentile : 45th percentile



1 vulnerability found in 1 package
  LOW       0
  MEDIUM    0
  HIGH      1
  CRITICAL  0

So, even though there is no Debian or similar pip package installed in this image, there are still traces of the installation on the filesystem of the container that trigger this CVE. In this example it is at the path /usr/local/lib/python3.11/site-packages/pip-24.0.dist-info.
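
Added example, not part of the thread and not Docker Scout's code: the function below walks an unpacked image filesystem or a build context and lists the `*.dist-info` / `*.egg-info` metadata still on disk, which is the kind of evidence shown in the `--locations` output above. The function names and the sample tree (the paths other than the pip-24.0 one, and the versions) are constructed for illustration.

```python
import os
import tempfile
from email.parser import HeaderParser

# Metadata file inside each kind of install-record directory.
METADATA_FILES = {".dist-info": "METADATA", ".egg-info": "PKG-INFO"}


def find_package_evidence(root, name=None):
    """Return sorted (name, version, relative_dir) for package metadata under root.

    root may be an unpacked image filesystem or a Docker build context.
    """
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            meta_file = METADATA_FILES.get(os.path.splitext(d)[1])
            if meta_file is None:
                continue
            meta_path = os.path.join(dirpath, d, meta_file)
            if not os.path.isfile(meta_path):
                continue
            with open(meta_path, encoding="utf-8", errors="replace") as fh:
                headers = HeaderParser().parse(fh)
            pkg, ver = headers.get("Name"), headers.get("Version", "unknown")
            if pkg and (name is None or pkg.lower() == name.lower()):
                rel = os.path.relpath(os.path.join(dirpath, d), root)
                hits.append((pkg, ver, rel))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample: leftover pip metadata in site-packages, plus a venv
    sitting in the application directory (what `COPY . .` would bring along)."""
    samples = {
        "usr/local/lib/python3.11/site-packages/pip-24.0.dist-info": ("pip", "24.0"),
        "home/example/venv/lib/python3.9/site-packages/pip-23.0.1.dist-info": ("pip", "23.0.1"),
        "opt/venv/lib/python3.9/site-packages/gunicorn-21.2.0.dist-info": ("gunicorn", "21.2.0"),
    }
    for rel, (pkg, ver) in samples.items():
        d = os.path.join(root, *rel.split("/"))
        os.makedirs(d)
        with open(os.path.join(d, "METADATA"), "w", encoding="utf-8") as fh:
            fh.write(f"Metadata-Version: 2.1\nName: {pkg}\nVersion: {ver}\n\nbody\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for pkg, ver, path in find_package_evidence(build_sample_tree(tmp), "pip"):
            print(f"{pkg} {ver}  {path}")
```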

@cdupuis cdupuis self-assigned this Jun 6, 2024