[Bug][Backend] Vulnerabilities detected by Trivy #8263

Open
wbkoetsier opened this issue Jan 13, 2025 · 0 comments
Labels
component/config-ui This issue or PR relates to config-ui devops Something about CI/CD (devops) severity/p1 This bug affects functionality or significantly affect ux type/bug This issue is a bug

Comments

@wbkoetsier (Contributor) commented Jan 13, 2025

Search before asking

  • I had searched in the issues and found no similar issues.

What happened

Similar to issue #6792

We use https://trivy.dev/ to scan images before deploying. Trivy reports a long list of high and critical vulnerabilities on devlake backend since last month. I'm using devlake release v1.0.1. (btw thanks for devlake, it's a very helpful tool, I'm using it to get a gist on how we're doing DORA-wise)

My report shows:

- bash
- curl
- libcurl3-gnutls
- libcurl4
- libdb5.3
- libgcrypt20
- libldap-2.4-2
- libldap-common
- libpam-modules
- libpam-modules-bin
- libpam-runtime
- libpam0g
- libpython3.9
- libpython3.9-dev
- libpython3.9-minimal
- libpython3.9-stdlib
- libtiff5
- libxml2
- libzstd1
- linux-libc-dev
- python3.9
- python3.9-dev
- python3.9-minimal
- zlib1g
- zlib1g-dev
Vulnerabilities:
- CVE-2019-8457: critical
- CVE-2023-23914: critical
- CVE-2023-45853: critical
- CVE-2024-47685: critical
- CVE-2013-7445: high
- CVE-2019-19449: high
- CVE-2019-19814: high
- CVE-2020-12362: high
- CVE-2021-33560: high
- CVE-2021-3847: high
- CVE-2021-3864: high
- CVE-2021-39686: high
- CVE-2021-4204: high
- CVE-2021-47014: high
- CVE-2021-47028: high
- CVE-2021-47094: high
- CVE-2021-47198: high
- CVE-2021-47366: high
- CVE-2021-47467: high
- CVE-2021-47624: high
- CVE-2022-0391: high
- CVE-2022-0500: high
- CVE-2022-3566: high
- CVE-2022-3715: high
- CVE-2022-42916: high
- CVE-2022-43551: high
- CVE-2022-48626: high
- CVE-2022-48670: high
- CVE-2022-48674: high
- CVE-2022-48950: high
- CVE-2022-4899: high
- CVE-2022-48990: high
- CVE-2023-2953: high
- CVE-2023-52355: high
- CVE-2023-52356: high
- CVE-2023-52452: high
- CVE-2023-52480: high
- CVE-2023-52588: high
- CVE-2023-52590: high
- CVE-2023-52640: high
- CVE-2023-52751: high
- CVE-2023-52752: high
- CVE-2023-52755: high
- CVE-2023-52760: high
- CVE-2023-52921: high
- CVE-2024-10963: high
- CVE-2024-21803: high
- CVE-2024-23307: high
- CVE-2024-25062: high
- CVE-2024-25742: high
- CVE-2024-25743: high
- CVE-2024-26589: high
- CVE-2024-26668: high
- CVE-2024-26669: high
- CVE-2024-26913: high
- CVE-2024-26929: high
- CVE-2024-26930: high
- CVE-2024-26952: high
- CVE-2024-36013: high
- CVE-2024-38538: high
- CVE-2024-38545: high
- CVE-2024-38570: high
- CVE-2024-38581: high
- CVE-2024-38588: high
- CVE-2024-38630: high
- CVE-2024-38667: high
- CVE-2024-39479: high
- CVE-2024-39494: high
- CVE-2024-39496: high
- CVE-2024-39508: high
- CVE-2024-41013: high
- CVE-2024-41019: high
- CVE-2024-41061: high
- CVE-2024-41071: high
- CVE-2024-41073: high
- CVE-2024-42136: high
- CVE-2024-42159: high
- CVE-2024-42160: high
- CVE-2024-42162: high
- CVE-2024-42225: high
- CVE-2024-42271: high
- CVE-2024-43900: high
- CVE-2024-44934: high
- CVE-2024-44940: high
- CVE-2024-44941: high
- CVE-2024-44942: high
- CVE-2024-44949: high
- CVE-2024-44977: high
- CVE-2024-44986: high
- CVE-2024-45026: high
- CVE-2024-46746: high
- CVE-2024-46774: high
- CVE-2024-46811: high
- CVE-2024-46812: high
- CVE-2024-46813: high
- CVE-2024-46820: high
- CVE-2024-46821: high
- CVE-2024-46833: high
- CVE-2024-46836: high
- CVE-2024-46849: high
- CVE-2024-46853: high
- CVE-2024-46854: high
- CVE-2024-46858: high
- CVE-2024-46859: high
- CVE-2024-46865: high
- CVE-2024-46871: high
- CVE-2024-47659: high
- CVE-2024-47670: high
- CVE-2024-47691: high
- CVE-2024-47695: high
- CVE-2024-47696: high
- CVE-2024-47697: high
- CVE-2024-47698: high
- CVE-2024-47701: high
- CVE-2024-47718: high
- CVE-2024-47723: high
- CVE-2024-47730: high
- CVE-2024-47742: high
- CVE-2024-47745: high
- CVE-2024-47747: high
- CVE-2024-47748: high
- CVE-2024-47757: high
- CVE-2024-49854: high
- CVE-2024-49860: high
- CVE-2024-49861: high
- CVE-2024-49882: high
- CVE-2024-49883: high
- CVE-2024-49884: high
- CVE-2024-49889: high
- CVE-2024-49894: high
- CVE-2024-49895: high
- CVE-2024-49900: high
- CVE-2024-49903: high
- CVE-2024-49924: high
- CVE-2024-49928: high
- CVE-2024-49930: high
- CVE-2024-49936: high
- CVE-2024-49950: high
- CVE-2024-49960: high
- CVE-2024-49966: high
- CVE-2024-49967: high
- CVE-2024-49969: high
- CVE-2024-49981: high
- CVE-2024-49982: high
- CVE-2024-49983: high
- CVE-2024-49989: high
- CVE-2024-49991: high
- CVE-2024-49992: high
- CVE-2024-49995: high
- CVE-2024-49996: high
- CVE-2024-49997: high
- CVE-2024-50007: high
- CVE-2024-50033: high
- CVE-2024-50035: high
- CVE-2024-50036: high
- CVE-2024-50047: high
- CVE-2024-50055: high
- CVE-2024-50059: high
- CVE-2024-50061: high
- CVE-2024-50063: high
- CVE-2024-50067: high
- CVE-2024-50073: high
- CVE-2024-50074: high
- CVE-2024-50083: high
- CVE-2024-50086: high
- CVE-2024-50106: high
- CVE-2024-50112: high
- CVE-2024-50115: high
- CVE-2024-50121: high
- CVE-2024-50125: high
- CVE-2024-50127: high
- CVE-2024-50131: high
- CVE-2024-50143: high
- CVE-2024-50150: high
- CVE-2024-50151: high
- CVE-2024-50154: high
- CVE-2024-50180: high
- CVE-2024-50193: high
- CVE-2024-50209: high
- CVE-2024-50217: high
- CVE-2024-50230: high
- CVE-2024-50234: high
- CVE-2024-50262: high
- CVE-2024-50264: high
- CVE-2024-50267: high
- CVE-2024-50268: high
- CVE-2024-50269: high
- CVE-2024-50278: high
- CVE-2024-50279: high
- CVE-2024-50282: high
- CVE-2024-50283: high
- CVE-2024-50286: high
- CVE-2024-50301: high
- CVE-2024-53057: high
- CVE-2024-53059: high
- CVE-2024-53061: high
- CVE-2024-53068: high
- CVE-2024-53103: high
- CVE-2024-7006: high

What do you expect to happen

I can see that you're using debian bullseye, which is eol. The vulnerabilities seem to originate from python-slim-bullseye.

Would you kindly update all images so you're using debian bookworm?

(I do see golang 1.20.4-bullseye, I'm not at home with golang, it would mean to upgrade at least to 1.20.5 as that's available https://hub.docker.com/layers/library/golang/1.20.5-bookworm/images/sha256-3a27e287139274678c9907646e35acddc4c5498a21e8c97f6f3b040355f4a225)

It would also perhaps be helpful to use cve scan on dockerhub (docker scout I believe), or implement a cve scan in your own pipelines? And some tooling like renovate for regular updates of dependencies?

For me, I can no longer run devlake as our dependency scanning is strict and has to be repeated quite often. I'm down atm because of this (and I fully agree with our security team on this). I'm a bit surprised no-one else encountered this, besides the reported issue #6792.

How to reproduce

Run a cve scan on backend version 1.0.1

Anything else

No response

Version

v1.0.1

Are you willing to submit PR?

  • Yes I am willing to submit a PR!

Code of Conduct

@wbkoetsier wbkoetsier added the type/bug This issue is a bug label Jan 13, 2025
@dosubot dosubot bot added component/config-ui This issue or PR relates to config-ui severity/p1 This bug affects functionality or significantly affect ux devops Something about CI/CD (devops) labels Jan 13, 2025
@wbkoetsier wbkoetsier changed the title [Bug][Backend and config-ui] Vulnerabilities detected by Trivy [Bug][Backend] Vulnerabilities detected by Trivy Jan 13, 2025
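A pipeline gate of the kind the issue asks for ("implement a cve scan in your own pipelines"), written as an added example here rather than taken from DevLake or from the reporter: it reads Trivy's JSON report, tallies findings by severity and by package the way the report above does, and fails the build on HIGH/CRITICAL findings, with an option to treat findings the distro has not fixed as non-blocking but still reported (those are the ones only a base-image change, such as the bullseye to bookworm move requested above, can clear). The report layout follows Trivy's `--format json` output (Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity); the embedded sample report, its CVE IDs and its package versions are constructed placeholders, and the image name in the comments is an assumption, not one the page gives.

```python
"""Deploy gate over a Trivy image scan (added example, not DevLake's code).

Expected input is the JSON written by something like
    trivy image --format json --output report.json apache/devlake:v1.0.1
(image name assumed). Only the documented top-level layout is relied on:
Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion,
FixedVersion and Severity.
"""
import json
import sys
from collections import Counter

# Constructed sample report: same shape as Trivy's JSON output, package names
# taken from the issue, but CVE IDs and versions are placeholders.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "example-image (debian 11)",
        "Class": "os-pkgs",
        "Type": "debian",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2024-00001", "PkgName": "zlib1g-dev",
             "InstalledVersion": "1.0-1", "FixedVersion": "", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2024-00002", "PkgName": "linux-libc-dev",
             "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2024-00003", "PkgName": "libcurl4",
             "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2024-00004", "PkgName": "libgcrypt20",
             "InstalledVersion": "1.0-1", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2024-00005", "PkgName": "python3.9",
             "InstalledVersion": "1.0-1", "FixedVersion": "", "Severity": "MEDIUM"},
        ],
    }]
})


def load_findings(report_json):
    """Flatten Results[].Vulnerabilities[] into one list of plain dicts.
    Trivy emits Vulnerabilities as null for clean targets, hence the `or []`."""
    findings = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            findings.append({
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", ""),
                "severity": v.get("Severity", "UNKNOWN").upper(),
                "target": result.get("Target", ""),
            })
    return findings


def summarize(findings):
    """Counts by severity and by package, the two views the issue's report gives."""
    by_severity = Counter(f["severity"] for f in findings)
    by_package = Counter(f["pkg"] for f in findings)
    return by_severity, by_package


def gate(findings, fail_on=("CRITICAL", "HIGH"), ignore_unfixed=False):
    """Return (blocking_findings, passed).

    ignore_unfixed=True mirrors `trivy --ignore-unfixed`: a finding with no
    FixedVersion cannot be cleared by rebuilding on the same base image, so
    it is reported but does not block on its own."""
    blocking = [
        f for f in findings
        if f["severity"] in fail_on and not (ignore_unfixed and not f["fixed"])
    ]
    return blocking, len(blocking) == 0


def format_report(findings, blocking):
    """Human-readable summary for the CI log; unfixable findings are called out."""
    by_sev, by_pkg = summarize(findings)
    lines = [
        "severity: " + ", ".join(f"{s}={n}" for s, n in sorted(by_sev.items())),
        "packages: " + ", ".join(sorted(by_pkg)),
    ]
    for f in blocking:
        fix = f"fix in {f['fixed']}" if f["fixed"] else "no fix in this distro release (base image change needed)"
        lines.append(f"- {f['id']} {f['severity']} {f['pkg']} {f['installed']}: {fix}")
    return "\n".join(lines)


if __name__ == "__main__":
    paths = [a for a in sys.argv[1:] if not a.startswith("--")]
    data = open(paths[0]).read() if paths else SAMPLE_REPORT
    found = load_findings(data)
    blocked, ok = gate(found, ignore_unfixed="--ignore-unfixed" in sys.argv)
    print(format_report(found, blocked))
    sys.exit(0 if ok else 1)
```

Run it as `python trivy_gate.py report.json` (add `--ignore-unfixed` to let the unfixable findings through while still listing them); a non-zero exit stops the deploy. Trivy can gate on its own with `--exit-code 1 --severity HIGH,CRITICAL`, and `--ignore-unfixed` there does the same filtering; the script's value is the per-package tally and keeping the unfixable findings visible in the log, which is what tells you the fix is a base-image bump rather than a package update.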