wbkoetsier opened a new issue, #8263: URL: https://github.com/apache/incubator-devlake/issues/8263
### Search before asking

- [x] I had searched in the [issues](https://github.com/apache/incubator-devlake/issues?q=is%3Aissue) and found no similar issues.

### What happened

Similar to issue #6792. We use https://trivy.dev/ to scan images before deploying. Trivy reports a long list of high and critical vulnerabilities since last month. I'm using devlake release 1.0.1. (btw thanks for devlake, it's a very helpful tool, I'm using it to get a gist on how we're doing DORA-wise)

My report shows:

```
- bash
- curl
- libcurl3-gnutls
- libcurl4
- libdb5.3
- libgcrypt20
- libldap-2.4-2
- libldap-common
- libpam-modules
- libpam-modules-bin
- libpam-runtime
- libpam0g
- libpython3.9
- libpython3.9-dev
- libpython3.9-minimal
- libpython3.9-stdlib
- libtiff5
- libxml2
- libzstd1
- linux-libc-dev
- python3.9
- python3.9-dev
- python3.9-minimal
- zlib1g
- zlib1g-dev
```

### What do you expect to happen

I can see that you're using Debian bullseye, which is EOL. The vulnerabilities seem to originate from python-slim-bullseye, at least for backend. Would you kindly update all images so you're using Debian bookworm? It would also perhaps be helpful to use CVE scan on Docker Hub, or implement a CVE scan in your own pipelines? And some tooling like renovate for regular updates of dependencies?
For me, I can no longer run devlake as our dependency scanning is strict and has to be repeated quite often. I'm down atm because of this (and I fully agree with our security team on this). I'm a bit surprised no one else encountered this, besides the reported issue #6792.

### How to reproduce

Run a CVE scan on backend and config-ui version 1.0.1.

### Anything else

_No response_

### Version

v1.0.1

### Are you willing to submit PR?

- [x] Yes I am willing to submit a PR!

### Code of Conduct

- [x] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct)
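A pipeline gate of the kind the issue asks for, added here as an example and not part of the issue or of the DevLake project: it reads Trivy's JSON output, fails on HIGH/CRITICAL findings, and also fails when Trivy flags the base OS as end-of-service-life (its `EOSL` metadata field), which is exactly what a bullseye-based image trips. The sample report is constructed; only the two HIGH/CRITICAL CVE ids in it are taken from the report in the issue, and the blocking severities are an assumption mirroring the strict policy described.

```python
import json
import sys
from collections import Counter

BLOCKING = {"CRITICAL", "HIGH"}  # severities that block a deploy; assumption mirroring the issue's strict policy

# Constructed sample shaped like Trivy's JSON output (Metadata.OS, Results[].Vulnerabilities[]).
# The two HIGH/CRITICAL ids come from the report in the issue; the LOW one is a placeholder.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "apache/devlake:v1.0.1",
    "Metadata": {"OS": {"Family": "debian", "Name": "11.11", "EOSL": True}},
    "Results": [{"Target": "apache/devlake:v1.0.1 (debian 11.11)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2023-45853", "PkgName": "zlib1g", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-2021-33560", "PkgName": "libgcrypt20", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "apt", "Severity": "LOW"},
    ]}],
})

def summarize(report):
    """Count findings per severity and blocking findings per package; record whether the OS is EOSL."""
    if isinstance(report, str):
        report = json.loads(report)
    os_meta = report.get("Metadata", {}).get("OS", {})
    by_severity, blocking_pkgs = Counter(), Counter()
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # Trivy omits the key for a clean target
            sev = vuln.get("Severity", "UNKNOWN").upper()
            by_severity[sev] += 1
            if sev in BLOCKING:
                blocking_pkgs[vuln.get("PkgName", "?")] += 1
    return {"artifact": report.get("ArtifactName"), "os": f"{os_meta.get('Family')} {os_meta.get('Name')}",
            "eosl": bool(os_meta.get("EOSL")), "by_severity": dict(by_severity),
            "blocking_packages": dict(blocking_pkgs)}

def gate(report):
    """Return 0 when the image may be deployed, 1 when it must be blocked; prints the reasons."""
    s = summarize(report)
    blocking = sum(n for sev, n in s["by_severity"].items() if sev in BLOCKING)
    reasons = []
    if blocking:
        reasons.append(f"{blocking} HIGH/CRITICAL finding(s) in {sorted(s['blocking_packages'])}")
    if s["eosl"]:
        reasons.append(f"base OS {s['os']} is end-of-life: distro security updates have stopped")
    print(f"{s['artifact']}: {'FAIL' if reasons else 'PASS'}" + "".join(f"\n  - {r}" for r in reasons))
    return 1 if reasons else 0

if __name__ == "__main__":
    # Pipe a real scan in: trivy image -f json apache/devlake:v1.0.1 | python trivy_gate.py
    sys.exit(gate(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT))
```

Run without input it gates the constructed sample and exits 1; the EOSL check matters because a distro past end-of-life stops receiving the security updates that would otherwise shrink the finding list, so rebasing on bookworm fixes more than any single CVE.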