For a client in the financial industry, in order to use Airflow, we have to
pass the security scans from Twistlock
(https://www.cloudfoundry.org/the-foundry/twistlock/). Twistlock is
currently raising the following issues at CRITICAL level for the
apache/airflow:2.5.0 image:

(1) https://nvd.nist.gov/vuln/detail/CVE-2021-46848
(2) https://nvd.nist.gov/vuln/detail/CVE-2022-32221
(3) https://nvd.nist.gov/vuln/detail/CVE-2022-47629
(4) https://nvd.nist.gov/vuln/detail/cve-2019-17495

I am relatively new to Airflow and seek some guidance as to how to make
progress on this issue.

(a) Are these known issues?
(b) I understand that a lot of alerts from Twistlock can be spurious due to
libraries in the base image which are not being used, etc. Do these alerts
fall in that category (that is, can these be dismissed as false positives)?

Any help with analyzing these will be appreciated.

Thanks.