Possible issue with pip detection #112

Open
rawrmonster17 opened this issue Apr 3, 2024 · 5 comments
Comments

@rawrmonster17

I fully understand that pip has a weird vulnerability, CVE-2018-20225, but even if you uninstall pip and pip3, Docker Scout is still showing this vulnerability. My question is: does any package installed by pip still cause this CVE? I thought it was only the pip package itself, due to the way it could install packages incorrectly using the --extra-index-url flag.

@cdupuis
Collaborator

cdupuis commented Apr 4, 2024

@rawrmonster17 thanks for raising this. Would it be possible for you to push a public image to a container registry that demonstrates this issue? I’m happy to look into it.

@artemijan

artemijan commented Apr 25, 2024

This is not only for docker-scout. I believe it's because you create the virtual environment by using
python -m venv venv
This puts pip inside this venv folder.

@cdupuis
Collaborator

cdupuis commented Apr 25, 2024

Is there a public image somewhere that would let me reproduce this?

@artemijan

artemijan commented Apr 25, 2024

Here is my setup.
base.Dockerfile

# Source: https://raw.githubusercontent.com/docker-library/python/9ff8b15bc523ab47020d9fb4a2449d5a82ff9750/3.9/bullseye/slim/Dockerfile

#
# NOTE: THIS DOCKERFILE IS GENERATED VIA "update.sh"
#
# PLEASE DO NOT EDIT IT DIRECTLY.
#

FROM python:3.9.18-slim-bookworm as base

# ensure local python is preferred over distribution python
ENV PATH /usr/local/bin:$PATH

# runtime dependencies
RUN set -eux; \
	apt-get update; \
	apt-get upgrade -y; \
	apt-get install -y --no-install-recommends \
		ca-certificates \
		netbase \
		tzdata \
	; \
	rm -rf /var/lib/apt/lists/*

RUN pip uninstall pip -y # we don't need pip, we use poetry

CMD ["python3"]

server.Dockerfile

FROM local/python:3.9.18-bookworm AS base


FROM base AS compile-image

## virtualenv
ENV VIRTUAL_ENV=/opt/venv
RUN python3 -m venv $VIRTUAL_ENV && . $VIRTUAL_ENV/bin/activate && pip uninstall pip -y && deactivate
ENV PATH="$VIRTUAL_ENV/bin:$PATH"

# Install psycopg2 build dependencies & wget+unzip for Oracle InstantClient & all DBs pip dependencies
RUN apt-get update && \
    apt-get install -y gcc libpq-dev python3-dev build-essential libssl-dev libffi-dev libcurl4-openssl-dev wget unzip curl && \
    curl -sSL https://install.python-poetry.org | python3 -

# specify path to poetry binary
ENV PATH="/root/.local/bin:$PATH"
ENV POETRY_NO_INTERACTION=1 \
    POETRY_VIRTUALENVS_CREATE=false


# Ideally, we should declare PIP_REQUIREMENTS at the first line (as we use it in both build and runtime stages).
# However, RUN commands run when an arg is changed, even if they don't use it: https://stackoverflow.com/a/57017745/13340988
# There is no problem we re-declare an arg, so we declare it as late as we can.
ARG PIP_REQUIREMENTS=common,task_initiator

COPY poetry.lock pyproject.toml ./
RUN poetry install --with $PIP_REQUIREMENTS


FROM base AS runtime-image
ARG PIP_REQUIREMENTS=common,task_initiator
RUN useradd --create-home example

USER example

COPY --from=compile-image --chown=example /opt/venv /opt/venv

ENV PATH=/opt/venv/bin:$PATH \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    DJANGO_ENV=production \
    DOCKER=1

# Copy source code
WORKDIR /home/example/
COPY . .

CMD ["gunicorn", "-b", "0.0.0.0:8000", "--worker-tmp-dir", "/dev/shm", "-c", "./gunicorn.conf.py", "-w", "4", "--timeout", "90", "server.wsgi"]

ENTRYPOINT ["/home/example/entrypoint.sh"]

build.sh

#!/usr/bin/env bash
# the script uses [[ ]], so it needs bash rather than plain sh
set -e

image_tag_prefix=$1
dockerfiles_location=$(dirname "$0")

BASE_IMAGE_NAME='local/python:3.9.18-bookworm'
if [[ "$(docker images -q $BASE_IMAGE_NAME 2> /dev/null)" == "" ]]; then
echo "✨ Building base image $BASE_IMAGE_NAME:"
DOCKER_SCAN_SUGGEST=false docker build \
    -t $BASE_IMAGE_NAME \
    -f "$dockerfiles_location/base.Dockerfile" \
    $dockerfiles_location
else
echo "✨ Skip building base image $BASE_IMAGE_NAME"
fi

echo ""
server_image_tag="${image_tag_prefix}server"
echo "✨ Building server image (tag: $server_image_tag):"
DOCKER_SCAN_SUGGEST=false docker build \
    -t $server_image_tag \
    -f "$dockerfiles_location/server.Dockerfile" \
    "${@:2}" \
    $dockerfiles_location

poetry.zip
Also attaching the poetry dependency files, as they are needed to install the Python deps into the Docker image.

Put everything in a single directory and run build.sh like the following:

./build.sh tt --build-arg PIP_REQUIREMENTS=common,task_initiator

What I managed to understand is that

COPY . .

is the root cause; you can remove it from the Docker image and just copy a single file or folder, and the issue is gone.
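A quick way to confirm where a scanner's pip finding comes from is to look for pip's own `pip-<version>.dist-info` directory in the tree that ends up in the image. The script below is an added example and is not part of this thread or of Docker Scout; it scans a directory (a project checkout that `COPY . .` would send into the build context, or an exported image root filesystem) and reports every pip copy it finds, including one sitting inside a local venv/ folder. The sample tree it builds under `mktemp` is constructed for the demonstration; the paths and version in it are not from the page.

```shell
#!/usr/bin/env sh
# Added example, not code from the issue thread: find every pip installation
# in a directory tree. pip registers itself as site-packages/pip-<ver>.dist-info,
# so a venv copied into an image by `COPY . .` brings its own pip along even
# after `pip uninstall pip` was run against the interpreter in the image.

# Print "<version> <dist-info path>" for each pip found under $1.
find_pip_installs() {
    root="$1"
    find "$root" -type d -name 'pip-*.dist-info' 2>/dev/null | sort |
    while IFS= read -r meta; do
        # the Version: header of METADATA is what scanners match the CVE against
        version=$(sed -n 's/^Version: //p' "$meta/METADATA" 2>/dev/null | head -n 1)
        printf '%s %s\n' "${version:-unknown}" "$meta"
    done
}

# Number of pip installations under $1 (0 means the tree is clean).
count_pip_installs() {
    find "$1" -type d -name 'pip-*.dist-info' 2>/dev/null | wc -l | tr -d ' '
}

# Build a constructed sample tree: a project checkout with a local venv that
# still carries pip 23.0.1 (version chosen for the example), plus a clean
# subfolder. Prints the temporary root so callers can scan it.
make_sample_tree() {
    dir=$(mktemp -d)
    distinfo="$dir/project/venv/lib/python3.9/site-packages/pip-23.0.1.dist-info"
    mkdir -p "$distinfo" "$dir/project/server"
    printf 'Metadata-Version: 2.1\nName: pip\nVersion: 23.0.1\n' > "$distinfo/METADATA"
    printf '%s\n' "$dir"
}

# Example run (uncomment to try it):
# root=$(make_sample_tree)
# find_pip_installs "$root/project"          # reports the pip inside venv/
# echo "clean subfolder: $(count_pip_installs "$root/project/server") pip copies"
```

To check a built image rather than a checkout, export its root filesystem first (`docker export "$(docker create IMAGE)" | tar -x -C rootfs`) and point `find_pip_installs rootfs` at it; if the only hit is under a copied venv/, excluding that folder from the build context (or copying only the files the image needs, as suggested above) is what removes the finding.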

@vijay-jangir

Is there a public image somewhere that would let me reproduce this?

I'm also facing the same issue;
you can find my image here:
https://hub.docker.com/layers/vijayjangir/pre-commit/latest-java21/images/sha256-7ebea1ede28c3b67ab7c99e2b7b30666563243830fe40c7a5bb5e38e95603320?context=repo&tab=vulnerabilities
