
Unable to both update AL2023 and install dependent packages (Python 3.12) #163

Open
kevindixon opened this issue May 9, 2024 · 1 comment

@kevindixon

The current public.ecr.aws/lambda/python:3.12 image includes a number of 'high' vulnerabilities as reported by Snyk:

https://security.snyk.io/vuln/SNYK-AMZN2023-LIBNGHTTP2-6729276
https://security.snyk.io/vuln/SNYK-AMZN2023-GLIBCMINIMALLANGPACK-6729053
https://security.snyk.io/vuln/SNYK-AMZN2023-GLIBCCOMMON-6728841
https://security.snyk.io/vuln/SNYK-AMZN2023-GLIBC-6728979

From what I can see, there are patches available for all of these, but no release of public.ecr.aws/lambda/python:3.12 that includes them.
This can be worked around with this in your Dockerfile:

FROM public.ecr.aws/lambda/python:3.12
RUN rm /etc/dnf/vars/releasever && dnf --refresh update --releasever=latest -y

(pulled from #140)

An image built like this will report no 'high' vulnerabilities in Snyk.

HOWEVER, if you wish to install any dependencies as well you cannot. It appears that the package repos that result from the update are private to Amazon:

RUN dnf install cairo

Result:

...
11.87 (dnf:1): librepo-WARNING **: 16:49:45.432: LRO_MIRRORLISTURL processing failed: Status code: 403 for https://cdn.amazonlinux.com/al2023/core/mirrors/2023/aarch64/mirror.list (IP: 99.86.91.125)
11.87 
11.87 (dnf:1): libdnf-WARNING **: 16:49:45.433: Skipping refresh of amazonlinux: cannot update repo 'amazonlinux': Cannot prepare internal mirrorlist: Status code: 403 for https://cdn.amazonlinux.com/al2023/core/mirrors/2023/aarch64/mirror.list (IP: 99.86.91.125); Last error: Status code: 403 for https://cdn.amazonlinux.com/al2023/core/mirrors/2023/aarch64/mirror.list (IP: 99.86.91.125)
11.88 error: No package matches 'cairo'
------
failed to solve: process "/bin/sh -c dnf install cairo" did not complete successfully: exit code: 1

Given the cadence of releases to patch vulnerabilities appears to be pretty slow (last one 22 days ago), how can I both patch vulnerabilities in the OS AND install dependencies?

@kevindixon kevindixon changed the title Unable to both update AL2023 and install dependent packages Unable to both update AL2023 and install dependent packages (Python 3.12) May 9, 2024
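The failing install above is consistent with dnf falling back to the bare "2023" releasever (the 403 is for .../mirrors/2023/...) once /etc/dnf/vars/releasever has been removed, while the update step that succeeded passed --releasever=latest explicitly. The script below is an added example, not code from the issue or from the Lambda base-image project: it extracts the releasever dnf actually used from a captured build log, and it runs both the package install and the OS update against the same "latest" snapshot so the pin never has to be deleted. It assumes, as the issue's own update command does, that --releasever=latest is honored on the dnf command line; the cairo package name and the RUN_IN_IMAGE guard are constructed for this example.

```shell
#!/bin/sh
# Added example for the AL2023-based Lambda image discussed in the issue.
# Assumption: /etc/dnf/vars/releasever pins the repo snapshot and the
# mirror list for the unpinned "2023" releasever answers HTTP 403.
set -eu

# Given captured build output, print the releasever dnf tried to use when the
# mirror-list fetch returned 403 (empty if no such warning is present).
# A value of "2023" means the pin was removed and the failing dnf call did
# not pass --releasever=latest.
releasever_from_mirror_error() {
    printf '%s\n' "$1" |
        sed -n 's#.*Status code: 403 for https://cdn.amazonlinux.com/al2023/core/mirrors/\([^/]*\)/.*#\1#p' |
        head -n 1
}

# Install the requested packages and apply the OS update from one snapshot.
# Every dnf call names --releasever=latest, so the vars file can stay in
# place and no call falls back to the 403ing "2023" mirror list.
# DNF may be overridden (e.g. DNF=echo) to inspect the commands without
# running them.
install_and_update() {
    ${DNF:-dnf} --refresh --releasever=latest -y install "$@"
    ${DNF:-dnf} --refresh --releasever=latest -y update
}

# Intended use from a Dockerfile:
#   COPY al2023-deps.sh /tmp/
#   RUN RUN_IN_IMAGE=1 sh /tmp/al2023-deps.sh cairo
# The guard keeps the functions from running when the file is only sourced.
if [ "${RUN_IN_IMAGE:-0}" = "1" ]; then
    install_and_update "$@"
fi
```

Diagnosing a failed build then reduces to feeding the BuildKit output to releasever_from_mirror_error and checking whether it prints "2023".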
@leandrodamascena

Hi @kevindixon! I'm not sure if I still need this, but I periodically scan images on some workloads I have and these vulnerabilities have been fixed in the latest images.

x86

snyk container test --platform=linux/amd64 public.ecr.aws/lambda/python:3.12.2024.09.13.17-x86_64 

Testing public.ecr.aws/lambda/python:3.12.2024.09.13.17-x86_64...

Organization:      xxx
Package manager:   rpm
Project name:      docker-image|public.ecr.aws/lambda/python
Docker image:      public.ecr.aws/lambda/python:3.12.2024.09.13.17-x86_64
Platform:          linux/amd64
Licenses:          enabled

✔ Tested 87 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------

Testing public.ecr.aws/lambda/python:3.12.2024.09.13.17-x86_64...

Organization:      xxx
Package manager:   gomodules
Target file:       /usr/local/bin/aws-lambda-rie
Project name:      go.amzn.com
Docker image:      public.ecr.aws/lambda/python:3.12.2024.09.13.17-x86_64
Licenses:          enabled

✔ Tested 6 dependencies for known issues, no vulnerable paths found.


Tested 2 projects, no vulnerable paths were found.

arm64

snyk container test --platform=linux/arm64 public.ecr.aws/lambda/python:3.12.2024.09.13.17-arm64

Testing public.ecr.aws/lambda/python:3.12.2024.09.13.17-arm64...

Organization:      xxx
Package manager:   rpm
Project name:      docker-image|public.ecr.aws/lambda/python
Docker image:      public.ecr.aws/lambda/python:3.12.2024.09.13.17-arm64
Platform:          linux/arm64
Licenses:          enabled

✔ Tested 87 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------

Testing public.ecr.aws/lambda/python:3.12.2024.09.13.17-arm64...

Organization:      xxx
Package manager:   gomodules
Target file:       /usr/local/bin/aws-lambda-rie
Project name:      go.amzn.com
Docker image:      public.ecr.aws/lambda/python:3.12.2024.09.13.17-arm64
Licenses:          enabled

✔ Tested 5 dependencies for known issues, no vulnerable paths found.


Tested 2 projects, no vulnerable paths were found.
