The current public.ecr.aws/lambda/python:3.12 image includes a number of 'high' vulnerabilities as reported by Snyk:
https://security.snyk.io/vuln/SNYK-AMZN2023-LIBNGHTTP2-6729276
https://security.snyk.io/vuln/SNYK-AMZN2023-GLIBCMINIMALLANGPACK-6729053
https://security.snyk.io/vuln/SNYK-AMZN2023-GLIBCCOMMON-6728841
https://security.snyk.io/vuln/SNYK-AMZN2023-GLIBC-6728979
From what I can see, there are patches available for all of these, but no release of public.ecr.aws/lambda/python:3.12 that includes them.
This can be worked around with this in your Dockerfile (pulled from #140):
```dockerfile
FROM public.ecr.aws/lambda/python:3.12
RUN rm /etc/dnf/vars/releasever && dnf --refresh update --releasever=latest -y
```
An image built like this will report no 'high' vulnerabilities in Snyk.
HOWEVER, if you wish to install any dependencies as well you cannot. It appears that the package repos that result from the update are private to Amazon:
```dockerfile
RUN dnf install cairo
```
Result:
```text
...
11.87 (dnf:1): librepo-WARNING **: 16:49:45.432: LRO_MIRRORLISTURL processing failed: Status code: 403 for https://cdn.amazonlinux.com/al2023/core/mirrors/2023/aarch64/mirror.list (IP: 99.86.91.125)
11.87
11.87 (dnf:1): libdnf-WARNING **: 16:49:45.433: Skipping refresh of amazonlinux: cannot update repo 'amazonlinux': Cannot prepare internal mirrorlist: Status code: 403 for https://cdn.amazonlinux.com/al2023/core/mirrors/2023/aarch64/mirror.list (IP: 99.86.91.125); Last error: Status code: 403 for https://cdn.amazonlinux.com/al2023/core/mirrors/2023/aarch64/mirror.list (IP: 99.86.91.125)
11.88 error: No package matches 'cairo'
------
failed to solve: process "/bin/sh -c dnf install cairo" did not complete successfully: exit code: 1
```
Given the cadence of releases to patch vulnerabilities appears to be pretty slow (last one 22 days ago), how can I both patch vulnerabilities in the OS AND install dependencies?
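An added diagnostic for the failure described above (my own example; it is not code from this issue or from the Lambda base-image project). The 403 in the pasted output is for a mirror list under `.../mirrors/2023/aarch64/`, i.e. a releasever of bare `2023` rather than a dated release or `latest`. My working assumption is that this is what dnf falls back to once `/etc/dnf/vars/releasever` has been deleted and the later `dnf install` is run without `--releasever`, so the second call is asking for a mirror list that does not exist rather than hitting a private repo. The script below pulls that releasever segment out of a build log and flags the bare-`2023` case; `patch_and_install` is the RUN step rewritten to keep one releasever for both the update and the install. The repo URL pattern is assumed from AL2023's `amazonlinux.repo` (`mirrorlist=https://cdn.amazonlinux.com/al2023/core/mirrors/$releasever/$basearch/mirror.list`), and the sample log lines are the ones from this issue.

```shell
#!/bin/sh
# Added example, not from the issue or the aws-lambda-base-images project.
# Assumption: AL2023's amazonlinux.repo resolves its mirror list from
#   https://cdn.amazonlinux.com/al2023/core/mirrors/$releasever/$basearch/mirror.list
# so every dnf call is only as good as the releasever it resolves.

# Mirror-list URL dnf will fetch for a given releasever and arch.
al2023_mirrorlist_url() {
    printf 'https://cdn.amazonlinux.com/al2023/core/mirrors/%s/%s/mirror.list\n' "$1" "$2"
}

# Write the two relevant lines from the issue's build output to a temp file
# and print its path (sample input copied from the issue, used for the demo).
sample_log_from_issue() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
11.87 (dnf:1): librepo-WARNING **: 16:49:45.432: LRO_MIRRORLISTURL processing failed: Status code: 403 for https://cdn.amazonlinux.com/al2023/core/mirrors/2023/aarch64/mirror.list (IP: 99.86.91.125)
11.88 error: No package matches 'cairo'
EOF
    echo "$f"
}

# Inspect a build log for the librepo mirror-list failure and print the
# releasever segment of the failing URL.
#   returns 0: a mirror-list failure was found but the releasever is a real
#              value (pinned version or "latest"); look elsewhere for the cause
#   returns 1: releasever resolved to bare "2023", which is what you get when
#              /etc/dnf/vars/releasever is gone and --releasever was not passed
#   returns 2: no mirror-list failure in the log at all
diagnose_dnf_log() {
    ver=$(sed -n 's#.*al2023/core/mirrors/\([^/]*\)/.*#\1#p' "$1" | head -n 1)
    if [ -z "$ver" ]; then
        echo "no mirror-list failure in log"
        return 2
    fi
    echo "failing mirror list resolved releasever='$ver'"
    if [ "$ver" = "2023" ]; then
        echo "releasever is unset: pin it (e.g. 'latest') so update AND install use the same repo"
        return 1
    fi
    return 0
}

# Corrected RUN step for the Dockerfile: set releasever once, keep it for the
# update and for installing packages, then drop the dnf cache. Meant to be
# pasted into a RUN line (or sourced in the build); not executed here.
patch_and_install() {
    echo latest > /etc/dnf/vars/releasever \
      && dnf --refresh -y update \
      && dnf -y install "$@" \
      && dnf clean all
}
```

Run `diagnose_dnf_log` against the `docker build` output before reaching for "the repos are private": a 403 on a mirror list whose releasever is `2023` is a client-side releasever problem, and the fix is to give the install the same `--releasever` (or the same var file value) as the update.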
kevindixon changed the title from "Unable to both update AL2023 and install dependent packages" to "Unable to both update AL2023 and install dependent packages (Python 3.12)" on May 9, 2024
Hi @kevindixon! I'm not sure if I still need this, but I periodically scan images on some workloads I have and these vulnerabilities have been fixed in the latest images.
x86:

```text
snyk container test --platform=linux/amd64 public.ecr.aws/lambda/python:3.12.2024.09.13.17-x86_64
Testing public.ecr.aws/lambda/python:3.12.2024.09.13.17-x86_64...
Organization: xxx
Package manager: rpm
Project name: docker-image|public.ecr.aws/lambda/python
Docker image: public.ecr.aws/lambda/python:3.12.2024.09.13.17-x86_64
Platform: linux/amd64
Licenses: enabled
✔ Tested 87 dependencies for known issues, no vulnerable paths found.
-------------------------------------------------------
Testing public.ecr.aws/lambda/python:3.12.2024.09.13.17-x86_64...
Organization: xxx
Package manager: gomodules
Target file: /usr/local/bin/aws-lambda-rie
Project name: go.amzn.com
Docker image: public.ecr.aws/lambda/python:3.12.2024.09.13.17-x86_64
Licenses: enabled
✔ Tested 6 dependencies for known issues, no vulnerable paths found.
Tested 2 projects, no vulnerable paths were found.
```

arm64:

```text
snyk container test --platform=linux/arm64 public.ecr.aws/lambda/python:3.12.2024.09.13.17-arm64
Testing public.ecr.aws/lambda/python:3.12.2024.09.13.17-arm64...
Organization: xxx
Package manager: rpm
Project name: docker-image|public.ecr.aws/lambda/python
Docker image: public.ecr.aws/lambda/python:3.12.2024.09.13.17-arm64
Platform: linux/arm64
Licenses: enabled
✔ Tested 87 dependencies for known issues, no vulnerable paths found.
-------------------------------------------------------
Testing public.ecr.aws/lambda/python:3.12.2024.09.13.17-arm64...
Organization: xxx
Package manager: gomodules
Target file: /usr/local/bin/aws-lambda-rie
Project name: go.amzn.com
Docker image: public.ecr.aws/lambda/python:3.12.2024.09.13.17-arm64
Licenses: enabled
✔ Tested 5 dependencies for known issues, no vulnerable paths found.
Tested 2 projects, no vulnerable paths were found.
```