My Trivy scan reported the following vulnerabilities: CVE-2022-24407 CVE-2022-25235 CVE-2022-25236 CVE-2022-25315

It seems to be because the libexpat library is a dependency in my image. Here is my Dockerfile:
```dockerfile
FROM python:3.10-slim-bullseye
WORKDIR /usr/src/app
USER root
ENV PULUMI_VERSION="v3.24.1"
ENV PULUMI_AZURE_NATIVE_VERSION="v1.56.0"
ENV PULUMI_AZURE_AD_VERSION="5.16.0"
ENV PULUMI_HOME="/home/xx/.pulumi"
ENV PATH="${PULUMI_HOME}/bin:$PATH"
ENV VIRTUAL_ENV=/opt/venv
# activating venv via venv/bin/activate seems not to be persistent in Docker images
# see https://pythonspeed.com/articles/activate-virtualenv-dockerfile/
ENV PATH="$VIRTUAL_ENV/bin:$PATH"
RUN apt update \
    && apt dist-upgrade -y \
    && addgroup --gid 1001 --system xx \
    && adduser --uid 1001 --gid 1001 xx \
    && python3 -m venv $VIRTUAL_ENV \
    && apt-get update \
    && echo "Testing" \
    && DEBIAN_FRONTEND=noninteractive apt-get -o Dpkg::Options::=--force-confold -o Dpkg::Options::=--force-confdef -y --allow-downgrades --allow-remove-essential --allow-change-held-packages upgrade \
    && apt-get install -y curl git gcc python3-dev bash \
    && git clone https://github.com/udhos/update-golang \
    && cd update-golang \
    && bash update-golang.sh \
    && mkdir ${PULUMI_HOME} \
    && curl -sSL https://get.pulumi.com/releases/sdk/pulumi-${PULUMI_VERSION}-linux-x64.tar.gz -o /tmp/pulumi.tar.gz \
    && tar -xzvf /tmp/pulumi.tar.gz -C /tmp/ \
    && cp -r /tmp/pulumi ${PULUMI_HOME}/bin \
    && pip install --upgrade --no-cache-dir pip azure-cli setuptools \
    && pulumi plugin install resource azure-native ${PULUMI_AZURE_NATIVE_VERSION} \
    && pulumi plugin install resource azuread ${PULUMI_AZURE_AD_VERSION} \
    && apt-get purge -y --autoremove gcc python3-dev \
    && apt-get clean \
    && pip cache purge \
    && rm -rf /var/lib/apt/lists/* \
    && rm -rf /tmp/pulumi \
    && rm -f /tmp/pulumi.tar.gz
```
How do I upgrade the dependencies?
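As an added example (not part of the question above, and not Trivy's own tooling), the script below shows the triage step that usually precedes "upgrade the dependencies": read a Trivy JSON report (the `--format json` layout with `Results[].Vulnerabilities[]` and the fields `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`), group findings by OS package, and separate packages the distro has already patched (a plain `apt-get` upgrade in the image fixes them) from packages with no fixed version yet (only a newer or different base image helps). The embedded report is constructed for the example: the four CVE IDs are the ones from the question, but every package name, version string and the extra `CVE-XXXX-PLACEHOLDER` entry are placeholders, and in this sample CVE-2022-24407 is attached to `libsasl2-2` because it is a cyrus-sasl issue rather than an expat one.

```python
import json
from collections import defaultdict

# Constructed sample in Trivy's JSON report layout (not real scan output).
# The four CVE IDs come from the question; package names, versions and the
# extra unfixed entry are placeholders made up for this example.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "example-image (debian 11)",
        "Class": "os-pkgs",
        "Type": "debian",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2022-25235", "PkgName": "libexpat1",
             "InstalledVersion": "1.0-placeholder", "FixedVersion": "1.1-placeholder",
             "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2022-25236", "PkgName": "libexpat1",
             "InstalledVersion": "1.0-placeholder", "FixedVersion": "1.1-placeholder",
             "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2022-25315", "PkgName": "libexpat1",
             "InstalledVersion": "1.0-placeholder", "FixedVersion": "1.1-placeholder",
             "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2022-24407", "PkgName": "libsasl2-2",
             "InstalledVersion": "2.0-placeholder", "FixedVersion": "2.1-placeholder",
             "Severity": "HIGH"},
            # Placeholder finding with no fix available yet (constructed).
            {"VulnerabilityID": "CVE-XXXX-PLACEHOLDER", "PkgName": "example-unfixed-pkg",
             "InstalledVersion": "3.0-placeholder", "FixedVersion": "",
             "Severity": "MEDIUM"},
        ],
    }]
})


def summarize(report_json):
    """Group a Trivy JSON report by OS package.

    Returns {pkg: {"installed", "fixed", "cves", "fixable"}}; a package counts
    as fixable only when every finding against it carries a FixedVersion.
    """
    pkgs = defaultdict(lambda: {"installed": None, "fixed": set(),
                                "cves": [], "fixable": True})
    for result in json.loads(report_json).get("Results", []):
        # Trivy emits null instead of [] for targets without findings.
        for vuln in result.get("Vulnerabilities") or []:
            entry = pkgs[vuln["PkgName"]]
            entry["installed"] = vuln.get("InstalledVersion")
            entry["cves"].append(vuln["VulnerabilityID"])
            fixed = vuln.get("FixedVersion", "")
            if fixed:
                entry["fixed"].add(fixed)
            else:
                entry["fixable"] = False
    for entry in pkgs.values():
        entry["cves"].sort()
        entry["fixed"] = ", ".join(sorted(entry["fixed"]))
    return dict(pkgs)


def apt_upgrade_commands(summary):
    """One apt-get line per package the distro has already patched.

    In a Dockerfile these belong in the RUN step right after apt-get update;
    packages without a fix need a newer (or different) base image instead.
    """
    return [
        f"apt-get install --only-upgrade -y {pkg}"
        for pkg, entry in sorted(summary.items())
        if entry["fixable"]
    ]


def unfixed_packages(summary):
    """Packages where at least one finding has no fixed version yet."""
    return sorted(pkg for pkg, entry in summary.items() if not entry["fixable"])


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    for pkg, entry in sorted(s.items()):
        print(f"{pkg}: {entry['installed']} -> {entry['fixed'] or 'no fix'}  {entry['cves']}")
    print("\n".join(apt_upgrade_commands(s)))
    print("needs a newer base image:", unfixed_packages(s))
```

Run it against a real report with `trivy image --format json -o report.json <image>` and `summarize(open("report.json").read())`. For packages that land in the fixable list, an `apt-get dist-upgrade` like the one already in the Dockerfile above picks up the patched version as long as the base image's repositories carry it and the image is rebuilt without a cached layer (`docker build --no-cache`); packages in the unfixed list cannot be cleared by an upgrade step and need a base image refresh or a different base.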