How to fix vulnerabilities from AWS ECR Image Scans - python

I'm trying to fix some Common Vulnerabilities and Exposures from my docker images hosted at AWS ECR.
I have a Debian Bullseye image that is basically a copy of the official python 3.11 bullseye slim image.
When I run a scan on it, ECR shows CVE-2019-8457: "SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables."
I tried to remove both sqlite3 and db5.3 from the image, but the warning persists.
RUN apt-get purge --auto-remove sqlite3 -y
RUN apt-get purge --auto-remove libsqlite3-dev -y
RUN apt-get purge --auto-remove db5.3-util -y
So my final question is: is the scan performed on the base image? Is there a way to fix these CVEs?
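An added diagnostic (not from the question or any answer) that shows what the scanner actually matches: it reads the installed dpkg database, and purging the sqlite3 CLI and -dev packages does not touch the shared-library package that stays installed as a runtime dependency. The script assumes Debian's dpkg status format and that the runtime library ships as libsqlite3-0 (as in the official python slim images); the status entries and version strings in SAMPLE_STATUS are constructed.

```shell
#!/bin/sh
# Added check, not the question's own code. Image scanners key on the
# *installed* entries in /var/lib/dpkg/status and map binary packages to
# their source package, so the finding follows libsqlite3-0 (source: sqlite3)
# even after the sqlite3 CLI has been purged.
# Assumption: Debian dpkg status format; versions below are constructed.

# Constructed sample of /var/lib/dpkg/status after "apt-get purge sqlite3".
SAMPLE_STATUS='Package: libc6
Status: install ok installed
Version: 2.31-13

Package: libsqlite3-0
Status: install ok installed
Source: sqlite3
Version: 3.34.1-3

Package: sqlite3
Status: purge ok not-installed

Package: python3.11-minimal
Status: install ok installed
Version: 3.11.0-1
'

# sqlite_packages PATTERN   (dpkg status text on stdin)
# Prints "binary-package version source-package" for every installed entry
# whose binary or source package name matches PATTERN.
sqlite_packages() {
    awk -v pat="$1" 'BEGIN { RS = ""; FS = "\n" }
    {
        pkg = ""; ver = ""; src = ""; st = ""
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^Package: /) pkg = substr($i, 10)
            else if ($i ~ /^Version: /) ver = substr($i, 10)
            else if ($i ~ /^Status: /)  st  = substr($i, 9)
            else if ($i ~ /^Source: /)  { src = substr($i, 9); sub(/ \(.*\)$/, "", src) }
        }
        if (src == "") src = pkg
        # Only "install ok installed" counts as present; purged/removed
        # entries such as "purge ok not-installed" are skipped.
        if (st ~ / ok installed$/ && (pkg ~ pat || src ~ pat)) print pkg, ver, src
    }'
}

# scan_image IMAGE: run the same check against a built image (needs docker).
scan_image() {
    docker run --rm --entrypoint cat "$1" /var/lib/dpkg/status | sqlite_packages sqlite
}
```

Run `scan_image <your-ecr-image>` to see which sqlite-derived packages remain; if libsqlite3-0 is listed, the CVE will keep appearing until that package itself is updated in the base image.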

Related

Is there an option to install Python3.8.13 slim version on an RHEL8 based Docker?

I want the exact version of Python 3.8.13 to run on my container, but so far when I used the below, it generated a very large Docker image:
RUN yum update -y && yum install -y python3.8 python38-pip && yum clean all
The command "yum install python3.8" installs 3.8.13 and this is fine, but as mentioned, the end result (with other required elements) is a bit above 2 GB once built. I would like to make the image smaller and I am wondering if I can use a slim or alpine version of Python 3.8.13.
I was trying with the following commands:
yum install -y python3.8.13-slim
yum install -y python3.8.13-slim-buster
yum install -y python3.8-slim
These did not succeed; yum does not recognize them as valid packages.
Is there a workaround for this?

How to install package with apt-get in Gitlab CI pipeline using micromamba image

I'm using the micromamba image in a Gitlab CI pipeline. I need to install an additional package with apt-get (libgl1-mesa-glx).
With the miniconda image this was working:
image: continuumio/miniconda3:latest
before_script:
- apt-get update && apt-get install -y libgl1-mesa-glx
With micromamba, it does not work anymore:
image: mambaorg/micromamba:1.1.0-bullseye
before_script:
- apt-get update && apt-get install -y libgl1-mesa-glx
results in
Reading package lists...
E: List directory /var/lib/apt/lists/partial is missing. - Acquire (13: Permission denied)
Is this possible at all? Or do I need to generate a custom docker image?
This is because the user you are running the command as is a non-root, non-sudo user. In the first image, the user automatically comes with root privileges. That's why you can run commands that require sudo authority.
This is explained on the official Dockerhub pages:
Changing the user id or name
The default username is stored in the environment variable MAMBA_USER, and is currently mambauser. (Before 2022-01-13 it was micromamba, and before 2021-06-30 it was root.) Micromamba-docker can be run with any UID/GID by passing the docker run ... command the --user=UID:GID parameters. Running with --user=root is supported....
Please look at the "Changing the user id or name" section of this page.
This problem has several solutions; this might help:
https://gitlab.com/gitlab-org/gitlab-runner/-/issues/248/designs

Convert .py to .apk problem with buildozer

I'm a beginner in the Python language. I want to develop an Android app. I've written some code, and a few days ago I wanted to see how my app looks on mobile before continuing.
I've tried all methods to convert .py to .apk but failed. I've tried with Google Colab, I've installed a VM... but nothing worked. If I use Google Colab, I eventually receive an .apk, but when I install it on my phone, it doesn't work... The app opens, but closes immediately.
If I use a VM I receive this error: [image: error message]
This is a picture of all my components: [image: components]
For Google Colab I'm using these commands:
!pip install buildozer
!pip install cython==0.29.19
!sudo apt-get install -y \
    python3-pip \
    build-essential \
    git \
    python3 \
    python3-dev \
    ffmpeg \
    libsdl2-dev \
    libsdl2-image-dev \
    libsdl2-mixer-dev \
    libsdl2-ttf-dev \
    libportmidi-dev \
    libswscale-dev \
    libavformat-dev \
    libavcodec-dev \
    zlib1g-dev
!sudo apt-get install -y \
    libgstreamer1.0 \
    gstreamer1.0-plugins-base \
    gstreamer1.0-plugins-good
!sudo apt-get install build-essential libsqlite3-dev sqlite3 bzip2 libbz2-dev zlib1g-dev libssl-dev openssl libgdbm-dev libgdbm-compat-dev liblzma-dev libreadline-dev libncursesw5-dev libffi-dev uuid-dev libffi6
!sudo apt-get install libffi-dev
!buildozer init
!buildozer -v android debug
!buildozer android clean
This is a picture of my Google Colab: [image: google colab & buildozer.spec]
I've tried all the tutorials I've found on the internet but nothing worked.
The code works perfectly on PC!
Please, help me!
You could try Pydroid 3... This isn't really a solution, but for now, if you are trying to see how your app looks on an Android device, get Pydroid 3 from the Play Store. Create a new file, copy your code across into the app and run it... It will run Kivy but not KivyMD....
If you're getting the APK from Colab, it might be a problem in the code; trying it on Pydroid may highlight something, and if so, when that's altered the new APK might work.
Can you connect your phone to your system and run this command:
adb logcat -s python
and then open the app on the phone? This will give you a log of why your app crashed. I suspect some issue with the requirements in buildozer.
Could you run the command and share the log?
I think you should see this solution
You can use this video to test that solution (it's in Spanish, but I hope you can translate it).
I tried and it works
The key is to edit buildozer.spec
After that you can test your own solution

CoreOS build docker image (CP100A Training)

I'm currently working on the "Google Cloud Platform Fundamentals" labs and I'm running into issues.
Each time I have to use a CoreOS instance to spin up a docker instance, I get an error.
For example: in the Cloud SQL lab, at some point I have to build a docker image of the folder I just cloned from a git repo using the command:
docker build -t cp100/cloudsql-python cp100-cloud-sql-python
which gives me a wall of text that ends with an error :
Downloading/unpacking flask
Cannot fetch index base URL http://pypi.python.org/simple/
Could not find any downloads that satisfy the requirement flask
No distributions at all found for flask
Storing complete log in /root/.pip/pip.log
The thing is, there is no "/root/.pip/pip.log" file.
So here are my questions:
Are the tutorials outdated, and if so, where can I find the up-to-date tutorials?
Why does it happen? I think it is because pip or Python or both are not installed, but shouldn't the docker build command take care of the installation?
How can I fix it?
The cp100-cloud-sql-python repository is available at https://github.com/GoogleCloudPlatformTraining/cp100-cloud-sql-python.git
Thanks for your answers.
OK, I found the answers by myself:
The reason it doesn't work is that pip (and easy_install) use HTTP and pypi.python.org requires HTTPS; the issue is further documented here:
https://bugzilla.redhat.com/show_bug.cgi?id=1510444
So in order to fix it I modified the Dockerfile inside the app from
FROM google/debian:wheezy
MAINTAINER Sharif Salah <sharif.salah+docker#gmail.com>
RUN apt-get update && \
apt-get install -y python-dev python-pip python-mysqldb && \
pip install flask
ADD app /app
EXPOSE 80
CMD [ "python", "/app/app.py" ]
to
FROM google/debian:wheezy
MAINTAINER Sharif Salah <sharif.salah+docker#gmail.com>
RUN apt-get update && \
apt-get install -y python-dev python-setuptools python-mysqldb && \
easy_install -i https://pypi.python.org/simple flask
ADD app /app
EXPOSE 80
CMD [ "python", "/app/app.py" ]
which will force easy_install to use the address specified after the -i.
It worked in my case but as documented on Bugzilla, it may not work for everything.
I hope this will help someone.

How to build Docker images quicker

I'm currently building a docker image and running the container to run some tests in it for a Python application I'm working on. Currently the Dockerfile copies the files over from the host machine, sets the working directory to those copied files, runs a sudo apt-get and installs pip, and finally runs the tests from setup.py. The Dockerfile can be seen below.
FROM ubuntu
ADD . /home/dev/ProjectName
WORKDIR /home/dev/ProjectName
RUN apt-get update && \
apt-get install -y python3-pip && \
python3 setup.py test
I was curious if there is a more conventional way to avoid having to run apt-get update and apt-get install pip every time I'd like to run a test. The main idea I had was to build an image with pip already on it, and then build this image from that one.
Docker builds using cached layers if it can. By adding files you have changed it invalidates the cache for all subsequent rules. Put the apt commands first and those will only be run the first time you build. See this blog for more info.