There is a critical vulnerability with our Docker image where we are not using Python at all
FROM alpine:3.18.4
RUN apk add nfs-utils
RUN rc-update add nfsmount
Python is a dependency which is added as part of nfs-unit in our Docker image
When Xray scans the Docker image we see that there is a critical vulnerability.
We tried adding and installing pip in version 23.3 using
RUN apk --no-cache --latest upgrade py3-pip
But, the same vulnerability is still reported.
How do we solve it?
Reference: https://access.redhat.com/security/cve/cve-2018-20225
CVE-2018-20225 is affecting all pip versions and will not be fixed as its an intended behavior by pip (The vulnerability is disputed by NVD)
Xray finds it as part of pip and this will not be changed but there is an improvement soon to better display disputed vulnerabilities.
If you don't --extra-index-url inside your docker project, As mentioned in the vulnerability description, you will not be affected and can create an ignore rule for this vulnerability on all pip versions.