Scan image vulnerability - CVE-2022-40674 for expat package

862 views

We are trying to build a container image for a GCP Cloud Run service from the base image python:3.9-slim, and we can see that there is a recent vulnerability in the expat package (CVE-2022-40674) which is stopping the whole CI/CD process.

We tried to upgrade the package using (RUN apt-get update && apt-get upgrade -y) as well, but it is still pointing to version 2.2.10, which still contains the vulnerability. I am assuming that the latest version 2.4.8-2 is in unstable, so it is not upgrading to it. Is there any interim solution to solve this issue?

Error: CRITICAL 9.8 projects/goog-vulnz/notes/CVE-2022-40674 expat 2.2.10

Related URLs:
https://security-tracker.debian.org/tracker/source-package/expat
https://tracker.debian.org/pkg/expat

Dockerfile:

FROM python:3.9-slim
RUN apt-get update && apt-get upgrade -y

# Allow statements and log messages to immediately appear in the Knative logs
ENV PYTHONUNBUFFERED True

ARG APP_ENV
ENV APP_ENV=${APP_ENV}
RUN echo $APP_ENV

ENV APP_HOME /app
ENV PYTHONPATH /app
ENV CLOUD True
WORKDIR $APP_HOME
COPY . ./

There are 0 answers