Skip to content

[Snyk] Security upgrade python from 3.8 to 3.13.2#60

Open
vieiraamanda wants to merge 1 commit intomasterfrom
snyk-fix-6fc53af2db68371187d8be068c7ada0c
Open

[Snyk] Security upgrade python from 3.8 to 3.13.2#60
vieiraamanda wants to merge 1 commit intomasterfrom
snyk-fix-6fc53af2db68371187d8be068c7ada0c

Conversation

@vieiraamanda
Copy link
Copy Markdown

@vieiraamanda vieiraamanda commented Apr 11, 2025

snyk-top-banner

Snyk has created this PR to fix 2 vulnerabilities in the dockerfile dependencies of this project.

Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.

Snyk changed the following file(s):

  • Dockerfile

We recommend upgrading to python:3.13.2, as this image has only 206 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.

Vulnerabilities that will be fixed with an upgrade:

Issue Score
low severity Inappropriate Encoding for Output Context
SNYK-DEBIAN12-OPENSSH-1556053		   295  
low severity OS Command Injection
SNYK-DEBIAN12-IMAGEMAGICK-5660573		   256  
low severity OS Command Injection
SNYK-DEBIAN12-IMAGEMAGICK-5660573		   256  
low severity OS Command Injection
SNYK-DEBIAN12-IMAGEMAGICK-5660573		   256  
low severity OS Command Injection
SNYK-DEBIAN12-IMAGEMAGICK-5660573		   256  

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 OS Command Injection

@PauloNova8
Copy link
Copy Markdown

PauloNova8 commented Apr 11, 2025
edited by msant262
Loading

Logo
Checkmarx One – Scan Summary & Detailsc4b8595b-9e46-4cb8-bb76-92684a7fb5af

New Issues (43)

Checkmarx found the following issues in this Pull Request

Severity Issue Source File / Package Checkmarx Insight
HIGH Missing User Instruction /Dockerfile: 1
detailsA user should be specified in the dockerfile, otherwise the image will run as root
ID: QLyFhN1tbaspZT6OwOuaQzcfZXM%3D
HIGH Missing User Instruction /Dockerfile: 1
detailsA user should be specified in the dockerfile, otherwise the image will run as root
ID: l%2BjXWK7FAv3yAaBNwyM%2B%2BAkGP9c%3D
HIGH Passwords And Secrets - Generic Password /docker-compose.yml: 11
detailsQuery to find passwords and secrets in infrastructure code.
ID: V8AVMn8%2FoaddYde7YLHKWRCvPdg%3D
HIGH Passwords And Secrets - Generic Secret /teste_appscan.yml: 17
detailsQuery to find passwords and secrets in infrastructure code.
ID: ecwW1SCO5h3wdQn6xlTtH6F4Tsw%3D
MEDIUM Apt Get Install Pin Version Not Defined /Dockerfile: 5
detailsWhen installing a package, its pin version should be defined
ID: fsm14vG2JXWj3EM9MOraEo6xYzM%3D
MEDIUM Apt Get Install Pin Version Not Defined /Dockerfile: 8
detailsWhen installing a package, its pin version should be defined
ID: 9hJUR2ny55AeOV8QkOQFZrYYBSc%3D
MEDIUM Apt Get Install Pin Version Not Defined /Dockerfile: 5
detailsWhen installing a package, its pin version should be defined
ID: qAPdKq6s9kcxPyUxE97p5%2BtRXUA%3D
MEDIUM Apt Get Install Pin Version Not Defined /Dockerfile: 5
detailsWhen installing a package, its pin version should be defined
ID: oSU%2B3STagtVtSZQ4qlb3hjVbxQs%3D
MEDIUM Container Capabilities Unrestricted /docker-compose.yml: 2
detailsSome capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessa...
ID: 3I7jXnLhrx%2BqHLQNBOIsmML8t%2F4%3D
MEDIUM Container Capabilities Unrestricted /docker-compose.yml: 4
detailsSome capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessa...
ID: NGSkwrNJEwraW3QQ412ZSmCGA8g%3D
MEDIUM Container Capabilities Unrestricted /docker-compose.yml: 12
detailsSome capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessa...
ID: gP%2F%2BfqNkZPyOqQAl0K%2FUbowMbuY%3D
MEDIUM Container Capabilities Unrestricted /docker-compose.yml: 14
detailsSome capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessa...
ID: YMDdiX99qe26NH6DUkTpzUZioDg%3D
MEDIUM Container Capabilities Unrestricted /docker-compose.yml: 23
detailsSome capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessa...
ID: A5OKucrLyUyytKqzlnG%2FENfj%2FOo%3D
MEDIUM Container Traffic Not Bound To Host Interface /docker-compose.yml: 6
detailsIncoming container traffic should be bound to a specific host interface
ID: Izr8mKlP7kboqARhEtoDYfL6AB8%3D
MEDIUM Container Traffic Not Bound To Host Interface /docker-compose.yml: 16
detailsIncoming container traffic should be bound to a specific host interface
ID: M72Rs3WU8T2L5K%2Fpqz7hNi%2Fc%2F4A%3D
MEDIUM Healthcheck Not Set /docker-compose.yml: 12
detailsCheck containers periodically to see if they are running properly.
ID: LLoY5ia4KoXmMvZMAth1f11wEKc%3D
MEDIUM Healthcheck Not Set /docker-compose.yml: 23
detailsCheck containers periodically to see if they are running properly.
ID: y8LfUkosBcLy78n%2B0TNKgDbCtBA%3D
MEDIUM Healthcheck Not Set /docker-compose.yml: 4
detailsCheck containers periodically to see if they are running properly.
ID: RkxATa9v7hACBgyka5eSvvGiG08%3D
MEDIUM Healthcheck Not Set /docker-compose.yml: 14
detailsCheck containers periodically to see if they are running properly.
ID: W9kY9jpfVAY7LiO4mlzrtjU5WHs%3D
MEDIUM Healthcheck Not Set /docker-compose.yml: 2
detailsCheck containers periodically to see if they are running properly.
ID: yZeqNyVsXZaEBnhDH69y3pVzj6E%3D
MEDIUM Memory Not Limited /docker-compose.yml: 12
detailsMemory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than t...
ID: RYkCpRgZQ5uMv73t15FSa6rlhFo%3D
MEDIUM Memory Not Limited /docker-compose.yml: 23
detailsMemory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than t...
ID: %2Bv2K%2FOPSWsd1pxX4%2FxzM2csqiYo%3D
MEDIUM Memory Not Limited /docker-compose.yml: 4
detailsMemory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than t...
ID: mGcZDeCNavannD1WuJ1mv4qNkoE%3D
MEDIUM Security Opt Not Set /docker-compose.yml: 14
detailsAttribute 'security_opt' should be defined.
ID: SWjK3q2wfJn5C8fJVElzaR7AxLc%3D
MEDIUM Security Opt Not Set /docker-compose.yml: 12
detailsAttribute 'security_opt' should be defined.
ID: oUc8m%2BoLYv3DH2oyaGpJucc8NZ8%3D
MEDIUM Security Opt Not Set /docker-compose.yml: 4
detailsAttribute 'security_opt' should be defined.
ID: MCrG6ZI%2F8g8l8bDS5VRG6fGS3Mo%3D
MEDIUM Security Opt Not Set /docker-compose.yml: 23
detailsAttribute 'security_opt' should be defined.
ID: aS1xfCR328sx%2B1Cc54XulT5qCgQ%3D
MEDIUM Security Opt Not Set /docker-compose.yml: 2
detailsAttribute 'security_opt' should be defined.
ID: LfrGadfcFaMKhZ0ZNvqarWtoNis%3D
MEDIUM Unpinned Package Version in Pip Install /Dockerfile: 20
detailsPackage version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
ID: IA%2Fv%2FiK1LjRxfNj12spqF97EK5k%3D
LOW Cpus Not Limited /docker-compose.yml: 12
detailsCPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests
ID: VBPzm2SggskXoaNfCrkxWcBuUXg%3D
LOW Cpus Not Limited /docker-compose.yml: 4
detailsCPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests
ID: LYQFYqe8k%2Bg9%2FmSfoMEEunitbdU%3D
LOW Cpus Not Limited /docker-compose.yml: 23
detailsCPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests
ID: J%2BPs0ff8aualK4n%2Fv6Mr3kFK%2Fpo%3D
LOW Healthcheck Instruction Missing /Dockerfile: 1
detailsEnsure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working
ID: IpeMSEmUp34b74o%2Baua40zTxTOc%3D
LOW Healthcheck Instruction Missing /Dockerfile: 1
detailsEnsure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working
ID: a3ywFMC%2BStduESVo2O5%2FRG8MwEo%3D
LOW Multiple RUN, ADD, COPY, Instructions Listed /Dockerfile: 7
detailsMultiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers.
ID: SeZD%2BGEhganaS9o5%2BXA0z9lryYE%3D
LOW Multiple RUN, ADD, COPY, Instructions Listed /Dockerfile: 9
detailsMultiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers.
ID: pSXNcF%2BIgTo0DE2Z02Qbk5ayMGc%3D
LOW Pip install Keeping Cached Packages /Dockerfile: 14
detailsWhen installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller
ID: vo8JbTzC4EdMO2hcOjplTxyoMAQ%3D
LOW Pip install Keeping Cached Packages /Dockerfile: 9
detailsWhen installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller
ID: 6M0YLnjTRL9CI4881rYGhfWZbk4%3D
LOW Pip install Keeping Cached Packages /Dockerfile: 23
detailsWhen installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller
ID: jAISApa31%2FpYw%2B6l%2BbWgqD8YSfA%3D
LOW Pip install Keeping Cached Packages /Dockerfile: 20
detailsWhen installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller
ID: Tke%2BGe3KVJ4C1lqwwjr7yMs2zq4%3D
LOW Unpinned Actions Full Length Commit SHA /main.yml: 13
detailsPinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
ID: OlP4VuCso%2Bc62lmN05RdrBh00v4%3D
LOW Unpinned Actions Full Length Commit SHA /teste_appscan.yml: 14
detailsPinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
ID: 8aU5F3QD2MLDQj8q9nQ9WPVjiOw%3D
LOW Update Instruction Alone /Dockerfile: 8
detailsInstruction 'RUN update' should always be followed by ' install' in the same RUN statement
ID: %2Fq1ycAydykrSWXOuRdNqLMbnLjI%3D
Fixed Issues (7)

Great job! The following issues were fixed in this Pull Request

Severity Issue Source File / Package
CRITICAL CVE-2024-53908 Python-Django-5.1.3
HIGH CVE-2024-53907 Python-Django-5.1.3
MEDIUM CVE-2024-56201 Python-Jinja2-3.1.4
MEDIUM CVE-2024-56326 Python-Jinja2-3.1.4
MEDIUM CVE-2024-56374 Python-Django-5.1.3
MEDIUM CVE-2025-26699 Python-Django-5.1.3
MEDIUM CVE-2025-27516 Python-Jinja2-3.1.4

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@vieiraamanda @PauloNova8 @snyk-bot