[Contributors] Twistlock Image Vulnerabilities
by Alexander Feiszli
Hi There,
At our client we recently did a Twistlock scan of the following ODH images:
jupyterhub-img
jupyterhub
nbviewer
s2i-minimal-notebook
s2i-scipy-notebook
s2i-spark-minimal
s2i-spark-scipy-notebook
s2i-tensorflow-notebook
All of them failed with critical vulnerabilities. In order to use these
images they cannot have critical or severe vulnerabilities, or we must get
a security exception and assume the risk. For the time being our usage of
the images is blocked. I have put in a request for an exemption, but not
sure if that will be successful, and in general these look like solvable
issues via package upgrades. For most of them it's just PyYAML and numpy,
so I think changing the versions could solve it. However, spark has a ton
of criticals, mostly related to jackson-core. I know that's something
that's a general issue with spark so probably no solution there for the
time being.
In the meantime I can make my own modifications to try to handle the PyYAML
and numpy vulnerabilities, but I also don't have access to Twistlock, so I
have to take a shot in the dark at solving them, put in the request, and
wait a couple of days just to see if it fails again.
I've attached the reports here.
Thanks,
Alex
5 years, 10 months
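The triage the message describes, split into findings that a version bump resolves (PyYAML, numpy) and findings with no fix available (jackson-core in the Spark images), plus the local check that is missing when you cannot run the scanner yourself. This is an added example written for this thread, not code from Open Data Hub or Twistlock. The report schema (`id`, `package`, `installed`, `fixed_in`, `severity`) is an assumed, simplified shape rather than Twistlock's real export format, and every finding, version number and `pip freeze` line below is constructed sample data, not a real CVE or a real fix version.

```python
"""Triage an image vulnerability report into "fixable by upgrade" and
"no fix available", then check a `pip freeze` listing against the targets.

Example code for the Twistlock/ODH discussion, not project code.  The report
schema is an assumed simplification of a scanner export; the findings,
versions and freeze output are constructed sample data."""

import json
import re
from collections import defaultdict

# Severities that block image use under the policy described in the thread.
BLOCKING = {"critical", "high"}

# Constructed sample report: placeholder ids, not real CVEs or fix versions.
SAMPLE_REPORT = json.dumps([
    {"id": "SAMPLE-1", "package": "PyYAML", "installed": "3.12",
     "fixed_in": "5.1", "severity": "critical"},
    {"id": "SAMPLE-2", "package": "PyYAML", "installed": "3.12",
     "fixed_in": "5.4", "severity": "high"},
    {"id": "SAMPLE-3", "package": "numpy", "installed": "1.15.4",
     "fixed_in": "1.16.3", "severity": "critical"},
    {"id": "SAMPLE-4", "package": "numpy", "installed": "1.15.4",
     "fixed_in": "", "severity": "low"},
    {"id": "SAMPLE-5", "package": "jackson-core", "installed": "2.6.7",
     "fixed_in": "", "severity": "critical"},
])

# Constructed `pip freeze` output from a rebuilt image (one package still short).
SAMPLE_FREEZE = """\
PyYAML==5.4.1
numpy==1.16.2
six==1.12.0
"""


def parse_version(text):
    """Turn '1.16.3' into (1, 16, 3) so versions compare numerically.

    Only dotted-numeric versions are accepted; pre-releases, epochs and
    post-releases raise instead of silently comparing wrong."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def triage(report_json):
    """Return (upgrade_targets, unfixable).

    upgrade_targets maps package -> lowest version that clears every blocking
    finding (the highest 'fixed_in' among them); unfixable maps package -> ids
    of blocking findings that have no fixed version, which need an exception
    rather than a package bump."""
    targets = {}
    unfixable = defaultdict(list)
    for finding in json.loads(report_json):
        if finding["severity"].lower() not in BLOCKING:
            continue
        pkg = finding["package"].lower()
        fixed = finding["fixed_in"].strip()
        if not fixed:
            unfixable[pkg].append(finding["id"])
            continue
        if pkg not in targets or parse_version(fixed) > parse_version(targets[pkg]):
            targets[pkg] = fixed
    return targets, dict(unfixable)


def check_freeze(freeze_text, targets):
    """Compare 'name==version' lines against upgrade targets.

    Returns package -> (installed_or_None, required, ok) so a rebuilt image
    can be checked before resubmitting it to the scanner."""
    installed = {}
    for line in freeze_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        installed[name.strip().lower()] = version.strip()
    result = {}
    for pkg, required in targets.items():
        have = installed.get(pkg)
        ok = have is not None and parse_version(have) >= parse_version(required)
        result[pkg] = (have, required, ok)
    return result


if __name__ == "__main__":
    targets, unfixable = triage(SAMPLE_REPORT)
    print("upgrade targets:", targets)
    print("no fix available (needs exception):", unfixable)
    for pkg, (have, need, ok) in check_freeze(SAMPLE_FREEZE, targets).items():
        state = "ok" if ok else "STILL BELOW TARGET"
        print(f"{pkg}: installed {have}, need >= {need}: {state}")
```

Run `pip freeze` inside the rebuilt image (for example `podman run --rm <image> pip freeze`) and feed that text to `check_freeze` instead of the constructed sample; a package that comes back `STILL BELOW TARGET` will fail the next scan for the same findings. The version comparison is deliberately strict about accepting only dotted-numeric strings, because a loose comparison that treats `5.4rc1` as newer than `5.4` would hide exactly the kind of miss the thread complains about.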