Hi There,

At our client we recently did a Twistlock scan of the following ODH images:

jupyterhub-img
jupyterhub
nbviewer
s2i-minimal-notebook
s2i-scipy-notebook
s2i-spark-minimal
s2i-spark-scipy-notebook
s2i-tensorflow-notebook
All of them failed with critical vulnerabilities. In order to use these images they cannot have critical or severe vulnerabilities, or we must get a security exception and assume the risk. For the time being our usage of the images is blocked. I have put in a request for an exemption, but I'm not sure if that will be successful, and in general these look like solvable issues via package upgrades. For most of them it's just PyYaml and numpy, so I think changing the versions could solve it. However, spark has a ton of criticals, mostly related to jackson-core. I know that's a general issue with spark, so there's probably no solution there for the time being.

In the meantime I can make my own modifications to try to handle the PyYaml and numpy vulnerabilities, but I also don't have access to Twistlock, so I have to take a shot in the dark at solving them, put in the request, and wait for a couple of days just to see if it fails again.

I've attached the reports here.

Thanks,
Alex
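The post describes the painful loop of bumping PyYaml and numpy in the notebook image, resubmitting, and waiting days for the Twistlock result. The script below is an added example written for this page (it is not code from the original post, from the ODH project, or from Twistlock): a small offline pre-check that reads `pip freeze` output from inside a built image and compares the pinned versions against a minimum-fixed-version table, so a rebuild can be sanity-checked before it is sent back for a scan. The advisory table and the sample `pip freeze` output are constructed for illustration; the two CVE identifiers and thresholds are the editor's assumption of the kind of findings involved and are not taken from the attached reports, so the table should be replaced with the package/fixed-version pairs the Twistlock report actually lists.

```python
"""Offline pre-check of Python package pins against a fixed-version table.

Added example, not part of the original post. Run with no arguments to
check the constructed sample below, or with --live inside the built image
to check the packages actually installed there.
"""
from __future__ import annotations

import re
import subprocess
import sys

# Constructed advisory table (assumption, not from the attached reports):
# normalized package name -> list of (minimum fixed version, advisory id).
# Replace with the package/fixed-version pairs the Twistlock report lists.
ADVISORIES: dict[str, list[tuple[str, str]]] = {
    "pyyaml": [("5.4", "CVE-2020-14343")],
    "numpy": [("1.16.3", "CVE-2019-6446")],
}

# Constructed `pip freeze` output standing in for a vulnerable image.
SAMPLE_FREEZE = """\
ipython==7.16.1
numpy==1.15.4
PyYAML==5.1.2
pandas==1.0.5
"""

# The same image after bumping the two packages.
SAMPLE_FREEZE_FIXED = SAMPLE_FREEZE.replace("numpy==1.15.4", "numpy==1.19.5") \
                                   .replace("PyYAML==5.1.2", "PyYAML==5.4.1")


def normalize(name: str) -> str:
    """PEP 503 style name normalization so PyYAML and pyyaml compare equal."""
    return re.sub(r"[-_.]+", "-", name).strip().lower()


def parse_version(v: str) -> tuple[int, ...]:
    """Numeric dotted version to a tuple; trailing tags like 'rc1' are ignored."""
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"(\d+)", piece)
        parts.append(int(m.group(1)) if m else 0)
    return tuple(parts)


def version_lt(installed: str, fixed: str) -> bool:
    """True when installed is strictly older than fixed (missing parts count as 0)."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def parse_freeze(text: str) -> dict[str, str]:
    """Map normalized package name -> pinned version from `pip freeze` output."""
    pins: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments, and non-pin lines such as '-e git+...' entries.
        if not line or line.startswith("#") or line.startswith("-") or "==" not in line:
            continue
        name, _, version = line.partition("==")
        pins[normalize(name)] = version.strip()
    return pins


def find_findings(pins: dict[str, str]) -> list[tuple[str, str, str, str]]:
    """Return (package, installed, minimum fixed, advisory) for every unmet threshold."""
    findings = []
    for pkg, advisories in ADVISORIES.items():
        installed = pins.get(pkg)
        if installed is None:
            continue
        for fixed, advisory in advisories:
            if version_lt(installed, fixed):
                findings.append((pkg, installed, fixed, advisory))
    return sorted(findings)


def check_freeze(text: str) -> list[tuple[str, str, str, str]]:
    return find_findings(parse_freeze(text))


def main(argv: list[str]) -> int:
    if "--live" in argv:
        text = subprocess.run([sys.executable, "-m", "pip", "freeze"],
                              check=True, capture_output=True, text=True).stdout
    else:
        text = SAMPLE_FREEZE
    findings = check_freeze(text)
    for pkg, installed, fixed, advisory in findings:
        print(f"{pkg}=={installed} is below {fixed} ({advisory})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Running it inside each rebuilt image (`python3 check.py --live`) gives a fast local answer on the Python side before the image goes back into the exemption queue. It only covers pip-installed packages, which is exactly the PyYaml/numpy case; it says nothing about JVM artifacts such as the jackson-core jars bundled with spark, which a scanner finds by walking the filesystem and which a package-version bump in the notebook layer does not touch.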