When running a Trivy scan on a Docker image which uses the Flask Caching dependency downloaded by pip, a critical vulnerability is thrown by the scan: https://nvd.nist.gov/vuln/detail/CVE-2021-33026
This is due to the use of the Pickle dependency.
Thanks for the heads up. This is a well-known hassle of using the pickle protocol, as warned in the official Python docs, and it has been extensively discussed in #209, so I won't get into it again. Since means of avoiding pickle have been added in pallets-eco/cachelib#63, considering the incoming integration with cachelib, I'll be closing this for now. Once again, thanks for letting us know.
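The report and the reply above both turn on the same point: a cache backend that unpickles stored entries will execute whatever the pickle stream asks it to, so the fix is either to refuse global references while loading or to stop using pickle for cache data. The following is an added example, not code from flask-caching, cachelib, or the issue author; the sample values are constructed here, and the `dumps`/`loads` serializer shape is an assumption of the example rather than an API the issue states.

```python
import collections
import io
import json
import pickle

# Constructed sample data for this example (not taken from the project):
# a plain value of the kind a cache backend would pickle before storing it.
SAMPLE_VALUE = {"user_id": 42, "roles": ["viewer"]}
SAMPLE_PICKLE = pickle.dumps(SAMPLE_VALUE, protocol=pickle.HIGHEST_PROTOCOL)

# A pickle that references a global (collections.OrderedDict). It is harmless,
# but it goes through the same find_class path that a hostile entry would
# rely on, so it is exactly what the restricted loader must refuse.
GLOBAL_REF_PICKLE = pickle.dumps(collections.OrderedDict(a=1),
                                 protocol=pickle.HIGHEST_PROTOCOL)


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves no global (module.attribute) references at all.

    Built-in containers and scalars need no globals, so ordinary cached
    values still load; any entry that asks the unpickler to import a class
    or function is rejected before it can be called. This is the pattern
    from the "Restricting Globals" section of the Python pickle docs,
    tightened to an empty allowlist.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"global {module}.{name} is forbidden in cache data")


def restricted_loads(data: bytes):
    """Load a cache entry while refusing every global reference."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_plain_data_pickle(data: bytes) -> bool:
    """True if the pickle loads without needing any global lookup."""
    try:
        restricted_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


class JsonSerializer:
    """Serializer that cannot execute code on load.

    Only JSON-native types round-trip, so a value that is not plain data
    fails loudly at store time (TypeError) instead of becoming an
    unpickle-time hazard later. The dumps/loads method names mirror the
    pickle interface; whether a given cache library accepts such an object
    is an assumption of this example, not something the issue states.
    """

    def dumps(self, value) -> bytes:
        return json.dumps(value, separators=(",", ":")).encode("utf-8")

    def loads(self, data: bytes):
        return json.loads(data.decode("utf-8"))


def json_round_trips(value) -> bool:
    """True if value survives JsonSerializer; False if it is not plain data."""
    serializer = JsonSerializer()
    try:
        return serializer.loads(serializer.dumps(value)) == value
    except TypeError:
        return False


if __name__ == "__main__":
    print("plain pickle loads:", restricted_loads(SAMPLE_PICKLE))
    print("global-ref pickle accepted:", is_plain_data_pickle(GLOBAL_REF_PICKLE))
    print("set round-trips as JSON:", json_round_trips({1, 2}))
```

The restricted unpickler is the smaller change if pickle must stay (an allowlist of specific classes can be added to `find_class` where genuinely needed); the JSON serializer is the stronger one, because there is no load-time code path left to reach, which is why a scanner flagging CVE-2021-33026 stops being relevant once cache data no longer goes through pickle at all.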
Steps to reproduce:

1. Install Trivy following these steps: https://aquasecurity.github.io/trivy/v0.18.3/installation/
2. Create a new Docker image with flask-caching; contents of the Dockerfile:

   ```dockerfile
   FROM python:3.10
   RUN pip install flask-caching
   ```

3. Build the docker image:

   ```shell
   docker build -t flask-caching-image .
   ```

4. Run the Trivy security scan:

   ```shell
   trivy flask-caching-image
   ```

The output will list CVE-2021-33026 as a vulnerability of flask-caching.

Expected Behaviour:

The scan should not pick up any CVEs for this project.

Environment: