Docker Desktop shows image has a python wheel vulnerability even though it has been updated

Not sure what I’m missing and cannot find anything helpful while searching around the internet. I’m working on building a docker image and am able to do so without issue. However, for reasons that are not evident nor apparent, docker desktop declares that the built image has 1 H (high) vulnerability because it claims the wheel package is version 0.37.1.

Clicking through the link provides zero information about how to remediate this and searching around the web also provides no help.

What is confusing is that I am updating wheel as part of the RUN command:

python3 -m pip install --upgrade --force-reinstall wheel

Reviewing the build steps verifies that wheel updated to 0.40. Viewing the wheel version in the image also verifies wheel is updated.

Am I missing something?

EDIT TO ADD: realizing I didn’t include a link to the actual CVE: Choose the Most Secure Images | Docker Image Vulnerability Database

Can you share a simple Dockerfile that gives you the same vulnerability and show us the tag of your base image? Also, what gives you the vulnerability? The base image or the image that you built?

You probably know that, but it can’t hurt mentioning that “reinstalling” anything in a Dockerfile will not change the older layers or the base image.

Thanks for your reply! After some trial and error I tracked down the cause of the CVE: it’s apt-get --no-install-recommends install python3-pip (there are more packages that go along with it, such as python3, but that is the gist.) As soon as I remove python3-pip the CVE goes away. As soon as I add it back, it reappears.

Sample dockerfile that could reproduce this:

FROM ubuntu:22.04

RUN apt-get -y update \
    && apt-get -y upgrade \
    && apt-get --no-install-recommends install python3 python3-pip curl gnupg lsb-release -y

I was able to “remediate” the CVE using the following commands. This is an ok-ish workaround for me since I don’t need wheel at all, but I am very curious how one would correctly resolve this (if it is even possible).

RUN rm -rf /usr/lib/python3/dist-packages/wheel \
    && rm -rf /usr/lib/python3/dist-packages/wheel-0.37.1.egg-info

Thanks!

Almost all images have some vulnerabilities, so it is hard to avoid them unless you create your image from scratch and copy a single binary into the image, or at least use distroless images. In your case you could avoid having this issue if you don’t use apt to install Python and pip at all. You can check how the official Python image is created:

It is not based on Ubuntu, so if you want that, you can use Ubuntu as the base image, but instead of installing Python from the APT repository, download the Python source code and build it.

It is also worth noting that even though Python could be required to run an application, the pip module is not likely to be a requirement at runtime. As far as I know pip is not the only way to install modules, but if you choose to use pip, you could probably build your application in one stage, uninstall pip in that same stage at the end, and copy the remaining Python libraries to another stage.
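One way to apply that multi-stage idea on the Ubuntu base from the thread, as an added example rather than a Dockerfile from the original posts: pip (and with it the Debian python3-wheel 0.37.1 package) only ever exists in the build stage, and the runtime stage never installs python3-pip at all. requirements.txt, app.py and /opt/app are assumed names.

```dockerfile
# syntax=docker/dockerfile:1

# Build stage: python3-pip (which pulls in Debian's wheel 0.37.1) is installed
# here only. Layers of this stage never reach the final image; only what is
# explicitly copied out does.
FROM ubuntu:22.04 AS build
RUN apt-get update \
    && apt-get install -y --no-install-recommends python3 python3-pip \
    && rm -rf /var/lib/apt/lists/*

# Assumed file: the application's runtime dependencies.
COPY requirements.txt /tmp/requirements.txt

# --target installs only the listed packages into a plain directory;
# pip, setuptools and wheel themselves are not copied there.
RUN python3 -m pip install --no-cache-dir --target /opt/app/deps \
        -r /tmp/requirements.txt

# Runtime stage: python3 from apt, but no python3-pip, so neither the apt
# wheel package nor its wheel-0.37.1.egg-info metadata (what the scanner
# keys on) is ever present in this image's layers.
FROM ubuntu:22.04
RUN apt-get update \
    && apt-get install -y --no-install-recommends python3 \
    && rm -rf /var/lib/apt/lists/*

COPY --from=build /opt/app/deps /opt/app/deps
# Assumed file: the application entry point.
COPY app.py /opt/app/app.py

# Make the copied packages importable without pip in the final image.
ENV PYTHONPATH=/opt/app/deps
WORKDIR /opt/app
USER nobody
CMD ["python3", "app.py"]
```

To confirm the result, run `find / -name 'wheel-*.egg-info' -o -name 'wheel-*.dist-info'` inside the final image; it should print nothing, and the Docker Desktop scan should no longer list wheel.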
