ansible-operator container is having two versions of python

[sivani01]

Hi, we are currently using operator-sdk v1.37.1 as the base image to build our operator.
During our Security scan, a vulnerability was raised for "requests-2.25.1.dist-info" present at "/usr/lib/python3.9/site-packages/requests-2.25.1.dist-info" as per CVE-2024-35195

When we started container using operator-sdk v1.37.1 image & checked inside, it had python3.9 which has the vulnerable requests package, although the default version of python is 3.12.

Output from the container:
bash-5.1# ls
debug games modules motd.d pam.d python3.9 swidtag sysimage sysusers.d udev
environment.d locale motd os-release python3.12 rpm sysctl.d systemd tmpfiles.d
bash-5.1# cd python3.9
bash-5.1# ls
site-packages
bash-5.1# cd site-packages
bash-5.1# ls|grep -i requests-2.25.1
requests-2.25.1.dist-info

Can we know the purpose of having two python versions and is there any way to resolve this?

[acornett21]

Hi @sivani01 If you see the below pull request, this explains why there are two versions of python.

• Relates: Bump base image to RHEL9 and Python version to 3.12 #101

If you need to have no CVE's you need to run dnf update in your Dockerfile.

[sivani01]

Hi @acornett21 , thanks for responding.
As suggested, we have added "RUN dnf update" command in our dockerfile but the vulnerable package is still present in the container which is picked up by our security scan. Is there any other way to resolve this CVE?

[acornett21]

Hi @sivani01 sorry I read this issue incorrectly, I thought you were saying an RPM had an issue. But this is the requests python dependency, not the python-requests RPM. This is a duplicate of:

• Replates: Update python requests dependency #127

TLDR: We can't update requests since it doesn't support the protocol http+unix in a library we depend on.

Note: We can't address every low/medium CVE, but try and address high CVE when time allows.

Closing this in favor of 127.