
dnf update not honored #224

Open
rupe120 opened this issue Jan 13, 2025 · 3 comments

Comments


rupe120 commented Jan 13, 2025

I'm trying to remediate Security Hub CVEs and updating libraries via my Dockerfile. When I run docker scout it indicates that the installed library version is unchanged.

This is what my Dockerfile currently looks like:

FROM public.ecr.aws/lambda/python:3.12

RUN dnf upgrade --refresh -y
RUN dnf update -y libarchive --releasever 3.7.4-2.amzn2023.0.2
RUN dnf repoquery libarchive

# Copy requirements.txt
COPY requirements.txt ${LAMBDA_TASK_ROOT}

# Install the specified packages
RUN python -m pip install --upgrade pip uv
RUN uv pip install -r requirements.txt --system

# Copy function code
COPY app.py ${LAMBDA_TASK_ROOT}
COPY parse_text.py ${LAMBDA_TASK_ROOT}

# Set the CMD to your handler (could also be done as a parameter override outside of the Dockerfile)
CMD [ "app.handler" ]

[image attached to the issue, not reproduced here]

There are what I assume are automated bugs for the issues with the library version included.

#208
#207

We need to clean up our Security Hub findings and this is a blocker right now.

@leandrodamascena

Hi @rupe120! Is there any chance that you are getting the public.ecr.aws/lambda/python:3.12 image from your local cache and not from ECR Public? Can you please try with the --pull always flag?

This public.ecr.aws/lambda/python:3.12 image is already using an updated version of libarchive: libarchive-3.7.4-2.amzn2023.0.2.x86_64. This is the recommended version that doesn't contain the CVE in libarchive.

➜  /tmp docker run --rm -it --entrypoint bash public.ecr.aws/lambda/python:3.12
WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
bash-5.2# rpm -qa |grep libarc
libarchive-3.7.4-2.amzn2023.0.2.x86_64

snyk also doesn't report that this image contains those vulnerabilities. The only report is about CVE-2024-34459, but it is already reported.

➜  /tmp snyk container test --platform=linux/amd64  public.ecr.aws/lambda/python:3.12 

Testing public.ecr.aws/lambda/python:3.12...

✗ Medium severity vulnerability found in libxml2
  Description: Buffer Over-read
  Info: https://security.snyk.io/vuln/SNYK-AMZN2023-LIBXML2-8495188
  Introduced through: [email protected]
  From: [email protected]
  Fixed in: 0:2.10.4-1.amzn2023.0.7



Organization:      xxx
Package manager:   rpm
Project name:      docker-image|public.ecr.aws/lambda/python
Docker image:      public.ecr.aws/lambda/python:3.12
Platform:          linux/amd64
Licenses:          enabled

Tested 87 dependencies for known issues, found 1 issue.

-------------------------------------------------------

Testing public.ecr.aws/lambda/python:3.12...

Organization:      xxx
Package manager:   gomodules
Target file:       /usr/local/bin/aws-lambda-rie
Project name:      go.amzn.com
Docker image:      public.ecr.aws/lambda/python:3.12
Licenses:          enabled

✔ Tested 6 dependencies for known issues, no vulnerable paths found.


Tested 2 projects, 1 contained vulnerable paths.

Thanks
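As an added example (not code from this issue or from the AWS Lambda base image project), the check done by hand above with rpm -qa can be automated in an image build or CI step. The script implements RPM's version ordering (a port of rpmvercmp with epoch, tilde and caret handling) and compares rpm -qa output against scanner "Fixed in" strings such as 0:2.10.4-1.amzn2023.0.7. The libarchive line and both fixed-in versions come from this thread; the installed libxml2 version is a constructed placeholder, since the scanner output quoted above does not show it. Because plain rpm -qa omits the epoch, the parser assumes epoch 0 for installed packages.

```python
"""Compare RPMs installed in a container image against advisory "Fixed in" versions.

Added example, not part of the issue or the Lambda base image project.
"""
from string import ascii_letters, digits

SEGMENT_CHARS = digits + ascii_letters


def _cmp(a, b):
    return (a > b) - (a < b)


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b.

    Digit runs compare numerically, letter runs lexically; everything else is a
    separator. '~' sorts before anything (pre-release); '^' sorts after the end
    of the string but before any further segment (post-release snapshot).
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and a[i] not in SEGMENT_CHARS and a[i] not in "~^":
            i += 1
        while j < len(b) and b[j] not in SEGMENT_CHARS and b[j] not in "~^":
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if ca == "":
                return -1
            if cb == "":
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "" or cb == "":
            break
        isnum = ca in digits
        cls = digits if isnum else ascii_letters
        si, sj = i, j
        while i < len(a) and a[i] in cls:
            i += 1
        while j < len(b) and b[j] in cls:
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:  # numeric segment beats alphabetic, and vice versa
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return _cmp(len(seg_a), len(seg_b))
        r = _cmp(seg_a, seg_b)
        if r:
            return r
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr: str):
    """Split '[epoch:]version-release'; a missing epoch means 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return int(epoch), version, release


def compare_evr(a: str, b: str) -> int:
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    return _cmp(ea, eb) or rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_nvra(line: str):
    """Parse one plain `rpm -qa` line (name-version-release.arch) into (name, '0:version-release', arch)."""
    name, version, rel_arch = line.strip().rsplit("-", 2)
    release, _, arch = rel_arch.rpartition(".")
    return name, f"0:{version}-{release}", arch  # epoch not shown by rpm -qa; assumed 0


def check_fixed(rpm_qa_output: str, fixed_in: dict) -> dict:
    """For each advisory package, return (installed EVR or None, installed >= fixed-in)."""
    installed = {}
    for line in rpm_qa_output.splitlines():
        if line.strip():
            name, evr, _ = parse_nvra(line)
            installed[name] = evr
    result = {}
    for pkg, fixed in fixed_in.items():
        have = installed.get(pkg)
        result[pkg] = (have, have is not None and compare_evr(have, fixed) >= 0)
    return result


# Constructed sample of `rpm -qa` output: the libarchive line is the one quoted in
# the thread; the libxml2 line is a placeholder one release behind the fix.
RPM_QA_SAMPLE = """\
libarchive-3.7.4-2.amzn2023.0.2.x86_64
libxml2-2.10.4-1.amzn2023.0.6.x86_64
"""

# "Fixed in" versions: libarchive from the maintainer's reply, libxml2 from the snyk report above.
FIXED_IN = {
    "libarchive": "3.7.4-2.amzn2023.0.2",
    "libxml2": "0:2.10.4-1.amzn2023.0.7",
}

if __name__ == "__main__":
    for pkg, (have, ok) in check_fixed(RPM_QA_SAMPLE, FIXED_IN).items():
        print(f"{pkg}: installed={have} fixed_in={FIXED_IN[pkg]} {'OK' if ok else 'NOT FIXED'}")
```

Run it inside the built image (or feed it the output of docker run --rm --entrypoint rpm IMAGE -qa) and fail the build when any package reports NOT FIXED; the tilde and caret rules matter because Amazon Linux releases like 2.amzn2023.0.10 must sort after 2.amzn2023.0.2, which a plain string comparison gets wrong.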


rupe120 commented Jan 14, 2025

Thank you @leandrodamascena, that did it.

@rupe120 rupe120 closed this as completed Jan 14, 2025

rupe120 commented Jan 14, 2025

@leandrodamascena why did the dnf update not work? I feel like we should be able to resolve these issues without waiting for the AWS team to update the base image. Is there some trickery that is part of the Lambda environment that prevents directing our images to update existing packages?

@rupe120 rupe120 reopened this Jan 14, 2025