Yum not able to update to a fixed version suggested by trivy security scan inside AWS lambda image
I'm building a very basic Dockerfile for a python-based AWS lambda,
Dockerfile (docker build -f Dockerfile -t test-img:0.0.1 .):
FROM public.ecr.aws/lambda/python:3.9
RUN yum update -y && yum install libgomp -y && yum clean all
A trivy scan is showing vulnerabilities from openldap. I attempt to yum update openldap and it can't find the fixed version suggested by the trivy scan, 2.4.44-25.amzn2.0.5, it returns No package openldap-2.4.44-25.amzn2.0.5 available.
trivy --cache-dir .trivycache/ image --ignore-unfixed --no-progress --exit-code 1 --input test-lambda.tar
Does anyone know how I can update to the suggested version?
Security notes here: https://alas.aws.amazon.com/AL2/ALAS-2023-2033.html
I had a similar issue but with a Java-based Amazon image.
I just updated the base image to a version that did not have any vulnerabilities, you may be able to do something similar. I often find that upgrading the base image is the simplest way to go in order to squash image-based dependencies, it at least narrows down the offenders.
For example, I went from
FROM amazoncorretto:17
to:
FROM amazoncorretto:17.0.7-al2023
And this fixed Trivy scanner reporting problems with openldap
- Changing the name of a Load Balancer on AWS Console
- Timeout when trying to retrieve EC2 instance-id metadata from within it
- Row was updated or deleted by another transaction (or unsaved-value mapping was incorrect)
- Downloading an entire S3 bucket?
- Unable to unzip .zip file on linux machine
- Missing Authentication Token while accessing API Gateway?
- AWS S3 Access Denied when open object URL in browser
- AWS Lambda NodeJs unable to return response
- How can I access my AWS MSK managed kafka queue from my local machine and EC2 instances in other regions
- How to recreate EC2 instances of an autoscaling group with terraform?
- AWS Cloudwatch Alarm Issue
- AWS EC2 | using Rusoto SDK: Couldn't find AWS credentials
- How to enable "Use for Hive table metadata" in "AWS Glue Data Catalog settings" using Terraform?
- Determine if instance is a part of some AutoScaling Group in AWS
- Difference bw "start_of_file" and "end_of_file" in AWS cloud agent configuration
- not authorized to perform: ec2:DescribeInstances because no identity-based policy allows the ec2:DescribeInstances action
- Environment specific ebextensions Beanstalk commands
- Deleting records from a DynamoDB table where the TTL value has been set incorrectly
- MySQL/Amazon RDS error: "you do not have SUPER privileges..."
- Is EC2 t3.micro created by ECS cluster eligible for free tier?
- Amazon Neptune OpenCypher - What is the cause for "Operation terminated (internal error)" when using SET after MERGE?
- AWS SAM CLI cannot access Dynamo DB when function is invoked locally
- EC2 instance connect : There was a problem setting up the instance connection
- Wildcard filter in aws-nuke
- Add advanced validation for AWS::Serverless::Api GET query params
- Organizing AWS IAM permissions: limit of 10 policies?
- AWS: S3 Bucket AWS You can't grant public access because Block public access settings are turned on for this account
- failed calling webhook "vingress.elbv2.k8s.aws"
- terraform tags for list variable not working
- Amazon SES successfully forwarded emails but respond with 451 4.3.0 This message could not be delivered