When I scan my Docker image for vulnerabilities, Xray detects CVE-2018-20225, which is raised when using an extra index URL in pip. However, in my image I completely remove pip after the packages have been installed:
```dockerfile
FROM ubuntu:23.04 AS base
# Note: activating the venv here only affects this RUN step; later steps
# must call venv/bin/python (or venv/bin/pip) explicitly.
RUN python3 -m venv venv && \
    . venv/bin/activate
# ... install the dependencies into virtual environment ...

FROM base AS final
# Remove the system pip and the copy that venv seeded into the virtualenv
RUN apt-get remove --purge -y python3-pip && \
    apt-get autoremove --purge -y && \
    apt-get clean && \
    rm -rf venv/lib/python3.11/site-packages/pip* && \
    rm -rf venv/bin/pip*
```
When I attach a shell to the container and execute `pip`, it shows "command not found".

Why would the vulnerability be raised when pip is not available in the final layer of the Docker image?
Thanks to @phd for the hint: the Xray logs indeed contained the path of the offending file, in this case `/usr/local/lib/python3.11/dist-packages/virtualenv/seed/wheels/embed/pip-24.0-py3-none-any.whl`.
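As an added check (not part of the original question), the snippet below lists every pip wheel or sdist that is still present on a filesystem, which is what a scanner like Xray matches on regardless of whether the `pip` command is on PATH. The scan root is an assumption: `/` inside the running container, or the directory into which an image's root filesystem was extracted.

```shell
#!/bin/sh
# Added example: find pip distributions (wheels/sdists) left behind after the
# pip executable has been removed. Scanners match on these files, so a
# "command not found" for pip does not mean the package is gone.
# Scan root is an assumption: "/" in a container, or an extracted image rootfs.

# Print one line per embedded pip artefact: "<version> <path>"
find_embedded_pip() {
    root="${1:-/}"
    find "$root" -type f \( -name 'pip-*.whl' -o -name 'pip-*.tar.gz' \) 2>/dev/null |
    while IFS= read -r path; do
        # Names follow "pip-<version>-<tags>.whl" or "pip-<version>.tar.gz"
        name=$(basename "$path")
        version=${name#pip-}
        version=${version%%-*}
        version=${version%.tar.gz}
        printf '%s %s\n' "$version" "$path"
    done
}

# Number of matches; anything other than 0 will still be reported by a scanner
count_embedded_pip() {
    find_embedded_pip "$1" | wc -l | tr -d ' '
}

# Usage: sh find_pip.sh --scan /path/to/rootfs
if [ "${1:-}" = "--scan" ]; then
    find_embedded_pip "${2:-/}"
fi
```

Running it inside the image from the question reports the wheel under `virtualenv/seed/wheels/embed`, which is the copy that Xray flagged.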