Whitesource scan is failing for latest RASA images with several security vulnerabilities and open source license issues

The Whitesource scan reported several security vulnerabilities and open source license issues with the latest RASA images.

The following Docker images were scanned:

- Rasa X 0.22.2 image (downloaded from Docker Hub: `docker pull rasa/rasa-x:0.22.2`)
- Rasa 1.4.3 image (downloaded from Docker Hub: `docker pull rasa/rasa:1.4.3`)

Here are some of the security and license issues that we noticed:

License/Due Diligence issues:

apkcrawler-master_2016-06-01
argparse-r121*
docutils-master_2012-05-26*
openmetadata-v0.5.6
ppython-master_2016-06-07*
pyparallel-px-orig*
gunicorn-19.2.1*
service.twitterfeed-Release1
docutils-1.0*
mawk_1.3.3-17+b3_amd64.deb
SickGear-release_0.11.0
libksba8_1.3.5-2_amd64.deb*
cpython-v2.7.15rc1*
x11-common_7.7+19_all.deb*
libreadline7_7.0-5_amd64.deb
readline-common_7.0-5_all.deb
sensible-utils_0.0.12_all.deb
libtasn1-6_4.13-3_amd64.deb*
adduser_3.118_all.deb
hostname_3.21_amd64.deb
libidn2-0_2.0.5-1_amd64.deb*
make_4.2.1-1.2_amd64.deb
libsepol1_2.8-1_amd64.deb*
libunistring2_0.9.10-1_amd64.deb*
libsemanage1_2.8-2_amd64.deb*
coreutils_8.30-3_amd64.deb
liblzma5_5.2.4-1_amd64.deb*
libsmartcols1_2.33.1-0.1_amd64.deb
fdisk_2.33.1-0.1_amd64.deb
libsemanage-common_2.8-2_all.deb*
gzip_1.9-3_amd64.deb

Vulnerability issues:

libsqlite3-0_3.27.2-3_amd64.deb
libc-bin_2.28-10_amd64.deb
libc6_2.28-10_amd64.deb
libssh2-1_1.8.0-2.1_amd64.deb
libsqlite3-dev_3.27.2-3_amd64.deb
libseccomp2_2.3.3-4_amd64.deb
uuid-dev_2.33.1-0.1_amd64.deb
wget_1.20.1-1.1_amd64.deb
libk5crypto3_1.17-3_amd64.deb
curl_7.64.0-4_amd64.deb
libkrb5support0_1.17-3_amd64.deb
libgssapi-krb5-2_1.17-3_amd64.deb
libkrb5-3_1.17-3_amd64.deb
libcurl4_7.64.0-4_amd64.deb
libc-dev-bin_2.28-10_amd64.deb
libpng-dev_1.6.36-6_amd64.deb
libc6-dev_2.28-10_amd64.deb
libpng16-16_1.6.36-6_amd64.deb
binutils-x86-64-linux-gnu_2.31.1-16_amd64.deb
binutils_2.31.1-16_amd64.deb
bzip2_1.0.6-9.2~deb10u1_amd64.deb
libbz2-dev_1.0.6-9.2~deb10u1_amd64.deb
patch_2.7.6-3+deb10u1_amd64.deb
mount_2.33.1-0.1_amd64.deb
libblkid1_2.33.1-0.1_amd64.deb
libuuid1_2.33.1-0.1_amd64.deb
libmount1_2.33.1-0.1_amd64.deb
libsmartcols1_2.33.1-0.1_amd64.deb
fdisk_2.33.1-0.1_amd64.deb
util-linux_2.33.1-0.1_amd64.deb
libfdisk1_2.33.1-0.1_amd64.deb
passwd_4.5-1.1_amd64.deb
libbinutils_2.31.1-16_amd64.deb

Has anyone noticed these Whitesource scan issues? It would be great if you could share how you resolved them. Please let me know if you require the full scan report and I can upload it here. Please note that these issues are coming directly from the RASA images and do not involve any of our code.

Thanks in advance for any help!

@RASA Team

It would be great if someone from the RASA team could confirm whether there is a RASA image that we should use to fix the Whitesource scan issues. Please let us know if this is addressed in the Enterprise edition only or if it is still in your research pipeline.

Thanks in advance!

@hari Thanks for bringing this up. Can you please create an issue on GitHub? If you have the capacity, you can also fix the images yourself - the Dockerfiles are also on GitHub :slight_smile:

Thank you Tobias for the quick reply. I have created a new issue on GitHub: Whitesource scan is failing for latest RASA Images with several security vulnerability and open source License issues · Issue #4816 · RasaHQ/rasa · GitHub

Awesome, thanks!