The Whitesource scan reported several security vulnerabilities and open source license issues with the latest RASA Images.
The following Docker images were scanned:
- RasaX-V0.22.2 Image (downloaded from Docker Hub: docker pull rasa/rasa-x:0.22.2)
- Rasa1.4.3 Image (downloaded from Docker Hub: docker pull rasa/rasa:1.4.3)
Here are some of the security and license issues that we noticed -
License/Due Diligence issues:-
apkcrawler-master_2016-06-01
argparse-r121*
docutils-master_2012-05-26*
openmetadata-v0.5.6
ppython-master_2016-06-07*
pyparallel-px-orig*
gunicorn-19.2.1*
service.twitterfeed-Release1
docutils-1.0*
mawk_1.3.3-17+b3_amd64.deb
SickGear-release_0.11.0
libksba8_1.3.5-2_amd64.deb*
cpython-v2.7.15rc1*
x11-common_7.7+19_all.deb*
libreadline7_7.0-5_amd64.deb
readline-common_7.0-5_all.deb
sensible-utils_0.0.12_all.deb
libtasn1-6_4.13-3_amd64.deb*
adduser_3.118_all.deb
hostname_3.21_amd64.deb
libidn2-0_2.0.5-1_amd64.deb*
make_4.2.1-1.2_amd64.deb
libsepol1_2.8-1_amd64.deb*
libunistring2_0.9.10-1_amd64.deb*
libsemanage1_2.8-2_amd64.deb*
coreutils_8.30-3_amd64.deb
liblzma5_5.2.4-1_amd64.deb*
libsmartcols1_2.33.1-0.1_amd64.deb
fdisk_2.33.1-0.1_amd64.deb
libsemanage-common_2.8-2_all.deb*
gzip_1.9-3_amd64.deb
Vulnerability Issues:-
libsqlite3-0_3.27.2-3_amd64.deb
libc-bin_2.28-10_amd64.deb
libc6_2.28-10_amd64.deb
libssh2-1_1.8.0-2.1_amd64.deb
libsqlite3-dev_3.27.2-3_amd64.deb
libseccomp2_2.3.3-4_amd64.deb
uuid-dev_2.33.1-0.1_amd64.deb
wget_1.20.1-1.1_amd64.deb
libk5crypto3_1.17-3_amd64.deb
curl_7.64.0-4_amd64.deb
libkrb5support0_1.17-3_amd64.deb
libgssapi-krb5-2_1.17-3_amd64.deb
libkrb5-3_1.17-3_amd64.deb
libcurl4_7.64.0-4_amd64.deb
libc-dev-bin_2.28-10_amd64.deb
libpng-dev_1.6.36-6_amd64.deb
libc6-dev_2.28-10_amd64.deb
libpng16-16_1.6.36-6_amd64.deb
binutils-x86-64-linux-gnu_2.31.1-16_amd64.deb
binutils_2.31.1-16_amd64.deb
bzip2_1.0.6-9.2~deb10u1_amd64.deb
libbz2-dev_1.0.6-9.2~deb10u1_amd64.deb
patch_2.7.6-3+deb10u1_amd64.deb
mount_2.33.1-0.1_amd64.deb
libblkid1_2.33.1-0.1_amd64.deb
libuuid1_2.33.1-0.1_amd64.deb
libmount1_2.33.1-0.1_amd64.deb
libsmartcols1_2.33.1-0.1_amd64.deb
fdisk_2.33.1-0.1_amd64.deb
util-linux_2.33.1-0.1_amd64.deb
libfdisk1_2.33.1-0.1_amd64.deb
passwd_4.5-1.1_amd64.deb
libbinutils_2.31.1-16_amd64.deb
Has anyone noticed these Whitesource scan issues? It would be great if you could share how you resolved them. Please let me know if you require a full scan report and I can upload it here. Please note these issues are coming directly from the RASA Images, which don't contain any of our code.
Thanks in advance for any help!