
docker image vulnerabilities at arcdata extension #9003

@v-vegujjula

Description


Describe the bug

We’ve observed that our ACR Docker images are under compliance review and need to be cleaned and rebuilt. Previously, we were using the base image mcr.microsoft.com/cbl-mariner/base/python:3.9, but we’ve now noted that this image will reach End of Life (EOL) on July 31, 2025.

As part of the remediation, I’ve updated the base image to mcr.microsoft.com/azurelinux/base/python:3.12. However, after rebuilding, vulnerabilities are still being reported.

Please refer to the latest Docker image with tag "vfix" and the issue for Jinja2 in the arcdata extension.

Ref: Vulnerability Management
Exploring Security for Kubernetes Connect Service
https://mcr.microsoft.com/en-us/artifact/mar/azurelinux/base/python/about

Related command

We are building Docker images with an ADO pipeline.

Sample docker file

FROM mcr.microsoft.com/azurelinux/base/python:3.12
RUN tdnf makecache && tdnf update -y && tdnf install -y tar && tdnf install -y gawk && tdnf install -y util-linux
RUN tdnf install gnupg ca-certificates curl wget jq -y
RUN tdnf install azure-cli -y
RUN /usr/bin/curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/latest.txt)/bin/linux/amd64/kubectl \
    && chmod +x ./kubectl \
    && mv ./kubectl /usr/local/bin/kubectl

COPY ./ds_connect_core/requirements.txt ./
# The ADO PAT is mounted as a BuildKit secret so it is not written into an image layer.
# The feed URL embeds the token (reconstructed here as ${token}@pkgs.dev.azure.com, which the
# extraction had mangled); note that the "cat" below echoes that token-bearing URL into the build log.
RUN --mount=type=secret,id=ado_pat,target=/run/secrets/ado_pat \
    token=$(cat /run/secrets/ado_pat) && \
    index_url="https://ArcValidationPackages:${token}@pkgs.dev.azure.com/ArcValidationProgram/ArcValidationProgram/_packaging/ArcValidationPackages/pypi/simple/" && \
    mkdir -p ~/.config/pip && \
    echo "[global]" > ~/.config/pip/pip.conf && \
    echo "index-url = $index_url" >> ~/.config/pip/pip.conf && \
    echo "extra-index-url = $index_url" >> ~/.config/pip/pip.conf && \
    echo "trusted-host = pkgs.dev.azure.com" >> ~/.config/pip/pip.conf && \
    cat ~/.config/pip/pip.conf && \
    pip install --upgrade -r requirements.txt

#RUN az upgrade --yes
# Each extension is installed into /root/.azure/cliextensions together with its own vendored
# Python dependencies; "tdnf update" below only patches OS packages, not these copies.
RUN az extension add --upgrade --name connectedk8s --yes --debug
RUN az extension add --upgrade --name k8s-configuration --yes --debug
RUN az extension add --upgrade --name k8s-extension --yes --debug
RUN az extension add --upgrade --name customlocation --yes --debug
RUN az extension add --upgrade --name arcdata --yes --debug
RUN tdnf update -y
ARG SONOBUOY_VERSION
RUN curl -L https://github.com/vmware-tanzu/sonobuoy/releases/download/v${SONOBUOY_VERSION}/sonobuoy_${SONOBUOY_VERSION}_linux_amd64.tar.gz --output /bin/sonobuoy.tar.gz
RUN ["tar", "-xzf", "/bin/sonobuoy.tar.gz", "-C", "/bin/"]
COPY ["./ds_connect_core/arc_ds_connect_conformance.sh", "./ds_connect_core/ds_pre_cleanup.sh", "./ds_connect_core/ds_setup_failure_handler.py", "./"]
COPY ["./ds_connect_core/pytest.ini", "./ds_connect_core/conftest.py", "./common", "/conformancetests/"]
COPY ["./ds_connect_core/pytest.ini", "./ds_connect_core/conftest.py", "./common", "/conformancetests-indirect/"]

# DS direct tests
COPY ["./ds_connect_core/ds_connect_constants.py", "./ds_connect_core/test_check_namespace_existence.py", "./ds_connect_core/test_check_pod_existence.py", "./ds_connect_core/test_check_pv_existence.py", "./ds_connect_core/test_ds_direct_cleanup.py", "./ds_connect_core/test_check_kubernetes_extension_arm.py", "/ds_connect_core/test_check_datacontroller_arm.py", "./ds_connect_core/test_check_customlocation_arm.py", "./ds_connect_core/test_check_connected_cluster_arm.py", "./ds_connect_core/test_check_azure_arc_namespace_existence.py", "./ds_connect_core/test_data_controller_ready.py", "./ds_connect_core/test_create_sql_mi.py", "/conformancetests/"]

# TODO: add the tests below once PostgreSQL is ready from az cli
#COPY ./ds_connect_core/test_create_postgressql.py /conformancetests/
#COPY ./ds_connect_core/test_scale_out_postgressql.py /conformancetests/

# DS indirect tests
COPY ["./ds_core/test_check_namespace_existence.py", "./ds_core/test_check_pod_existence.py", "./ds_core/test_check_pv_existence.py", "./ds_core/test_create_sql_mi.py", "./ds_core/test_data_controller_ready.py", "./ds_core/test_create_postgressql.py", "./ds_core/test_scale_out_postgressql.py", "./ds_core/test_ds_indirect_cleanup.py", "/conformancetests-indirect/"]

RUN ["chmod", "+x", "ds_pre_cleanup.sh"]
RUN ["chmod", "+x", "arc_ds_connect_conformance.sh"]
# Strip CRLF line endings so the scripts run under the image's shell
RUN sed -i -e 's/\r$//' arc_ds_connect_conformance.sh
RUN sed -i -e 's/\r$//' ds_pre_cleanup.sh
# Remove the pip.conf that still carries the feed URL with the token
RUN rm -rf ~/.config/pip/pip.conf
ENTRYPOINT ["/arc_ds_connect_conformance.sh"]

Errors

Vulnerability flags from Service 360

https://vnext.s360.msftcloudes.com/blades/security?blade=AssignedTo:All~KPI:527fb616-07aa-8198-6419-50d04ef1c2f3~SLA:2~Forums:All~Program:68556099-a3e2-472e-8da0-e1d1b000eda4;65a010a5-1e3d-4777-bb89-f149470a507d~waves:All~Tab:Summary~_loc:Security&peopleBasedNodes=jianyan_team;nizlati_team&global=4:ca2412ef-15d7-4f2e-b215-edcbe7ee940d

https://dataexplorer.azure.com/dashboards/48834d42-391b-479d-a0fd-b748d939626b?p-_Filter_StartDt=365days&p-_Filter_EndDt=now&p-_Filter_Division=all&p-_Filter_Organization=all&p-_Filter_ServiceGroup=all&p-_Filter_TeamGroup=all&p-_Filter_Service=all&p-_Filter_RemediationOwner=v-ca2412ef-15d7-4f2e-b215-edcbe7ee940d&p-_Filter_Actions=v-ReplaceVulnerableRegistryReference&p-_Filter_ScanToolNames=v-ContainerImageScan&p-_Filter_AssetType=all&p-_Filter_VulnerabilityId=all&p-_Filter_SLA=v-Past+SLA&p-_Filter_CustomGroupingLink=v-&p-_Filter_SubscriptionId=all&p-_Filter_Environment=all&p-_Filter_Cloud=all&p-_Filter_ResourceGroup=all&p-_Filter_Registry=all&p-_Filter_Image=all&p-_Filter_Digest=all&p-_Filter_ExcludeAction=v-None#692cdf78-4515-49cf-be27-09305d28ad8d

Issue script & Debug output

Please refer to the image and document.


Expected behavior

Vulnerability free.

Environment Summary

root [ / ]# az -v
azure-cli 2.75.0

core 2.75.0
telemetry 1.1.0

Extensions:
arcdata 1.5.24

Dependencies:
msal 1.33.0b1
azure-mgmt-resource 23.3.0

Python location '/usr/bin/python3.12'
Config directory '/root/.azure'
Extensions directory '/root/.azure/cliextensions'

Python (Linux) 3.12.9 (main, Jun 12 2025, 19:38:44) [GCC 13.2.0]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

Please guide and advise us.
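A defender-side check for the situation this issue describes, added here as an example (not code from the issue, from Azure CLI, or from the scanner): az extensions carry their own vendored Python dependencies under the extensions directory shown in the environment summary (/root/.azure/cliextensions), which tdnf update never touches, so this walks that tree, reads each dist-info METADATA, and reports every copy of a watched package (Jinja2 by default) below a minimum version. The directory argument and the minimum version are assumed inputs chosen by the operator, not values taken from the issue.

```python
"""Inventory Python packages vendored inside az CLI extension directories.

tdnf update only patches OS packages; every extension under
~/.azure/cliextensions ships its own copy of libraries such as Jinja2,
so an image scanner keeps flagging them after the base image is replaced.
"""
import os
import re
import sys
from pathlib import Path

METADATA_RE = re.compile(r"^(Name|Version):\s*(.+)$", re.MULTILINE)


def parse_version(v):
    """Turn '3.1.4' into (3, 1, 4) for comparison; non-numeric pieces count as 0."""
    parts = []
    for piece in re.split(r"[.\-]", v.strip()):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def find_dist_infos(root):
    """Yield (extension, package name, version, dist-info path) for every dist-info under root."""
    root = Path(root)
    for metadata in root.rglob("*.dist-info/METADATA"):
        fields = dict(METADATA_RE.findall(metadata.read_text(errors="ignore")))
        if "Name" in fields and "Version" in fields:
            # First path component below the root is the extension's own directory
            extension = metadata.relative_to(root).parts[0]
            yield extension, fields["Name"], fields["Version"], metadata.parent


def flag_outdated(root, package, minimum):
    """Return sorted [(extension, version, path)] for copies of `package` older than `minimum`."""
    want = parse_version(minimum)
    hits = []
    for extension, name, version, path in find_dist_infos(root):
        if name.lower() == package.lower() and parse_version(version) < want:
            hits.append((extension, version, str(path)))
    return sorted(hits)


if __name__ == "__main__":
    # Assumed CLI: python check_ext.py [extensions-dir] [package] [minimum-version]
    ext_root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.azure/cliextensions")
    package = sys.argv[2] if len(sys.argv) > 2 else "Jinja2"
    minimum = sys.argv[3] if len(sys.argv) > 3 else "0"  # placeholder; set to the version your scanner wants
    for extension, version, path in flag_outdated(ext_root, package, minimum):
        print(f"{extension}: {package} {version} at {path}")
```

Run it inside the built image (for example, docker run --rm --entrypoint python3 <image> /check_ext.py /root/.azure/cliextensions Jinja2 <minimum>) to see which extension directory still carries the flagged copy.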
