Grype detects a critical vulnerability in python:3.13.3-alpine

[JoanaPedrosoDiconium]

Hello

We're using python:3.13.3-alpine3.20 as base of one our images and we use Gyrpe v0.87.0 to do scan of our container. Since today it is dectecting the following vulnerabilities:

As you can see it detects a critical one for sqlite-libs 3.45.3-r1

I also tried with alpine 3.21 and it's the same:

I checked the docker-hub tag information: python:3.13.3-alpine3.20 and python:3.13.3-alpine3.21 and in none does this vulnerability appear, maybe because the scanning tool is different.

Do you have prediction to fix this vulnerability?

Thank you
Joana

[yosifkit]

It seems like the fix was added to Alpine 3.20 and 3.21 just 6 hours ago, so it wouldn't have been picked up in 3.13 by our most recent image builds from the version bumps last week (#1018 and docker-library/official-images#18803).

• https://gitlab.alpinelinux.org/alpine/aports/-/tree/3.21-stable/main/sqlite (https://gitlab.alpinelinux.org/alpine/aports/-/commit/f582ed9d5f50627745fb2fa93498103c53610638)
• https://gitlab.alpinelinux.org/alpine/aports/-/tree/3.20-stable/main/sqlite (https://gitlab.alpinelinux.org/alpine/aports/-/commit/efdbf1e16b03ec605b18bf92cf16e9ad30e76680)

---

Background:

Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:bookworm would be rebuilt when debian:bookworm is built).

-https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/0ad5fd60288109c875a54a37f6581b2deaa836db#why-does-my-security-scanner-show-that-an-image-has-cves

To ensure that we don't push contentless image changes, we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link

---

So, to answer the question on when, it is either when there is a Python release or other useful Dockerfile change, or when there is an Alpine base image change. Alpine historically updates at their 6-month release cycle (roughly May and November/December), or if there is a vulnerable package in the base image (see alpine update PRs to Docker Official Images).

🔨 If users need updated packages sooner, then they should apk upgrade or apt-get upgrade as appropriate in their own images FROM python:*.

[JoanaPedrosoDiconium]

Apparently the vulnerability was downgraded to Low, so my pipeline no longer fails (it's set to fail on Critical CVEs).
Thank you for your response