This repository was archived by the owner on Oct 7, 2025. It is now read-only.
Known Container vulnerabilities and SAST results #5
Open
Description
Scanning the latest container using trivy reveals a total of 1744 (UNKNOWN: 5, LOW: 1123, MEDIUM: 340, HIGH: 215, CRITICAL: 61) known CVEs (not all of them fixable, though):
ghcr.io/num-codex/codex-flare:0.0.2 (debian 10.9)
=================================================
Total: 1744 (UNKNOWN: 5, LOW: 1123, MEDIUM: 340, HIGH: 215, CRITICAL: 61)

Using python:3.9-slim as a base image already reduces the surface significantly:

Total: 111 (UNKNOWN: 2, LOW: 74, MEDIUM: 11, HIGH: 22, CRITICAL: 2)

Running bandit on the repository reveals some additional points of interest:
bandit -r .
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.9.0
Run started:2021-05-28 14:45:36.807982
Test results:
>> Issue: [B405:blacklist] Using xml.etree.ElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Severity: Low Confidence: High
Location: .\src\algorithm\steps\build_xml_response.py:2
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b405-import-xml-etree
1 from typing import List
2 import xml.etree.ElementTree as Etree
3 import time
--------------------------------------------------
>> Issue: [B405:blacklist] Using xml.etree.ElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Severity: Low Confidence: High
Location: .\src\fhir\fhir_executor.py:1
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b405-import-xml-etree
1 import xml.etree.ElementTree as Etree
2 from typing import List, Tuple, Optional
3
--------------------------------------------------
>> Issue: [B501:request_with_no_cert_validation] Requests call with verify=False disabling SSL certificate checks, security issue.
Severity: High Confidence: High
Location: .\src\fhir\fhir_executor.py:57
More Info: https://bandit.readthedocs.io/en/latest/plugins/b501_request_with_no_cert_validation.html
56 params = dict(parse_qsl(parsed_url.query))
57 response = requests.post(urlunparse(new_q), data=params, verify=False)
58
--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
Location: .\src\fhir\fhir_executor.py:62
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
61
62 x_response = Etree.fromstring(response.text)
63 return get_next_page_url(x_response), x_response
--------------------------------------------------
>> Issue: [B405:blacklist] Using xml.etree.ElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Severity: Low Confidence: High
Location: .\src\fhir\fhir_parser.py:1
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b405-import-xml-etree
1 import xml.etree.ElementTree as Etree
2 from typing import List, Set
3
--------------------------------------------------
>> Issue: [B405:blacklist] Using xml.etree.ElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Severity: Low Confidence: High
Location: .\src\query_parser\i2b2\i2b2_parser.py:2
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b405-import-xml-etree
1 import json
2 import xml.etree.ElementTree as Etree
3 from typing import List
--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
Location: .\src\query_parser\i2b2\i2b2_parser.py:22
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b313-b320-xml-bad-elementtree
21 def parse_i2b2_query_xml_string(xml: str) -> List[List[List[dict]]]:
22 root = Etree.fromstring(xml)
23 panels = []
--------------------------------------------------
>> Issue: [B405:blacklist] Using ElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace ElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Severity: Low Confidence: High
Location: .\src\run_server.py:10
More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b405-import-xml-etree
9 from uuid import uuid4, UUID
10 from xml.etree import ElementTree as Etree
11
12
13 from flask import Flask as Flask, request, Response
--------------------------------------------------
Code scanned:
Total lines of code: 1381
Total lines skipped (#nosec): 0
Run metrics:
Total issues (by severity):
Undefined: 0.0
Low: 5.0
Medium: 2.0
High: 1.0
Total issues (by confidence):
Undefined: 0.0
Low: 0.0
Medium: 0.0
High: 8.0
Files skipped (0):

Both trivy and bandit could be integrated into the CI workflow. Maybe CodeQL for Python is worth a look as well.
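The B405/B314 findings above all come down to one pattern: `Etree.fromstring()` on input that arrives over the network (FHIR responses in `fhir_executor.py`, i2b2 query XML in `i2b2_parser.py`), which leaves the parser free to expand nested entities (billion laughs) or resolve external entities (XXE). The block below is an added example, not code from the codex-flare repository or from bandit: it shows the guard a reviewer would want in front of those calls, using only the standard library, by running `xml.parsers.expat` over the document first and refusing any DOCTYPE, entity declaration or external entity reference before ElementTree sees it. This approximates the `forbid_dtd` / `forbid_entities` / `forbid_external` behaviour of defusedxml; in the real code base the simpler fix is the one bandit names, `pip install defusedxml` and `defusedxml.ElementTree.fromstring`. The `SAMPLE_QUERY`, `BILLION_LAUGHS` and `XXE_PROBE` documents are constructed test inputs, not real i2b2 or FHIR messages, and the file path in `XXE_PROBE` is a placeholder.

```python
"""Stdlib-only guard for bandit B405/B314: reject DTD and entity constructs
before handing untrusted XML to xml.etree.ElementTree.

Added example (not codex-flare code). Approximates defusedxml's
forbid_dtd / forbid_entities / forbid_external options with a pre-pass
over xml.parsers.expat, then parses with the normal ElementTree API.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXMLConstruct(ValueError):
    """The document declares a DTD or entity, or references an external entity."""


def check_xml_is_plain(xml_text: str, forbid_dtd: bool = True) -> None:
    """Scan xml_text with expat and raise on constructs that enable
    entity-expansion (billion laughs) or external-entity (XXE) attacks.

    FHIR and i2b2 payloads never legitimately carry a DOCTYPE, so the default
    rejects any DTD outright (stricter than defusedxml's default). With
    forbid_dtd=False a DOCTYPE is tolerated, but every entity declaration and
    external entity reference inside it is still refused.
    """
    parser = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXMLConstruct(f"DOCTYPE not allowed (root {name!r})")

    def reject_entity(name, *_):
        # One handler serves EntityDecl (7 args) and UnparsedEntityDecl (5 args).
        raise ForbiddenXMLConstruct(f"entity declaration not allowed ({name!r})")

    def reject_external(context, base, sysid, pubid):
        raise ForbiddenXMLConstruct(f"external entity not allowed ({sysid!r})")

    if forbid_dtd:
        parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.UnparsedEntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    # An exception raised inside an expat handler stops parsing and
    # propagates out of Parse(), so the first forbidden construct aborts.
    parser.Parse(xml_text, True)


def parse_untrusted_xml(xml_text: str, forbid_dtd: bool = True) -> ET.Element:
    """Drop-in replacement for Etree.fromstring() on network-supplied XML."""
    check_xml_is_plain(xml_text, forbid_dtd)
    return ET.fromstring(xml_text)


def is_rejected(xml_text: str, forbid_dtd: bool = True) -> bool:
    """True when parse_untrusted_xml refuses the document."""
    try:
        parse_untrusted_xml(xml_text, forbid_dtd)
    except ForbiddenXMLConstruct:
        return True
    return False


# Constructed samples (not real i2b2 or FHIR messages).
SAMPLE_QUERY = (
    "<query_definition><panel><item>"
    "<item_key>demo:age</item_key>"
    "</item></panel></query_definition>"
)

# Classic nested-entity expansion; rejected at the DOCTYPE (default) or at
# the first <!ENTITY> declaration (forbid_dtd=False).
BILLION_LAUGHS = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;&lol;">]>'
    "<query_definition>&lol2;</query_definition>"
)

# External entity declaration; the SYSTEM path is a placeholder.
XXE_PROBE = (
    '<!DOCTYPE q [<!ENTITY ext SYSTEM "file:///PLACEHOLDER_PATH">]>'
    "<query_definition>&ext;</query_definition>"
)

if __name__ == "__main__":
    root = parse_untrusted_xml(SAMPLE_QUERY)
    print("benign query item_key:", root.find("panel/item/item_key").text)
    for label, doc in (("billion laughs", BILLION_LAUGHS), ("xxe probe", XXE_PROBE)):
        print(f"{label}: rejected={is_rejected(doc)}, "
              f"rejected with DTD tolerated={is_rejected(doc, forbid_dtd=False)}")
```

The pre-pass costs a second walk over the document but keeps the existing `Etree`-based code paths unchanged; swapping `Etree.fromstring(...)` for `parse_untrusted_xml(...)` at the two flagged call sites is the only edit needed. The B501 finding is the same kind of one-line fix: drop `verify=False` from the `requests.post` call (the default verifies the server certificate against the system CA store) or pass `verify="/path/to/ca-bundle.pem"` if the FHIR server is issued by a private CA.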