3.11.4-slim adds dev packages

[kohtala]

I run trivy for vulnerability scan on the python image. After upgrade from python:3.11.3-slim to python:3.11.4-slim, it started to report on vulnerabilities in Linux kernel due to linux-libc-dev.

It seems to contain upgrade from bullseye to bookworm. The base debian:bookworm-slim does not add the dev packages, but they seem to be added during Python build.

The added packages are these:

libc-dev-bin
libc6-dev
libcrypt-dev
libnsl-dev
libtirpc-dev
linux-libc-dev
rpcsvc-proto

These total about 20 MB of unnecessary packages.

I traced the problem into libc6-dev containing file paths that embed the searched library path

$ docker run --rm python:3.11.4-slim dpkg-query --search lib/x86_64-linux-gnu/libc.so.6
libc6-dev:amd64: /usr/share/gdb/auto-load/lib/x86_64-linux-gnu/libc.so.6-gdb.py
libc6:amd64: /lib/x86_64-linux-gnu/libc.so.6

Therefore it thinks libc6-dev is needed and marks it manually installed to be saved on the image.

[kohtala]

A solution could be to prepend '*' into the search string:

$ docker run --rm python:3.11.4-slim dpkg-query --search '*lib/x86_64-linux-gnu/libc.so.6'
libc6:amd64: /lib/x86_64-linux-gnu/libc.so.6

[kinoute]

I'm very interested in this. Trivy reports so many CVE regarding linux-libc-dev, even after upgrading the package manually. I will try to build my own Python Docker image with your fix @kohtala.

[kohtala]

@kinoute, please report back your result.

I'm curious how often the maintainers pay attention to issues and how long this needs to wait for attention.

[yosifkit]

Apologies for the delay. I should hopefully be able to look at this tomorrow.

[kinoute]

@kohtala Your version worked great regarding linux-libc-dev. Unfortunately, another vulnerability showed up (related to perl IIRC) so we temporarily built a custom image based on Ubuntu 22.04 which removed drastically the number of vulnerabilities and made it to "Medium" on Trivy.