antoinecaputo opened a new issue, #6508: URL: https://github.com/apache/incubator-devlake/issues/6508
### Search before asking - [X] I had searched in the [issues](https://github.com/apache/incubator-devlake/issues?q=is%3Aissue) and found no similar issues. ### What happened Image vulnerability scan from docker and AWS Inspector has detected a critical CVE on the python package sub-dependency `certifi`. ``` Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. ``` See [CVE-2023-37920](https://nvd.nist.gov/vuln/detail/CVE-2023-37920) for more details. #### Docker vulnerability scan result <img width="300" alt="docker-scan-with-vulnerability" src="https://github.com/apache/incubator-devlake/assets/44469196/388de92d-93a5-439a-b18a-e519fa9631d1";> #### AWS Inspector scan result : <img width="1000" alt="aws-inspector-with-vulnerability" src="https://github.com/apache/incubator-devlake/assets/44469196/d10d2ad5-2806-4af1-bacb-d4b544715a29";> ### What do you expect to happen The vulnerability should not appear anymore in the scan results once the package has been fixed. #### Docker vulnerability scan result <img width="300" alt="docker-scan-with-no-vulnerability" src="https://github.com/apache/incubator-devlake/assets/44469196/478ee411-afb0-4a18-a311-419222f3a374";> #### AWS Inspector scan result : <img width="1000" alt="aws-inspector-with-no-vulnerability" src="https://github.com/apache/incubator-devlake/assets/44469196/75a81aec-52c7-4c52-9b88-cc81a1626325";> ### How to reproduce Build or pull the docker image using `docker pull apache/devlake:v0.20.0-beta2` From Docker Desktop you can retrieve the `Vulnerabilities`panel in the image details After the analysis is done, type `CVE-2023-37920` in the search input  ### Anything else _No response_ ### Version v0.20.0-beta2 ### Are you willing to submit PR? - [X] Yes I am willing to submit a PR! ### Code of Conduct - [X] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
