Skip to content

Remediate CVEs flagged by the Trivy container scan (transformers RCE, zlib1g, util-linux) #173

Description

@m-khan-97

Objective

The Trivy container scan added in #156/#171 is working correctly and currently fails on every PR — but nobody has fixed what it's finding yet, so it's effectively a permanent red X contributors learn to ignore. Confirmed on #172's CI run that these findings are real and unrelated to that PR's changes.

Findings (from the current image scan)

  • transformers 4.57.6 — CVE-2026-4372, HuggingFace transformers remote code execution, fixed in 5.3.0. Pulled in transitively via sentence-transformers in requirements.txt. This is the one worth prioritising — RCE in a dependency that's already in the API image.
  • zlib1g 1:1.2.13.dfsg-1 — CVE-2023-45853, CRITICAL, base OS package, marked will_not_fix upstream (Debian) — likely needs a newer base image, not a package bump.
  • util-linux / util-linux-extra — CVE-2026-53615, base OS package.
  • jaraco.context 5.3.0 — CVE-2026-23949, path traversal via malicious tar archives, fixed in 6.1.0.
  • wheel 0.45.1 — CVE-2026-24049, fixed in 0.46.2.

Scope

  • Bump sentence-transformers/transformers to a version pulling in transformers>=5.3.0; confirm the RAG pipeline (ai/embed.py, ai/retriever.py) still works against the bumped version
  • Bump jaraco.context, wheel pins (or their parent packages) past the fixed versions
  • For the base-image CVEs (zlib1g, util-linux), evaluate moving to a newer python:3.11-slim base or an explicit apt-get upgrade layer, since the Debian package is marked won't-fix at the pinned version
  • Re-run Trivy locally against the built image to confirm each finding clears
  • CI passes (including Container Scan), base branch dev

Category

Infrastructure / Security

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workinginfraInfrastructure, CI/CD, deployment, and platform engineeringpriority: highImportant, should be fixed in the current sprint

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    📋 Backlog

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions