I was trying to run DeepFace in Docker, and when I ran the container I got an error related to OpenCV.
Following online suggestions, I downloaded the FFmpeg package; that resolved the OpenCV error and everything was working fine inside the container.
I ran a docker scan to check for security issues and it highlighted 4 critical severity issues introduced through the FFmpeg package.
Can anyone help me with how to avoid these security issues?
Below is the content of the Dockerfile:
# base image as reported by the scan output below
FROM python:3.9.13-slim
RUN apt-get update
RUN apt-get install ffmpeg -y
RUN pip install flask flask_cors deepface numpy pillow flask_wtf
WORKDIR /app
COPY . /app
EXPOSE 84
CMD ["python","app.py"]
Below is the result of the docker scan, which uses Snyk. NOTE: I am only providing the High and Critical severity issues.
Description: Out-of-bounds Write
Info: https://snyk.io/vuln/SNYK-DEBIAN11-GDKPIXBUF-2960116
Introduced through: ffmpeg@7:4.3.4-0+deb11u1, gdk-pixbuf/libgdk-pixbuf2.0-bin@2.42.2+dfsg-1, librsvg/librsvg2-common@2.50.3+dfsg-1
From: ffmpeg@7:4.3.4-0+deb11u1 > ffmpeg/libavcodec58@7:4.3.4-0+deb11u1 > librsvg/librsvg2-2@2.50.3+dfsg-1 > gdk-pixbuf/libgdk-pixbuf-2.0-0@2.42.2+dfsg-1 > gdk-pixbuf/libgdk-pixbuf2.0-common@2.42.2+dfsg-1
From: gdk-pixbuf/libgdk-pixbuf2.0-bin@2.42.2+dfsg-1 > gdk-pixbuf/libgdk-pixbuf-2.0-0@2.42.2+dfsg-1
From: librsvg/librsvg2-common@2.50.3+dfsg-1 > gdk-pixbuf/libgdk-pixbuf-2.0-0@2.42.2+dfsg-1
and 2 more...
Image layer: 'apt-get install ffmpeg -y'
✗ High severity vulnerability found in aom/libaom0
Description: Out-of-bounds Write
Info: https://snyk.io/vuln/SNYK-DEBIAN11-AOM-1085722
Introduced through: ffmpeg@7:4.3.4-0+deb11u1
From: ffmpeg@7:4.3.4-0+deb11u1 > ffmpeg/libavcodec58@7:4.3.4-0+deb11u1 > aom/libaom0@1.0.0.errata1-3
Image layer: 'apt-get install ffmpeg -y'
✗ Critical severity vulnerability found in zlib/zlib1g
Description: Out-of-bounds Write
Info: https://snyk.io/vuln/SNYK-DEBIAN11-ZLIB-2976151
Introduced through: meta-common-packages@meta
From: meta-common-packages@meta > zlib/zlib1g@1:1.2.11.dfsg-2+deb11u1
Image layer: Introduced by your base image (python:3.9.13-slim)
✗ Critical severity vulnerability found in aom/libaom0
Description: Release of Invalid Pointer or Reference
Info: https://snyk.io/vuln/SNYK-DEBIAN11-AOM-1290331
Introduced through: ffmpeg@7:4.3.4-0+deb11u1
From: ffmpeg@7:4.3.4-0+deb11u1 > ffmpeg/libavcodec58@7:4.3.4-0+deb11u1 > aom/libaom0@1.0.0.errata1-3
Image layer: 'apt-get install ffmpeg -y'
✗ Critical severity vulnerability found in aom/libaom0
Description: Use After Free
Info: https://snyk.io/vuln/SNYK-DEBIAN11-AOM-1298721
Introduced through: ffmpeg@7:4.3.4-0+deb11u1
From: ffmpeg@7:4.3.4-0+deb11u1 > ffmpeg/libavcodec58@7:4.3.4-0+deb11u1 > aom/libaom0@1.0.0.errata1-3
Image layer: 'apt-get install ffmpeg -y'
✗ Critical severity vulnerability found in aom/libaom0
Description: Buffer Overflow
Info: https://snyk.io/vuln/SNYK-DEBIAN11-AOM-1300249
Introduced through: ffmpeg@7:4.3.4-0+deb11u1
From: ffmpeg@7:4.3.4-0+deb11u1 > ffmpeg/libavcodec58@7:4.3.4-0+deb11u1 > aom/libaom0@1.0.0.errata1-3
Image layer: 'apt-get install ffmpeg -y'
Organization: 16082204
Package manager: deb
Target file: Dockerfile
Project name: docker-image|face-verification-v2
Docker image: face-verification-v2
Platform: linux/amd64
Base image: python:3.9.13-slim
Licenses: enabled
Tested 314 dependencies for known issues, found 120 issues.
According to our scan, you are currently using the most secure version of the selected base image
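Added example (not from the question, and not Snyk's own code): a small Python triage helper that parses the scan output in the layout shown above and tallies findings per image layer, so the ones the `apt-get install ffmpeg -y` line introduced are separated from those the python:3.9.13-slim base image already carries. The sample text is constructed from three of the findings quoted above.

```python
import re
from collections import Counter, defaultdict
# Constructed sample in the layout Snyk prints; values copied from the scan above.
SAMPLE_SCAN = """\
✗ High severity vulnerability found in aom/libaom0
Description: Out-of-bounds Write
Info: https://snyk.io/vuln/SNYK-DEBIAN11-AOM-1085722
Introduced through: ffmpeg@7:4.3.4-0+deb11u1
From: ffmpeg@7:4.3.4-0+deb11u1 > ffmpeg/libavcodec58@7:4.3.4-0+deb11u1 > aom/libaom0@1.0.0.errata1-3
Image layer: 'apt-get install ffmpeg -y'
✗ Critical severity vulnerability found in zlib/zlib1g
Description: Out-of-bounds Write
Info: https://snyk.io/vuln/SNYK-DEBIAN11-ZLIB-2976151
Introduced through: meta-common-packages@meta
From: meta-common-packages@meta > zlib/zlib1g@1:1.2.11.dfsg-2+deb11u1
Image layer: Introduced by your base image (python:3.9.13-slim)
✗ Critical severity vulnerability found in aom/libaom0
Description: Use After Free
Info: https://snyk.io/vuln/SNYK-DEBIAN11-AOM-1298721
Introduced through: ffmpeg@7:4.3.4-0+deb11u1
From: ffmpeg@7:4.3.4-0+deb11u1 > ffmpeg/libavcodec58@7:4.3.4-0+deb11u1 > aom/libaom0@1.0.0.errata1-3
Image layer: 'apt-get install ffmpeg -y'
Tested 314 dependencies for known issues, found 120 issues.
"""
HEADER = re.compile(r"^✗ (\w+) severity vulnerability found in (\S+)$")

def parse_scan(text):
    """Turn Snyk's text output into finding dicts: severity, package, the
    'Key: value' lines, and every 'From:' dependency path split on ' > '."""
    findings = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            findings.append({"severity": m.group(1), "package": m.group(2), "paths": []})
        elif findings and ": " in line:  # preamble/trailer lines belong to no finding
            key, value = line.split(": ", 1)
            if key == "From":
                findings[-1]["paths"].append(value.split(" > "))
            else:
                findings[-1][key] = value
    return findings

def by_layer(findings):
    """Count findings per image layer and severity. Base-image findings can only
    go away with a newer base tag; the rest were added by a RUN line you control."""
    table = defaultdict(Counter)
    for f in findings:
        table[f.get("Image layer", "unknown")][f["severity"]] += 1
    return {layer: dict(counts) for layer, counts in table.items()}
```

Feed it the full scan text (for example, `by_layer(parse_scan(open("scan.txt").read()))`) to see at a glance which layer each High/Critical finding belongs to.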