python3 packages remain installed
Feature description
By installing crypto-policies-scripts in the Dockerfile and not uninstalling it together with the dependencies it pulls in, the resulting image contains a number of packages that are not present in the RHEL 9 UBI image. These include:
crypto-policies-scripts-20240202-1.git283706d.el9.noarch
expat-2.5.0-2.el9_4.x86_64
libxcrypt-compat-4.4.18-3.el9.x86_64
python-unversioned-command-3.9.18-3.el9_4.3.noarch
python3-3.9.18-3.el9_4.3.x86_64
python3-libs-3.9.18-3.el9_4.3.x86_64
python3-pip-wheel-21.2.3-8.el9.noarch
python3-setuptools-wheel-53.0.0-12.el9.noarch
These may not be needed once crypto-policies-scripts has done its work, yet they are now present in every downstream container built from this base image. These libraries occasionally (and for python3, somewhat frequently) have CVEs reported against them, since a fairly large language runtime is now included in these images. Downstream container images cannot remove these from the base layer, so scanning tools may still find them even if a downstream image removes them itself.
Please uninstall crypto-policies-scripts and all of its newly installed dependencies before generating the final image, so that they are not included in it.
Use cases
Downstream containers built from Iron Bank UBI 9 may have no need for the python3 runtime or other libraries installed as dependencies of crypto-policies-scripts.
Benefits
Packages needed only at build time are not present in the final runtime image, which saves disk space and reduces the footprint of possible vulnerabilities reported on the container or any downstream containers.
Requirements
Uninstall crypto-policies-scripts and any dependent packages installed for it before creating the final image, and ensure they are not present in any retained intermediate layer.
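A Dockerfile fragment that carries out this requirement, added here as an example and not the Iron Bank project's own build file: it installs crypto-policies-scripts, runs update-crypto-policies, and undoes the install transaction within the same RUN layer, then fails the build if any package from the list above is still installed. The base image reference, the use of the standard (non-minimal) UBI 9 image with dnf available, and the FIPS policy name are assumptions.

```dockerfile
# Added example, not the project's own Dockerfile. Assumes the standard
# UBI 9 image (dnf available) and that the only build-time use of
# crypto-policies-scripts is one update-crypto-policies call; the policy
# name FIPS is an assumed value.
FROM registry.access.redhat.com/ubi9/ubi:latest

# Install, apply and remove inside a single RUN so the python3 runtime and
# the other pulled-in packages never land in a retained layer. The back-end
# configuration that update-crypto-policies writes under
# /etc/crypto-policies/ survives the removal, so the policy stays applied.
RUN dnf -y install crypto-policies-scripts \
    && update-crypto-policies --set FIPS \
    && dnf -y history undo last \
    && dnf -y clean all \
    && rm -rf /var/cache/dnf

# Verification step: the build fails if any of the packages named in the
# request is still installed in the image.
RUN for p in crypto-policies-scripts python3 python3-libs \
             python-unversioned-command libxcrypt-compat expat \
             python3-pip-wheel python3-setuptools-wheel; do \
        if rpm -q --quiet "$p"; then \
            echo "build-time package still present: $p" >&2; exit 1; \
        fi; \
    done
```

Because `dnf history undo last` reverts the whole install transaction, the dependency set does not need to be enumerated by hand and will not drift as the package's dependencies change.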
Tasks
- [ ] Feature has been implemented