I was asked to help on an issue today. Our security scanning tool reports a vulnerability, which is a .py file, on CentOS 8 docker image. But when we run the CentOS 8 docker image as a container, we found Python was not even installed. So where is that file from?
I tried it on a new VM instance on Google Cloud with CentOS 8 image. Neither the .py file was there nor Python was installed. But when I installed Python, the .py file showed up. After I uninstalled Python, the file was not removed.
My conclusion was the .py file, which the security scanning tool didn’t like, was a product of installing Python. I think during the process of making the official base Docker image of CentOS 8, Python is installed and later uninstalled. That file is a leftover. I couldn’t find concrete proof but it seems pretty reasonable.
Anyway, that .py file really doesn’t matter since Python is not even installed. We can either delete it or ignore it.