Hello All,
I could see the following private keys in AWX images. Could anyone please suggest what these are used for, and whether it is possible to remove them from the build, since these are marked as vulnerable for some reason in our scan?
/var/lib/awx/venv/ansible/lib/python3.6/site-packages/libcloud/test/common/fixtures/google/pkey.pem | [type:"RSA PRIVATE KEY"] |
/var/lib/awx/venv/ansible/lib/python3.6/site-packages/libcloud/test/compute/fixtures/misc/dummy_rsa | [type:"RSA PRIVATE KEY"] |
/var/lib/awx/venv/ansible/lib/python3.6/site-packages/libcloud/test/loadbalancer/fixtures/nttcis/alice.key | [type:"PRIVATE KEY"] |
/var/lib/awx/venv/ansible/lib/python3.6/site-packages/libcloud/test/loadbalancer/fixtures/nttcis/denis.key | [type:"RSA PRIVATE KEY"] |
/var/lib/awx/venv/awx/lib/python3.6/site-packages/future/backports/test/keycert.passwd.pem | [type:"RSA PRIVATE KEY"] |
/var/lib/awx/venv/awx/lib/python3.6/site-packages/future/backports/test/badcert.pem | [type:"RSA PRIVATE KEY"] |
/var/lib/awx/venv/awx/lib/python3.6/site-packages/future/backports/test/keycert2.pem | [type:"PRIVATE KEY"] |
/var/lib/awx/venv/awx/lib/python3.6/site-packages/future/backports/test/keycert.pem | [type:"PRIVATE KEY"] |
/var/lib/awx/venv/awx/lib/python3.6/site-packages/future/backports/test/ssl_key.passwd.pem | [type:"RSA PRIVATE KEY"] |
/var/lib/awx/venv/awx/lib/python3.6/site-packages/future/backports/test/ssl_key.pem | [type:"PRIVATE KEY"] |
/var/lib/awx/venv/awx/lib/python3.6/site-packages/slapdtest/certs/server.key | [type:"PRIVATE KEY"] |
/var/lib/awx/venv/awx/lib/python3.6/site-packages/slapdtest/certs/client.key | [type:"PRIVATE KEY"] |
/var/lib/awx/venv/awx/lib/python3.6/site-packages/social_core/tests/testkey.pem | [type:"RSA PRIVATE KEY"] |
/var/lib/awx/venv/awx/lib/python3.6/site-packages/twisted/test/key.pem.no_trailing_newline | [type:"PRIVATE KEY"] |
/var/lib/awx/venv/awx/lib/python3.6/site-packages/twisted/test/server.pem | [type:"PRIVATE KEY"] |
Regards,
Ankit