
Trivy Scan reports CVE-2021-33026 vulnerability in Flask-Caching v1.10.1 #323

Closed
nabz09 opened this issue Mar 11, 2022 · 1 comment

nabz09 commented Mar 11, 2022

When running a Trivy scan on a Docker image which uses the Flask Caching dependency downloaded by pip, a critical vulnerability is thrown by the scan: https://nvd.nist.gov/vuln/detail/CVE-2021-33026
This is due to the use of the Pickle dependency.

Steps to reproduce:

  • Install Trivy following these steps: https://aquasecurity.github.io/trivy/v0.18.3/installation/

  • Create a new Docker image with flask caching, contents of Dockerfile
    FROM python:3.10
    RUN pip install flask-caching

  • Build the docker image:
    docker build -t flask-caching-image .

  • Run the Trivy security scan:
    trivy flask-caching-image

The output will list CVE-2021-33026 as a vulnerability of flask-caching

Expected Behaviour:

The scan should not pick up any CVEs for this project

Environment:

  • Python version: 3.10
  • Flask-Caching version: 1.10.1
@northernSage
Member

Thanks for the heads up. This is a well-known hassle of using the pickle protocol, as warned in the official Python docs, and it has been extensively discussed in #209, so I won't get into it again. Since means of avoiding pickle have been added in pallets-eco/cachelib#63, considering the incoming integration with cachelib, I'll be closing this for now. Once again, thanks for letting us know.
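An added example, not code from the Flask-Caching or cachelib projects, of the two defensive options this thread points at: a restricted unpickler that only resolves an allowlist of globals (the mitigation the Python docs describe for the pickle hazard behind CVE-2021-33026), and a JSON `dumps`/`loads` pair that avoids pickle for JSON-compatible cache values. The allowlist contents and the `dumps`/`loads` method names are assumptions of this example, not the cachelib serializer API.

```python
import io
import json
import pickle
from collections import Counter

# Allowlist of globals the restricted unpickler may resolve (example values only).
SAFE_GLOBALS = {("builtins", "set"), ("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses any GLOBAL reference outside SAFE_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def safe_load(data: bytes):
    """Return (True, value) for an accepted pickle, (False, reason) otherwise."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


class JSONSerializer:
    """dumps/loads pair that avoids pickle entirely (JSON-compatible values only)."""

    def dumps(self, value) -> bytes:
        return json.dumps(value, separators=(",", ":")).encode("utf-8")

    def loads(self, data: bytes):
        return json.loads(data.decode("utf-8"))


def run_demo() -> dict:
    # Constructed cache entries standing in for what a cache backend would store.
    entry = {"user_id": 42, "roles": ["admin"], "tags": {"a", "b"}}
    ok_plain, value = safe_load(pickle.dumps(entry))
    # Counter is not allowlisted, so the restricted unpickler rejects it.
    ok_counter, reason = safe_load(pickle.dumps(Counter({"hits": 3})))
    js = JSONSerializer()
    json_entry = {"user_id": 42, "roles": ["admin"]}
    return {
        "plain_ok": ok_plain, "plain_value": value,
        "counter_ok": ok_counter, "counter_reason": reason,
        "json_roundtrip": js.loads(js.dumps(json_entry)) == json_entry,
    }
```

The restricted unpickler still runs the pickle VM, so the JSON path is the stronger choice whenever cached values fit in JSON.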

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 28, 2022