- Bug
- Resolution: Not a Bug
- Major
- None
- quay-v3.6.2
- False
- False
- Quay Enterprise
When an image includes Python RPM packages, they are also checked against Python vulnerability databases (pyup.io and Snyk). However, the packages do not reference the security patches that RHEL provides, creating false positives.
Example: with our registry.redhat.io/ubi8/python-38:1-80 (latest currently in my test), the scan throws 4 high, 6 medium and 2 unknown. One of the high-level ones is:
pyup.io-38834 (CVE-2020-26137) on the package version 1.24.2. However, doing an rpm search on the image, we get
> rpm -q python3-urllib3
python3-urllib3-1.24.2-5.el8.noarch
The key here is the -5 security patch level. As referenced in:
https://access.redhat.com/security/cve/cve-2020-26137
That points to https://access.redhat.com/errata/RHSA-2021:1631, which says the fix is included in python3-urllib3-1.24.2-5.el8.noarch.rpm
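The mismatch described above can be reproduced with a few lines of Python. The following is an added example written for this page; it is neither Clair's code nor pyup.io's matcher. It parses the RPM NEVRA quoted in the report, compares it first the way an upstream-only advisory does (version string alone against an assumed upstream fix version of urllib3 1.25.9, which is not stated in this issue) and then against the RHSA fixed NEVRA using a simplified re-implementation of rpm's version comparison (tilde and caret ordering are not handled). The older release `1.24.2-4.el8` is a constructed value used only to show the distro-aware check still flags a genuinely unpatched build.

```python
"""Why upstream-only matching flags RHEL-backported fixes as vulnerable.

Added example for this issue (not Clair or pyup.io code). Advisory values
are taken from the issue text; the upstream fix version is an assumption.
"""
import re
from dataclasses import dataclass

# Segment splitter for a simplified rpmvercmp: numeric and alphabetic runs,
# everything else is a separator. Tilde/caret semantics are not implemented.
_SEG = re.compile(r"(\d+|[a-zA-Z]+)")


def rpm_vercmp(a: str, b: str) -> int:
    """Compare two RPM version/release strings; return -1, 0 or 1.

    Numeric segments compare numerically, alpha segments lexically,
    a numeric segment beats an alpha one, and when all shared segments
    are equal the string with more segments wins (as rpm does).
    """
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


@dataclass(frozen=True)
class Nevra:
    name: str
    epoch: int
    version: str
    release: str
    arch: str


_NEVRA = re.compile(
    r"^(?P<name>.+?)-(?:(?P<epoch>\d+):)?(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$"
)


def parse_nevra(s: str) -> Nevra:
    """Parse 'name-[epoch:]version-release.arch', tolerating a '.rpm' suffix."""
    s = s[:-4] if s.endswith(".rpm") else s
    m = _NEVRA.match(s)
    if not m:
        raise ValueError(f"not a NEVRA: {s}")
    return Nevra(m["name"], int(m["epoch"] or 0), m["version"], m["release"], m["arch"])


def evr_cmp(a: Nevra, b: Nevra) -> int:
    """Epoch, then version, then release: the order rpm uses."""
    if a.epoch != b.epoch:
        return -1 if a.epoch < b.epoch else 1
    c = rpm_vercmp(a.version, b.version)
    return c if c else rpm_vercmp(a.release, b.release)


# Upstream-style advisory (pyup.io-38834 / CVE-2020-26137 from the issue).
# fixed_in is an ASSUMED upstream urllib3 fix version, not from the issue.
UPSTREAM_ADVISORY = {"id": "pyup.io-38834", "cve": "CVE-2020-26137",
                     "package": "urllib3", "fixed_in": "1.25.9"}

# Distribution advisory quoted in the issue: the fix is backported into this NEVRA.
RHSA_FIX = {"advisory": "RHSA-2021:1631", "cve": "CVE-2020-26137",
            "fixed_nevra": "python3-urllib3-1.24.2-5.el8.noarch"}


def pypi_name(rpm_name: str) -> str:
    """Naive RPM-to-PyPI name mapping (drops the python3-/python- prefix)."""
    return re.sub(r"^python3?-", "", rpm_name)


def upstream_match(installed: Nevra) -> bool:
    """Upstream-only logic: consult the version string, ignore the release."""
    return (pypi_name(installed.name) == UPSTREAM_ADVISORY["package"]
            and rpm_vercmp(installed.version, UPSTREAM_ADVISORY["fixed_in"]) < 0)


def distro_aware_match(installed: Nevra) -> bool:
    """Distro-aware logic: vulnerable only if EVR is below the RHSA fixed EVR."""
    fixed = parse_nevra(RHSA_FIX["fixed_nevra"])
    return installed.name == fixed.name and evr_cmp(installed, fixed) < 0


def assess(nevra_str: str) -> dict:
    """Return both verdicts for one installed package."""
    inst = parse_nevra(nevra_str)
    return {"upstream_flags": upstream_match(inst),
            "distro_flags": distro_aware_match(inst)}


if __name__ == "__main__":
    for pkg in ("python3-urllib3-1.24.2-5.el8.noarch",   # from the issue
                "python3-urllib3-1.24.2-4.el8.noarch"):  # constructed older build
        print(pkg, assess(pkg))
```

Running the script shows the patched build from the report flagged by the upstream check but cleared by the EVR comparison, while the constructed `-4.el8` build is flagged by both; a scanner that wants to deliver results without false positives for RHEL-packaged Python modules needs the second comparison, keyed on the distribution's own advisory data.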
- is related to
  - PROJQUAY-4023 Clair interprets scan results instead of just delivering them (New)
  - PROJQUAY-2880 clair shows vulnerable packages from pyup.io which are actually fixed by RHSA (Closed)