3.11.4-slim adds dev packages #857

@kohtala

I run trivy for vulnerability scans on the python image. After the upgrade from python:3.11.3-slim to python:3.11.4-slim, it started to report on vulnerabilities in the Linux kernel due to linux-libc-dev.

It seems to contain an upgrade from bullseye to bookworm. The base debian:bookworm-slim does not add the dev packages, but they seem to be added during the Python build.

The added packages are these:

libc-dev-bin
libc6-dev
libcrypt-dev
libnsl-dev
libtirpc-dev
linux-libc-dev
rpcsvc-proto

These total about 20 MB of unnecessary packages.

I traced the problem to libc6-dev containing file paths that embed the searched library path:

```
$ docker run --rm python:3.11.4-slim dpkg-query --search lib/x86_64-linux-gnu/libc.so.6
libc6-dev:amd64: /usr/share/gdb/auto-load/lib/x86_64-linux-gnu/libc.so.6-gdb.py
libc6:amd64: /lib/x86_64-linux-gnu/libc.so.6
```

Therefore it thinks libc6-dev is needed and marks it manually installed to be saved on the image.
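
The substring match described in this issue, as an added example that is not part of the original report or of the image's build scripts: it filters `dpkg-query --search` output down to packages that own the searched path exactly. The function names are hypothetical, and `naive_owners` is an assumed stand-in for a build step that keeps every reported owner.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the image build.

# naive_owners: assumed reduction that keeps every package named in
# `dpkg-query --search` output, substring matches included.
naive_owners() {
    cut -d: -f1 | sort -u
}

# exact_owners PATH
# stdin:  `dpkg-query --search` output, "pkg[:arch][, pkg...]: /path"
# stdout: packages whose reported path is exactly PATH, one per line
exact_owners() {
    WANT="$1" awk '
        # Diversion notices ("diversion by PKG from: /path") are not owners.
        /^(local )?diversion / { next }
        {
            # The owner list ends at the first ": /"; package names and
            # arch qualifiers such as "libc6:amd64" never contain it.
            sep = index($0, ": /")
            if (sep == 0) next
            path = substr($0, sep + 2)
            if (path != ENVIRON["WANT"]) next
            n = split(substr($0, 1, sep - 1), owners, ", ")
            for (i = 1; i <= n; i++) print owners[i]
        }' | sort -u
}

# The two result lines quoted in the issue, reused here as sample input.
sample_search_output() {
    cat <<'EOF'
libc6-dev:amd64: /usr/share/gdb/auto-load/lib/x86_64-linux-gnu/libc.so.6-gdb.py
libc6:amd64: /lib/x86_64-linux-gnu/libc.so.6
EOF
}

# Compare the two reductions on the sample.
echo "every reported owner:"
sample_search_output | naive_owners
echo "exact owner of /lib/x86_64-linux-gnu/libc.so.6:"
sample_search_output | exact_owners /lib/x86_64-linux-gnu/libc.so.6
```

On the sample, the exact-path filter keeps only libc6, while the assumed naive reduction also keeps libc6-dev because its gdb auto-load script path embeds the library path.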
