Posting this here in reference to the Azure AI Services Text Translation image, as documented: https://hub.docker.com/r/microsoft/azure-cognitive-services-translator-text-translation
If anyone knows how to more directly reach the team managing this image, please let me know.
The Azure Cognitive Services container images appear to be based on a distroless build of CBL-Mariner 2.0 (Azure Linux).
While Mariner does backport security fixes to its packages, it's still important to know which version of a package is installed to determine whether a specific vulnerability has been addressed.
Normally, Mariner uses tdnf as its package manager. In distroless builds, tdnf is removed, but installed packages are still listed in /var/lib/rpmmanifest/container-manifest-*, which allows security scanners to identify what's installed.
However, the Azure Cognitive Services images seem to bypass tdnf entirely, copying package contents directly into the image. This breaks the package manifest, making it difficult or impossible for scanners to detect vulnerable software correctly.
For example, this issue came up in a recent Trivy discussion.
Personally, I would recommend avoiding distroless builds for this kind of use case — they tend to increase the difficulty of maintaining good security visibility.
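A check for the situation described above, as an added example that is not part of the original post or of Microsoft's image tooling: it looks for the RPM manifest in an exported container root filesystem, lists what it claims is installed, looks up one package's version-release, and fails loudly when no manifest is present (the case where a scanner has nothing to go on). It assumes the container-manifest-1 layout of one `name-version-release.arch` line per package (the rpm -qa default format); the sample manifest and both root directories are constructed here so the script runs offline, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post or from the image's build tooling).
# Assumes container-manifest-1 holds one "name-version-release.arch" line per
# package; the sample data below is constructed, not copied from any image.

# Constructed rootfs #1: a distroless Mariner-style tree with a manifest.
SAMPLE_ROOT="$(mktemp -d)"
mkdir -p "$SAMPLE_ROOT/var/lib/rpmmanifest" "$SAMPLE_ROOT/usr/bin"
cat > "$SAMPLE_ROOT/var/lib/rpmmanifest/container-manifest-1" <<'EOF'
bash-5.1.8-2.cm2.x86_64
openssl-libs-1.1.1k-20.cm2.x86_64
glibc-2.35-4.cm2.x86_64
EOF

# Constructed rootfs #2: binaries copied in directly, no manifest at all.
EMPTY_ROOT="$(mktemp -d)"
mkdir -p "$EMPTY_ROOT/usr/bin"
: > "$EMPTY_ROOT/usr/bin/service"
trap 'rm -rf "$SAMPLE_ROOT" "$EMPTY_ROOT"' EXIT

# manifest_packages ROOT: print "name version-release" for each listed
# package. Returns 1 when no (non-empty) manifest exists under ROOT.
manifest_packages() {
    root="$1"
    found=0
    for m in "$root"/var/lib/rpmmanifest/container-manifest-1; do
        [ -s "$m" ] || continue
        # Drop the ".arch" suffix, then split NAME-VERSION-RELEASE at the
        # last two dashes (NAME itself may contain dashes, e.g. openssl-libs).
        sed -E 's/\.[^.]+$//; s/^(.*)-([^-]+)-([^-]+)$/\1 \2-\3/' "$m"
        found=1
    done
    [ "$found" -eq 1 ]
}

# package_version ROOT NAME: print NAME's version-release, or fail if the
# manifest does not list it (or there is no manifest).
package_version() {
    manifest_packages "$1" \
        | awk -v n="$2" '$1 == n { print $2; found = 1 } END { exit !found }'
}

# report_visibility ROOT: human-readable summary of what a scanner would see.
report_visibility() {
    if manifest_packages "$1" >/dev/null; then
        printf '%s: manifest lists %s packages\n' "$1" \
            "$(manifest_packages "$1" | wc -l | tr -d ' ')"
    else
        printf '%s: no RPM manifest; scanners cannot enumerate packages\n' "$1" >&2
        return 1
    fi
}

report_visibility "$SAMPLE_ROOT"
printf 'openssl-libs is %s\n' "$(package_version "$SAMPLE_ROOT" openssl-libs)"
report_visibility "$EMPTY_ROOT" || true
```

To run the same checks against a real image, export its filesystem first, for example with `docker create --name probe <image>` followed by `docker cp probe:/ ./rootfs`, and pass `./rootfs` as ROOT. A manifest that is present but lists far fewer packages than the libraries actually shipped in the image is the symptom this post describes, and no scanner can close that gap by itself.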