caddyserver / caddy-docker

Source for the official Caddy v2 Docker Image
https://hub.docker.com/_/caddy
Apache License 2.0

Docker Hub - Caddy vulnerabilities are risky? #289

Closed RedrootDEV closed 1 year ago

RedrootDEV commented 1 year ago

All Caddy images in Docker have the following vulnerabilities: Is it a false positive or should I really worry about it?

[screenshot of the Docker Hub vulnerability report]

hairyhenderson commented 1 year ago

Hi @redr00t, thanks for reporting this.

for completeness, the screenshot comes from the tag view in DockerHub, like this one: https://hub.docker.com/layers/library/caddy/builder-alpine/images/sha256-4fa7d446d8f18e37cec1fe9b3b9a1e0e93807a3b06dc57ec020888c11d21cf93?context=explore

I'll look into this.

snieguu commented 1 year ago

@hairyhenderson Do you have any more insights or info?

hairyhenderson commented 1 year ago

These are coming from the xcaddy binary, which was built with an older Go binary. It should be re-built with 1.20.3. Same goes for the caddy binary.

@mholt do you know when the next release of xcaddy is happening?

mholt commented 1 year ago

How 'bout now? :grin:

v0.3.3 should be releasing now :crossed_fingers:

dbrennand commented 1 year ago

Hi all,

Should this have been resolved by v0.3.3 of xcaddy?

The version of stdlib is now 1.20 (different from the original screenshot from @redr00t) but Docker Hub is still reporting CVEs, one with a score of 9.8 in stdlib 😞

https://hub.docker.com/layers/library/caddy/latest/images/sha256-b27532c3b8bee89c27501e93b81d69b60f2bab459e9b967f39d2ccec151c93b4?context=explore

[screenshot of the Docker Hub vulnerability report]

hairyhenderson commented 1 year ago

@dbrennand You're looking at a different tag from the original (latest, vs builder-alpine).

As I mentioned in an earlier comment, both xcaddy and caddy needed to be re-built with Go 1.20.3+. There's a new Caddy beta available (2.7.0-beta.1) that you can try out - it scans clean:

https://hub.docker.com/layers/library/caddy/2.7/images/sha256-7951c4c3a58a42562e4cd3ecfb3eb2cef6e072a640d80256c03b009678a8df90?context=explore

Given that this issue was for the builder image originally, I'm going to close it.
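The fix described in the two hairyhenderson comments above (rebuilding caddy and xcaddy with Go 1.20.3 or newer) can be checked directly on any image tag rather than waiting for the Docker Hub scanner: the Go linker embeds a build-info blob in every binary, and `go version -m /usr/bin/caddy` prints the toolchain version from it. The script below, added here as an example and not code from the caddy-docker project, performs the same check in Python so it can run on a machine without a Go toolchain. It follows the blob layout documented in Go's `debug/buildinfo` package (the inline-string form written by Go 1.18 and later); the `go1.20.3` threshold, the constructed sample blob and the helper names are assumptions for the demo.

```python
"""Determine which Go toolchain built a binary (e.g. the caddy or xcaddy
binary copied out of a Docker image) by reading the embedded build-info blob.

Added example, not part of caddy-docker. Layout (per Go's debug/buildinfo):
a 32-byte header beginning with the magic b"\\xff Go buildinf:", byte 14 is
the pointer size, byte 15 holds flags; when flag 0x2 is set (Go 1.18+) the
version string and module info follow the header as uvarint-length-prefixed
strings.
"""
import re
from typing import Optional, Tuple

BUILDINFO_MAGIC = b"\xff Go buildinf:"
HEADER_SIZE = 32
FLAG_INLINE_STRINGS = 0x2


def _read_uvarint(data: bytes, pos: int) -> Tuple[int, int]:
    """Decode a base-128 varint (as Go's encoding/binary writes it)."""
    value, shift = 0, 0
    while True:
        b = data[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if b < 0x80:
            return value, pos
        shift += 7


def _read_string(data: bytes, pos: int) -> Tuple[str, int]:
    """Read a uvarint length followed by that many bytes of UTF-8."""
    length, pos = _read_uvarint(data, pos)
    return data[pos:pos + length].decode("utf-8", "replace"), pos + length


def go_build_version(blob: bytes) -> Optional[str]:
    """Return the toolchain version (e.g. 'go1.20.2') embedded in a Go binary,
    or None if no inline build-info blob is present. Binaries from Go < 1.18
    store pointers to the strings instead; they are reported as None rather
    than guessed at."""
    start = blob.find(BUILDINFO_MAGIC)
    if start < 0 or start + HEADER_SIZE > len(blob):
        return None
    if not blob[start + 15] & FLAG_INLINE_STRINGS:
        return None
    version, _ = _read_string(blob, start + HEADER_SIZE)
    return version


def parse_go_version(version: str) -> Tuple[int, ...]:
    """'go1.20.3' -> (1, 20, 3); 'go1.20' -> (1, 20, 0)."""
    m = re.match(r"go(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Go version: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def needs_rebuild(blob: bytes, minimum: str = "go1.20.3") -> bool:
    """True if the binary was built by a toolchain older than `minimum`, or if
    the toolchain cannot be determined (the conservative answer for triage)."""
    version = go_build_version(blob)
    if version is None:
        return True
    return parse_go_version(version) < parse_go_version(minimum)


def _fake_go_binary(version: str, modinfo: bytes = b"") -> bytes:
    """Constructed sample with the same layout the Go linker writes (assumption:
    string lengths < 128 so a single varint byte suffices). Not a real binary."""
    header = BUILDINFO_MAGIC + bytes([8, FLAG_INLINE_STRINGS])
    header += b"\x00" * (HEADER_SIZE - len(header))
    body = bytes([len(version)]) + version.encode() + bytes([len(modinfo)]) + modinfo
    return b"\x7fELF" + b"\x00" * 60 + header + body + b"\x00" * 16


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = _fake_go_binary("go1.20.2", b"path\tgithub.com/caddyserver/xcaddy\n")
    print("built with:", go_build_version(data))
    print("needs rebuild (< go1.20.3):", needs_rebuild(data))
```

To check a real image, copy the binary out first (`docker create --name tmp caddy:builder-alpine`, then `docker cp tmp:/usr/bin/xcaddy ./xcaddy`) and run the script on the extracted file. A `None` result means an older, pointer-based blob or a non-Go binary, which the script deliberately treats as "needs rebuild" rather than as a clean scan.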