docker-library / cassandra

Docker Official Image packaging for Cassandra
Apache License 2.0

GO vulnerabilities found in Cassandra 4.0.1 image #241

Closed. sietzeberends closed this issue 2 years ago.

sietzeberends commented 2 years ago

We found several vulnerabilities in the Cassandra 4.0.1 image.

They come from the Go package.

Is there a way you could either upgrade them to newer versions or remove these packages when building the Docker image?

The full list of found vulnerabilities:

- CVE-2021-38297: go
- CVE-2021-44716: go
- CVE-2021-41772: go
- CVE-2021-41771: go
- CVE-2021-33198: go
- CVE-2021-33196: go
- CVE-2021-33194: go
- CVE-2021-29923: go
- CVE-2021-27918: go
- CVE-2020-28367: go
- CVE-2020-28366: go
- CVE-2020-28362: go
- CVE-2020-16845: go
- CVE-2021-33195: go

wglambert commented 2 years ago

go isn't in the image https://github.com/docker-library/cassandra/blob/master/4.0/Dockerfile

I think it's seeing gosu and extrapolating that the image has go in it

See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves and https://github.com/docker-library/openjdk/issues/449#issuecomment-763027011, https://github.com/docker-library/postgres/issues/286#issuecomment-302512767, docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).
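The following is an added example, not code from this thread or from the docker-library/cassandra repository. It shows where a scanner's "go" finding typically comes from: gosu is a statically linked Go program, and `gosu --version` reports the Go toolchain it was built with, which is the string a scanner matches against Go CVEs even though no `go` tool is installed in the image. The sample `gosu --version` output and its format are constructed assumptions; the `inspect_image` helper that runs the real check against a container is hypothetical glue around `docker run`.

```sh
#!/bin/sh
# Added example (not part of the docker-library/cassandra issue or repo).
# Distinguish "a Go toolchain is installed in the image" from "a binary in the
# image was built with Go", which is what triggers Go CVE matches on gosu.

# Constructed sample of `gosu --version` output. Assumed format:
#   "<gosu version> (<go version> on <os>/<arch>; <compiler>)"
SAMPLE_GOSU_VERSION='1.12 (go1.15.6 on linux/amd64; gc)'

# gosu_go_version OUTPUT
# Print the Go toolchain version embedded in gosu --version output
# (e.g. "go1.15.6"); prints nothing if the format does not match.
gosu_go_version() {
    printf '%s\n' "$1" | sed -n 's/.*(\(go[0-9][0-9.]*\) on .*/\1/p'
}

# go_tool_on_path
# Return 0 if a `go` command is actually installed and on PATH, 1 otherwise.
# A scanner flagging "go" does not mean this returns 0.
go_tool_on_path() {
    command -v go >/dev/null 2>&1
}

# inspect_image IMAGE
# Hypothetical helper: run the two checks inside a container of IMAGE and
# report what a scanner would see versus what is really installed.
inspect_image() {
    image="$1"
    go_ver=$(docker run --rm "$image" gosu --version 2>/dev/null | \
             sed -n 's/.*(\(go[0-9][0-9.]*\) on .*/\1/p')
    if docker run --rm "$image" sh -c 'command -v go >/dev/null 2>&1'; then
        echo "$image: go toolchain installed"
    else
        echo "$image: no go toolchain installed"
    fi
    [ -n "$go_ver" ] && echo "$image: gosu built with $go_ver (this is what the scanner matches)"
}

# Stand-alone demonstration on the constructed sample:
echo "sample gosu reports toolchain: $(gosu_go_version "$SAMPLE_GOSU_VERSION")"
if go_tool_on_path; then echo "go tool present on this host"; else echo "no go tool on this host"; fi
# To run against a real image (requires docker): inspect_image cassandra:4.0.1
```

The point of the split is that the CVE list is about the Go toolchain, so the relevant question for triage is whether the reported toolchain version is actually exploitable through gosu's very small attack surface (it only drops privileges and execs), not whether a `go` package exists in the image; the latter check will simply come back empty on this image.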