Closed sietzeberends closed 2 years ago
`go` isn't in the image https://github.com/docker-library/cassandra/blob/master/4.0/Dockerfile

I think it's seeing `gosu` and extrapolating that the image has `go` in it.
See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves and https://github.com/docker-library/openjdk/issues/449#issuecomment-763027011, https://github.com/docker-library/postgres/issues/286#issuecomment-302512767, docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.
A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).
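Added example, not code from this thread or from the docker-library project: a small Go program that reproduces what the scanner keys on. It walks a directory, lists every executable carrying an embedded Go build version (the field a scanner matches against Go standard-library CVEs), and separately checks whether a `go` toolchain is actually installed. It assumes Go 1.18+ for `debug/buildinfo` and takes the directory to inspect as its first argument (defaulting to `/usr/local/bin`, where the official images place `gosu`).

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// GoBinary is one executable with embedded Go build metadata: the compiler
// version is what a scanner matches against Go stdlib CVEs, toolchain or not.
type GoBinary struct {
	Path, GoVersion, MainPath string // GoVersion e.g. "go1.16.6"
}

// FindGoBinaries returns every regular file under dir with readable Go build metadata.
func FindGoBinaries(dir string) ([]GoBinary, error) {
	var found []GoBinary
	err := filepath.WalkDir(dir, func(p string, d os.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return nil // unreadable entries and directories are not findings
		}
		bi, rerr := buildinfo.ReadFile(p)
		if rerr != nil {
			return nil // not a Go executable
		}
		found = append(found, GoBinary{p, bi.GoVersion, bi.Path})
		return nil
	})
	return found, err
}

// HasGoToolchain reports whether a `go` compiler is actually on PATH.
func HasGoToolchain() bool {
	_, err := exec.LookPath("go")
	return err == nil
}

func main() {
	root := "/usr/local/bin" // where the official images install gosu
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	bins, err := FindGoBinaries(root)
	for _, b := range bins {
		fmt.Printf("%s: built with %s (module %s)\n", b.Path, b.GoVersion, b.MainPath)
	}
	fmt.Println("walk error:", err, "| go toolchain on PATH:", HasGoToolchain())
}
```

Run inside the image (for example via a bind-mounted static build) to see `gosu` reported with its compiler version while the toolchain check prints `false`, which is the pattern behind the scanner's "go" findings.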
We found several vulnerabilities in Cassandra images 4.0.1
They are coming from the Go package
Is there a way you could either upgrade them to newer versions or remove these packages when building the Docker image?
The full list of found vulnerabilities:
- CVE-2021-38297: go
- CVE-2021-44716: go
- CVE-2021-41772: go
- CVE-2021-41771: go
- CVE-2021-33198: go
- CVE-2021-33196: go
- CVE-2021-33194: go
- CVE-2021-29923: go
- CVE-2021-27918: go
- CVE-2020-28367: go
- CVE-2020-28366: go
- CVE-2020-28362: go
- CVE-2020-16845: go
- CVE-2021-33195: go