docker-library / cassandra

Docker Official Image packaging for Cassandra
Apache License 2.0

Question on issue 241 #283

Closed peterwvz closed 1 month ago

peterwvz commented 1 month ago

Issue 241 (https://github.com/docker-library/cassandra/issues/241) noted:

We found several vulnerabilities in Cassandra images 4.0.1. They are coming from the Go package

The comment in that issue noted:

I think it's seeing gosu and extrapolating that the image has go in it

That is exactly correct. The Cassandra image ships the "gosu" binary which has Go "in it" since Go is statically linked. For example, the same thing is still true today for Cassandra 4.1.5. Docker reports 40+ CVEs in the Cassandra image against the Go standard libraries, all because of this single Go-based binary. The root cause is that gosu itself doesn't seem to be updating/recompiling with the latest Go: https://github.com/tianon/gosu

Their released version is 1.17, which hasn't been recompiled since Nov of last year and is using Go V1.20.5 (from mid 2023).

tianon commented 1 month ago

Please (re-)read https://github.com/tianon/gosu/blob/052c5c2b186b84c4d9a41ed4f327490ef8d746fe/SECURITY.md

(The binary has parts of Go in it, but only the used parts, which is what govulncheck tests for and other CVE scanners need to learn how to do.)
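A small check for the situation discussed above, added here as an example (not code from the gosu or docker-library projects): it reads the Go toolchain version baked into a statically linked binary such as gosu, which is the version scanners key on, and flags it when it is older than a threshold you choose. The live check assumes the `go` toolchain is installed; the parsing and comparison helpers work on captured `go version -m` output and need nothing else.

```shell
#!/bin/sh
# Added example; not part of gosu or the docker-library/cassandra image.

# Parse the "<path>: go1.X.Y" header line of `go version -m <binary>` output.
# $1 = the captured output text.
embedded_go_version() {
    printf '%s\n' "$1" | sed -n '1s/^.*: \(go[0-9][0-9.]*\).*$/\1/p'
}

# Return 0 if Go version $1 is strictly older than $2 (both like "go1.20.5").
# Compares major.minor.patch numerically; a missing field counts as 0.
go_version_older() {
    a="${1#go}"; b="${2#go}"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# Live check of a binary inside the image, e.g. /usr/local/bin/gosu.
# $1 = path to the binary, $2 = minimum acceptable toolchain, e.g. "go1.22.0".
# Exit 1 if the embedded toolchain is older, 2 if the check cannot run.
check_binary() {
    bin="$1"; minimum="$2"
    if ! command -v go >/dev/null 2>&1; then
        echo "go toolchain not installed; cannot inspect $bin" >&2
        return 2
    fi
    out="$(go version -m "$bin" 2>/dev/null)" || { echo "$bin is not a Go binary" >&2; return 2; }
    v="$(embedded_go_version "$out")"
    if go_version_older "$v" "$minimum"; then
        # Reachability, not just version, decides real exposure: hand it to govulncheck.
        echo "$bin built with $v (older than $minimum); next: govulncheck -mode=binary $bin"
        return 1
    fi
    echo "$bin built with $v"
}
```

Running `check_binary /usr/local/bin/gosu go1.22.0` inside the container tells you which toolchain the shipped gosu was built with; `govulncheck -mode=binary` then reports only the vulnerable standard-library functions the binary actually reaches, which is the distinction the comment above draws.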