Closed peterwvz closed 1 month ago
Please (re-)read https://github.com/tianon/gosu/blob/052c5c2b186b84c4d9a41ed4f327490ef8d746fe/SECURITY.md
(The binary has parts of Go in it, but only the used parts, which is what govulncheck tests for and other CVE scanners need to learn how to do.)
Issue 241 (https://github.com/docker-library/cassandra/issues/241) noted:
The comment in that issue noted:
That is exactly correct. The Cassandra image ships the "gosu" binary which has Go "in it" since Go is statically linked. For example, the same thing is still true today for Cassandra 4.1.5. Docker reports 40+ CVEs in the Cassandra image against the Go standard libraries, all because of this single Go-based binary. The root cause is that gosu itself doesn't seem to be updating/recompiling with the latest Go: https://github.com/tianon/gosu
Their released version is 1.17, which hasn't been recompiled since Nov of last year and is using Go v1.20.5 (from mid 2023).
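The two facts this thread turns on can be checked directly: a Go binary carries the toolchain version it was built with in its embedded build info (the field `go version -m <binary>` prints and image scanners key on), and a version string alone says nothing about whether a vulnerable standard-library function is actually linked in. The small tool below is an added example written for this page; it is not code from gosu, the cassandra image, or any participant in the thread. It reads that build-info field from any Go binary given on the command line (for example `/usr/local/bin/gosu` copied out of the image) and flags binaries built with a toolchain older than a minimum you pass in; the `GoToolchainOf`, `OlderThan` and `parseGoVersion` names are this example's own.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// GoToolchainOf returns the Go toolchain version recorded in a Go binary's
// embedded build info (the same value `go version -m <binary>` prints).
// It works on any Go-built executable, statically linked or not.
func GoToolchainOf(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return bi.GoVersion, nil
}

// parseGoVersion turns "go1.20.5" into [1 20 5]. Each component keeps only
// its leading digits, so "go1.22rc1" sorts as 1.22.0, which is good enough
// for a minimum-version gate. Strings that do not start with digits after the
// "go" prefix (e.g. "devel go1.23-...") are reported as unparseable.
func parseGoVersion(v string) ([3]int, bool) {
	var out [3]int
	v = strings.TrimPrefix(v, "go")
	if v == "" || v[0] < '0' || v[0] > '9' {
		return out, false
	}
	for i, part := range strings.SplitN(v, ".", 3) {
		j := 0
		for j < len(part) && part[j] >= '0' && part[j] <= '9' {
			j++
		}
		if j == 0 {
			return out, false
		}
		n, _ := strconv.Atoi(part[:j])
		out[i] = n
	}
	return out, true
}

// OlderThan reports whether toolchain version `have` is older than `want`,
// both in "go1.N.M" form. It fails closed: if either side cannot be parsed
// the binary is reported as older, so odd or stripped build info gets
// flagged rather than waved through.
func OlderThan(have, want string) bool {
	h, okHave := parseGoVersion(have)
	w, okWant := parseGoVersion(want)
	if !okHave || !okWant {
		return true
	}
	for i := 0; i < 3; i++ {
		if h[i] != w[i] {
			return h[i] < w[i]
		}
	}
	return false
}

// Usage: gochk <min-go-version> <binary>...
// Exit status 1 if any binary is unreadable or older than the minimum.
func main() {
	if len(os.Args) < 3 {
		fmt.Fprintln(os.Stderr, "usage: gochk <min-go-version> <binary>...")
		os.Exit(2)
	}
	minVer := os.Args[1]
	status := 0
	for _, p := range os.Args[2:] {
		v, err := GoToolchainOf(p)
		if err != nil {
			fmt.Printf("%s: no Go build info (%v)\n", p, err)
			status = 1
			continue
		}
		if OlderThan(v, minVer) {
			fmt.Printf("%s: built with %s, older than %s\n", p, v, minVer)
			status = 1
		} else {
			fmt.Printf("%s: built with %s (ok)\n", p, v)
		}
	}
	os.Exit(status)
}
```

This reproduces the number an image scanner reports against, but not its verdict: a toolchain version maps to a list of standard-library CVEs, not to what this particular binary calls. For the reachability-aware answer the maintainer's SECURITY.md points at, run `govulncheck -mode=binary /usr/local/bin/gosu`, which reports only vulnerable symbols that are actually linked into the binary.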