docker-library / mongo

Docker Official Image packaging for MongoDB
https://www.mongodb.org/
Apache License 2.0

security issues with stdlib #697

Closed logidru closed 3 months ago

logidru commented 3 months ago

I just installed the latest harbor registry today with (2.11.0 rc2) in order to test the SBOM feature. I noticed that trivy is reporting many more vulnerabilities (v0.51.2) than on our regular registry (v0.50.1). Actually I don't understand why there is a diff.

But all these CVEs are related to the package 'stdlib' that seems to really be there according to the SBOM (related to GOSU). Is this really an issue?

The CVEs are shown on all the latest jammy based images, 5.0.26, 6.0.15, 7.0.11, 8.0.0-rc6 (attached screenshots: image_cves, images_overview, sbom_stdlib)

whalelines commented 3 months ago

The CVEs associated with gosu are false positives. See https://github.com/tianon/gosu/blob/master/SECURITY.md . https://github.com/docker-library/faq?tab=readme-ov-file#why-does-my-security-scanner-show-that-an-image-has-cves may also be helpful.

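The point whalelines makes above is a triage one: a scanner that reads the Go module metadata embedded in a static binary such as gosu reports `stdlib` CVEs against that binary, and those need to be reviewed against the gosu SECURITY.md rather than treated like OS-package findings. The script below is an added example, not code from docker-library/mongo, Trivy or gosu. It assumes the Trivy JSON report layout `Results[].{Target,Class,Type,Vulnerabilities[]}` with `Vulnerabilities[].{VulnerabilityID,PkgName,InstalledVersion,Severity}` (verify against the output of your own Trivy version), and it works on a constructed sample report with placeholder CVE ids. It only separates the findings for review; it never drops anything.

```python
"""Triage a Trivy JSON report: pull out Go-stdlib findings that were reported
against a vendored static Go binary (gosu by default) so they can be reviewed
separately from the rest of the findings.

Added example, not part of docker-library/mongo, Trivy or gosu.  Assumption:
Trivy's JSON layout Results[].{Target,Class,Type,Vulnerabilities[]} and
Vulnerabilities[].{VulnerabilityID,PkgName,InstalledVersion,Severity}.
"""
import json
from collections import defaultdict

# Constructed sample report (placeholder CVE ids, invented versions).
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "mongo:sample",
    "Results": [
        {   # gosu is a static Go binary; Trivy reads its build metadata
            "Target": "usr/local/bin/gosu",
            "Class": "lang-pkgs",
            "Type": "gobinary",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "stdlib",
                 "InstalledVersion": "1.x-example", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "stdlib",
                 "InstalledVersion": "1.x-example", "Severity": "CRITICAL"},
            ],
        },
        {   # a different Go binary: its stdlib findings are NOT set aside
            "Target": "usr/local/bin/other-tool",
            "Class": "lang-pkgs",
            "Type": "gobinary",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "stdlib",
                 "InstalledVersion": "1.x-example", "Severity": "HIGH"},
            ],
        },
        {   # ordinary OS package finding, untouched by the triage
            "Target": "mongo:sample (ubuntu 22.04)",
            "Class": "os-pkgs",
            "Type": "ubuntu",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-0004", "PkgName": "libssl3",
                 "InstalledVersion": "3.0-example", "Severity": "MEDIUM"},
            ],
        },
    ],
})


def triage(report_json, binaries=("gosu",)):
    """Split findings into (suspect, remaining).

    suspect:   {target: [finding, ...]} for PkgName == "stdlib" findings whose
               Result is a Go binary named in `binaries`.
    remaining: [(target, finding), ...] for everything else.
    The two together contain every finding in the report.
    """
    report = json.loads(report_json)
    suspect = defaultdict(list)
    remaining = []
    for result in report.get("Results", []):
        target = result.get("Target", "")
        is_named_go_binary = result.get("Type") == "gobinary" and any(
            target.rstrip("/").split("/")[-1] == name for name in binaries
        )
        # Trivy emits null (not []) when a target has no findings.
        for vuln in result.get("Vulnerabilities") or []:
            if is_named_go_binary and vuln.get("PkgName") == "stdlib":
                suspect[target].append(vuln)
            else:
                remaining.append((target, vuln))
    return dict(suspect), remaining


def summarize(report_json, binaries=("gosu",)):
    """Counts a reviewer can paste into a ticket; nothing is suppressed."""
    suspect, remaining = triage(report_json, binaries)
    return {
        "suspect_stdlib_findings": sum(len(v) for v in suspect.values()),
        "suspect_targets": sorted(suspect),
        "remaining_findings": len(remaining),
    }


if __name__ == "__main__":
    found, rest = triage(SAMPLE_REPORT)
    for target, vulns in found.items():
        ids = ", ".join(v["VulnerabilityID"] for v in vulns)
        print(f"review against vendor security policy: {target}: {ids}")
    for target, v in rest:
        print(f"normal handling: {target}: {v['VulnerabilityID']} ({v['PkgName']})")
    print(summarize(SAMPLE_REPORT))
```

Run it against a real report with `trivy image --format json -o report.json <image>` and `triage(open("report.json").read())`. Matching on the binary's file name (not on any `gobinary` target) is deliberate: only the binaries whose upstream has documented how it handles Go stdlib advisories should be routed to that review path; every other stdlib finding stays in the normal queue.
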
logidru commented 3 months ago

Thanks for the clarification....