docker-library / postgres

Docker Official Image packaging for Postgres
http://www.postgresql.org
MIT License

Multiple CVEs flagged by JFrog for postgres:14 #1223

Closed eldamir closed 5 months ago

eldamir commented 5 months ago

I'm shopping around different images for Postgres 14 to see if there is one that doesn't make JFrog panic, but so far, I've had no luck...

Building on postgres:14, I get this:

Vulnerable Components
┌────────────┬──────────────────────────────────┬─────────┬──────────────────────────────────┬─────────────────────────┬────────────────────┬────────┬──────────────────┐
│ SEVERITY   │ DIRECT                           │ DIRECT  │ IMPACTED                         │ IMPACTED                │ FIXED              │ TYPE   │ CVE              │
│            │ PACKAGE                          │ PACKAGE │ PACKAGE                          │ PACKAGE                 │ VERSIONS           │        │                  │
│            │                                  │ VERSION │ NAME                             │ VERSION                 │                    │        │                  │
├────────────┼──────────────────────────────────┼─────────┼──────────────────────────────────┼─────────────────────────┼────────────────────┼────────┼──────────────────┤
│ 💀Critical │ sha256__123904d2d76a7dbec0fef121 │         │ github.com/golang/go             │ 1.18.2                  │ [1.19.10]          │ Go     │ CVE-2023-29404   │
│            │ 90f800f6e0f11fdd9ee64ba66aa368d2 │         │                                  │                         │ [1.20.5]           │        │                  │
│            │ c544122a.tar                     │         │                                  │                         │                    │        │                  │
│            │                                  │         │                                  │                         │                    │        │                  │
├────────────┼──────────────────────────────────┼─────────┼──────────────────────────────────┼─────────────────────────┼────────────────────┼────────┼──────────────────┤
│ 💀Critical │ sha256__123904d2d76a7dbec0fef121 │         │ github.com/golang/go             │ 1.18.2                  │ [1.19.10]          │ Go     │ CVE-2023-29402   │
│            │ 90f800f6e0f11fdd9ee64ba66aa368d2 │         │                                  │                         │ [1.20.5]           │        │                  │
│            │ c544122a.tar                     │         │                                  │                         │                    │        │                  │
│            │                                  │         │                                  │                         │                    │        │                  │
├────────────┼──────────────────────────────────┼─────────┼──────────────────────────────────┼─────────────────────────┼────────────────────┼────────┼──────────────────┤
│ 💀Critical │ sha256__123904d2d76a7dbec0fef121 │         │ github.com/golang/go             │ 1.18.2                  │ [1.19.9]           │ Go     │ CVE-2023-24540   │
│            │ 90f800f6e0f11fdd9ee64ba66aa368d2 │         │                                  │                         │ [1.20.4]           │        │                  │
│            │ c544122a.tar                     │         │                                  │                         │                    │        │                  │
│            │                                  │         │                                  │                         │                    │        │                  │
├────────────┼──────────────────────────────────┼─────────┼──────────────────────────────────┼─────────────────────────┼────────────────────┼────────┼──────────────────┤
│ 💀Critical │ sha256__123904d2d76a7dbec0fef121 │         │ github.com/golang/go             │ 1.18.2                  │ [1.19.10]          │ Go     │ CVE-2023-29405   │
│            │ 90f800f6e0f11fdd9ee64ba66aa368d2 │         │                                  │                         │ [1.20.5]           │        │                  │
│            │ c544122a.tar                     │         │                                  │                         │                    │        │                  │
│            │                                  │         │                                  │                         │                    │        │                  │
├────────────┼──────────────────────────────────┼─────────┼──────────────────────────────────┼─────────────────────────┼────────────────────┼────────┼──────────────────┤
│ 💀Critical │ sha256__123904d2d76a7dbec0fef121 │         │ github.com/golang/go             │ 1.18.2                  │ [1.19.8]           │ Go     │ CVE-2023-24538   │
│            │ 90f800f6e0f11fdd9ee64ba66aa368d2 │         │                                  │                         │ [1.20.3]           │        │                  │
│            │ c544122a.tar                     │         │                                  │                         │                    │        │                  │
│            │                                  │         │                                  │                         │                    │        │                  │
├────────────┼──────────────────────────────────┼─────────┼──────────────────────────────────┼─────────────────────────┼────────────────────┼────────┼──────────────────┤
│ 💀Critical │ sha256__a483da8ab3e941547542718c │         │ debian:bookworm:zlib1g:1         │ 1.2.13.dfsg-1           │                    │ Debian │ CVE-2023-45853   │
│            │ acd3258c6c705a63e94183c837c9bc44 │         │                                  │                         │                    │        │                  │
│            │ eb608999.tar                     │         │                                  │                         │                    │        │                  │
│            │                                  │         │                                  │                         │                    │        │                  │
├────────────┼──────────────────────────────────┼─────────┼──────────────────────────────────┼─────────────────────────┼────────────────────┼────────┼──────────────────┤
│ 💀Critical │ sha256__f12e2203a1b6a1977d7b9eaa │         │ debian:bookworm:libaom3          │ 3.6.0-1                 │                    │ Debian │ CVE-2023-6879    │
│            │ 65a131afa30362d6701893968b5ee186 │         │                                  │                         │                    │        │                  │
│            │ 07d25cbd.tar                     │         │                                  │                         │                    │        │                  │
│            │                                  │         │                                  │                         │                    │        │                  │

Basically, the version of gosu that is being used is installing a version of golang that had numerous CVEs attached...

Is that something this repository is concerned with, or who should I bother about it? 😉

LaurentGoderre commented 5 months ago

Basically, these are false positives: https://github.com/tianon/gosu/blob/master/SECURITY.md

Those CVEs are part of the Golang library, but the Go compiler only includes the parts of the library that are used.
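One defender-side triage check for a report like the one above, added here as an example (not code from the gosu or postgres image projects): it reads the toolchain version a scanner sees in a Go binary via debug/buildinfo and compares it against the FIXED VERSIONS column. The binary path and the fixed-version list are assumptions taken from the table; the check says nothing about whether the affected standard-library packages are linked into the binary at all, which is the point the linked SECURITY.md makes.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"strconv"
	"strings"
)

// parseGoVersion accepts "go1.18.2" (as embedded in a binary) or "1.19.10" (as
// printed in the scanner's FIXED VERSIONS column) and returns [major, minor, patch].
func parseGoVersion(v string) (out [3]int, err error) {
	for i, p := range strings.SplitN(strings.TrimPrefix(v, "go"), ".", 3) {
		if out[i], err = strconv.Atoi(p); err != nil {
			return out, fmt.Errorf("unrecognised Go version %q", v)
		}
	}
	return out, nil
}

// ToolchainPatched reports whether a binary built with goVersion already carries the
// standard-library fix: same minor line as a fixed version at or past its patch level,
// or newer than every fixed line. "fixed" is the scanner's FIXED VERSIONS list.
func ToolchainPatched(goVersion string, fixed []string) (bool, error) {
	v, err := parseGoVersion(goVersion)
	if err != nil {
		return false, err
	}
	beyondAll := true
	for _, fs := range fixed {
		f, err := parseGoVersion(fs)
		if err != nil {
			return false, err
		}
		if v[0] == f[0] && v[1] == f[1] { // same release line: compare patch level
			return v[2] >= f[2], nil
		}
		beyondAll = beyondAll && (v[0] > f[0] || (v[0] == f[0] && v[1] > f[1]))
	}
	return beyondAll, nil
}

// BinaryGoVersion reads the toolchain version recorded in a Go binary (assumed path,
// e.g. the gosu inside the image); this is the "1.18.2" the scanner reports.
func BinaryGoVersion(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return bi.GoVersion, nil
}
```

A "not patched" result only means the toolchain predates the fix; confirming that a flagged package such as html/template is actually linked requires a call-graph-aware tool like govulncheck, as the SECURITY.md recommends.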

eldamir commented 5 months ago

Ah, sorry, seems I jumped into a well-documented problem... Sorry I didn't find the SECURITY.md you linked to... I suppose this issue will just point there from now on... thanks for your feedback

LaurentGoderre commented 5 months ago

@eldamir thank you for raising the issue, it's always nice to have support from the community!