Closed valentin-nasta closed 8 months ago
Dear @valentin-nasta ,
Thank you for reaching out. Unfortunately, we are unable to address similar reports and issues without specific suggestions. However, we are open to concrete suggestions related to security.
Upon examining the information provided on https://security-tracker.debian.org/tracker/CVE-2023-5363 , it appears that only the "bookworm" version is affected by the DSA-5532-1 issue, not "bullseye". Currently, our image is based solely on "bullseye" and is very simple, as shown here: https://github.com/postgis/docker-postgis/blob/master/15-3.4/Dockerfile. Therefore, I believe this to be a false positive result, which we cannot act upon.
Please read more:
I tested with the following command: trivy image --ignore-unfixed postgis/postgis:15-3.4
The scan results showed no vulnerabilities (Total: 0 for all severity levels) for the postgis/postgis:15-3.4 (Debian 11.9).
$ trivy image --ignore-unfixed postgis/postgis:15-3.4
2024-03-15T17:40:39.291+0100 INFO Vulnerability scanning is enabled
2024-03-15T17:40:39.291+0100 INFO Secret scanning is enabled
2024-03-15T17:40:39.291+0100 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-03-15T17:40:39.291+0100 INFO Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-03-15T17:40:39.330+0100 INFO Detected OS: debian
2024-03-15T17:40:39.330+0100 INFO Detecting Debian vulnerabilities...
2024-03-15T17:40:39.357+0100 INFO Number of language-specific files: 1
2024-03-15T17:40:39.357+0100 INFO Detecting gobinary vulnerabilities...
postgis/postgis:15-3.4 (debian 11.9)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
If you agree that the result on https://osv.dev/vulnerability/DSA-5532-1 is a false positive, please report this feedback on the security scanner’s website you used, in hopes that the issue might be corrected.
Unfortunately, false positive CVE issues are quite common, as evidenced by:
If the Debian-based image does not meet requirements, it might be worthwhile to consider trying out the Alpine-based Docker images, e.g. postgis/postgis:15-3.4-alpine
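The reasoning in the reply above (the DSA is for bookworm, the image is bullseye, so check the tracker for the release you actually ship) can be turned into a small offline triage script. The following is an added example, not code from this thread or from the docker-postgis project. It assumes the layout of the Debian security tracker's JSON export (package -> CVE -> releases -> codename, with `"fixed_version": "0"` marking a release as not affected), which I am reproducing from memory; the tracker data, the os-release file and the installed package versions embedded below are constructed samples, not fetched from a real image.

```python
"""Added example: triage a scanner finding per Debian release.

A DSA issued for bookworm says nothing about a bullseye-based image, so the
check is: (1) read the image's release from /etc/os-release, (2) look the CVE
up in the Debian security tracker for *that* release, (3) only if the tracker
lists a fixed version, compare it with the installed package using dpkg's
version ordering.  Field names follow the tracker's JSON export
(https://security-tracker.debian.org/tracker/data/json) as I understand it;
all sample data below is constructed, not fetched.
"""
import json

# Constructed sample shaped like the tracker export: package -> CVE -> releases.
# "fixed_version": "0" with status "resolved" is (as far as I know) how the
# export marks a release as not affected.
SAMPLE_TRACKER = json.loads("""{
  "openssl": {
    "CVE-2023-5363": {
      "scope": "remote",
      "releases": {
        "bookworm": {"status": "resolved", "fixed_version": "3.0.11-1~deb12u2"},
        "bullseye": {"status": "resolved", "fixed_version": "0"}
      }
    }
  }
}""")

# Constructed /etc/os-release as found in a Debian 11 based image.
SAMPLE_OS_RELEASE = '''PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION_CODENAME=bullseye
ID=debian
'''


def parse_os_release(text):
    """Parse KEY=value lines of os-release(5); strip surrounding quotes."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            info[key] = value.strip().strip('"')
    return info


def _order(c):
    """dpkg's character weight: '~' sorts before everything, even end of string."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): alternate non-digit and numeric segments."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":   # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():   # longer number wins
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def dpkg_compare(v1, v2):
    """Compare two Debian versions (epoch:upstream-revision); return -1, 0 or 1."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision

    a, b = split(v1), split(v2)
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    for x, y in zip(a[1:], b[1:]):
        c = _verrevcmp(x, y)
        if c:
            return 1 if c > 0 else -1
    return 0


def triage(tracker, cve_id, release, installed):
    """Verdict per source package for one CVE on one release.

    installed maps source package name -> version, e.g. collected in the image
    with: dpkg-query -W -f '${source:Package} ${Version}\\n'
    An empty result means the tracker has no entry for that CVE and release.
    """
    verdicts = {}
    for package, cves in tracker.items():
        rel = cves.get(cve_id, {}).get("releases", {}).get(release)
        if rel is None:
            continue
        fixed = rel.get("fixed_version")
        if rel.get("status") != "resolved":
            verdicts[package] = "open"
        elif fixed == "0":
            verdicts[package] = "not-affected"
        elif package not in installed:
            verdicts[package] = "not-installed"
        elif dpkg_compare(installed[package], fixed) >= 0:
            verdicts[package] = "fixed"
        else:
            verdicts[package] = "vulnerable"
    return verdicts


if __name__ == "__main__":
    release = parse_os_release(SAMPLE_OS_RELEASE)["VERSION_CODENAME"]
    installed = {"openssl": "1.1.1w-0+deb11u1"}  # constructed dpkg-query result
    print(release, triage(SAMPLE_TRACKER, "CVE-2023-5363", release, installed))
```

Run against the constructed bullseye data this reports `not-affected`, which is the outcome the reply above reached by hand; the same code on a bookworm image would compare the installed openssl against the DSA's fixed version instead. For real use, replace the embedded sample with the tracker's JSON download and the container's own `/etc/os-release` and `dpkg-query` output.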
@ImreSamu thank you for the quick reply! Indeed, it looks like a false positive to me as well after checking the link you provided - https://security-tracker.debian.org/tracker/CVE-2023-5363
I will check with security admins of the website this was reported and keep this issue updated.
I learned quite a few tips from your detailed reply. 👍 That is indeed a false positive, therefore I'll close this issue. ℹ️
https://osv.dev/vulnerability/DSA-5532-1