LaurentGoderre
commented
6 months ago These are false positive. https://github.com/tianon/gosu/blob/master/SECURITY.md
Open dpodder opened 6 months ago
LaurentGoderre
commented
6 months ago These are false positive. https://github.com/tianon/gosu/blob/master/SECURITY.md
bgrimm1
commented
2 months ago The vulnerabilities are not related to "gosu". It appears to be an outdated stdlib dependency. This is also a problem for me as we block any images with critical vulnerabilities.
LaurentGoderre
commented
2 months ago Stdlib is the Golang standard library which gosu used. However, the go compiler only uses what the source code uses so the vulnerable part of the library is not used in the end binary which makes it a false positive.
bgrimm1
commented
2 months ago ahh I just discovered that. Unfortunately that will not satisfy the powers that be on my end. I can't even pull that image as a base to try and update that library to the suggested version.
bgrimm1
commented
2 months ago Seems like I'm able to pull redis:7.2.3-alpine3.18 which is much newer than what I had. At least it hasnt been blocked yet...
Possibly as a result of #389, the latest Alpine image tags light up significantly worse than earlier tags when scanned for vulnerabilities. Part of the reason our organization prefers Alpine based images is for its minimal attack surface; the apparent regression is increasing friction for us to adopt the newer builds.
Are additional components really needed in the redis Alpine image? If not, can they be removed again to clean up the scan results?
See for example: https://hub.docker.com/_/redis/tags?page=1&name=7.2.3-alpine3