tianon / gosu

Simple Go-based setuid+setgid+setgroups+exec
Apache License 2.0

Runc version update timeline #124

Closed vsur06 closed 1 year ago

vsur06 commented 1 year ago

Hi, is there a timeline for the next updated version of gosu with runc version 1.1.5? There are two CVEs reported in runc, GHSA-g2j6-57v7-gm8c and GHSA-m8cg-xc2p-r3fc, which have been fixed with version 1.1.5.

yosifkit commented 1 year ago

gosu does not use any of the vulnerable code paths from runc (you can verify by running govulncheck). So any scanner that flags gosu with those CVEs is a false positive; they need to be doing what govulncheck does to verify that it is a true vulnerability.

See also https://github.com/tianon/gosu/blob/bf158f3b52664ba62de0b561a2bff706fa0e9daf/SECURITY.md#cves