-
Notifications
You must be signed in to change notification settings - Fork 1.2k
Description
trivy image --scanners vuln
shows that we'll get rid of the following CVE's
usr/local/bin/gosu (gobinary)
Total: 58 (UNKNOWN: 0, LOW: 1, MEDIUM: 23, HIGH: 31, CRITICAL: 3)
gosu security policy https://github.com/tianon/gosu/blob/master/SECURITY.md says they don't update golang for CVE's
So gosu is build with a unsupported version of go (1.20)
The two support go versions that have the most CVE's resolved are 1.23.6 and 1.24.0
I felt using 1.23.6 was a safer upgrade.
Your own documents talk about gosu, and I believe gosu hase a fundamental misunderstanding about what a vulnerability free govulncheck means. I understand it to mean that you don't have any external dependencies with vulnerabilities, not that you shouldn't update compiler versions. They are 2 different things.
This PR removes the CVE caused by gosu by doing a custom build of gosu with a currently supported go version.
And copies it into the final image.
Thanks for your consideration
Activity
tianon commentedon Feb 25, 2025
The CVEs in question specify a particular bit of code which has a defect (some of which exhibit as a "vulnerability", in that they're exploitable). The
govulncheck
tool works by checking whether or not the code in the binary or codebase being tested actually ever invokes those code paths. When coupled with the feature of the compiler where it trims out code that isn't invoked, the binary literally does not contain the "vulnerable" code.