docker-library/mongo

Docker Image vulnerabilities being reported

vsur06 opened this issue · 1 comment

vsur06 commented

I am using mongo 4.4.19, and see some vulnerabilities cropping up during an image scan. Upgrading to 4.4.20 doesn't remove these vulnerabilities. Can you please let me know when we expect to have a fix for the GHSA-g2j6-57v7-gm8c and GHSA-m8cg-xc2p-r3fc issues?

CVE-2023-28642, CVE-2023-25809: Since these are both likely being detected because of gosu, I will point you to https://github.com/tianon/gosu/blob/6a1967c98c3d1854dd29f32433f1e0c59b244c5f/SECURITY.md (and this issue leading up to that policy: tianon/gosu#104).

This project does not rebuild/release to "fix" CVEs which do not apply to actual builds of gosu.

So, unless those CVEs appear when running govulncheck, the gosu binary will not be updated to a newer dependency just to satisfy a scanner.

$ docker run -it --rm golang bash
root@e36259565d3f:/go# go install golang.org/x/vuln/cmd/govulncheck@latest
...
root@e36259565d3f:/go# export GOSU_VERSION=1.16
root@e36259565d3f:/go# export dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"
root@e36259565d3f:/go# wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"
...
root@e36259565d3f:/go# govulncheck --mode=binary /usr/local/bin/gosu
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Using govulncheck@v0.0.0 with
vulnerability data from https://vuln.go.dev (last modified 2023-04-12 21:45:55 +0000 UTC).

Scanning your binary for known vulnerabilities...
No vulnerabilities found.
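As an added example (not code from this thread, from gosu or from the mongo image), here is a small Python reader for the stream that `govulncheck -mode=binary -json <binary>` writes, which maps a scanner's CVE/GHSA id onto govulncheck's finding for that binary. It assumes the v1.x JSON message format (the session above used the older v0.0.0 tool) and reads a finding whose trace names a function as "vulnerable symbol linked into the binary" and a module-only trace as "module present, symbol not linked"; the GO/CVE/GHSA ids in the embedded sample are constructed.

```python
import json

# Constructed sample of the stream `govulncheck -mode=binary -json <binary>` writes
# (v1.x message format, assumed; objects may be pretty-printed, so the reader
# below does not assume one object per line). GO-EXAMPLE-0001 has its vulnerable
# function linked into the binary; GO-EXAMPLE-0002 only has the affected module.
SAMPLE_STREAM = """
{"config": {"protocol_version": "v1.0.0", "scan_mode": "binary"}}
{"osv": {"id": "GO-EXAMPLE-0001", "aliases": ["CVE-0000-0001", "GHSA-xxxx-xxxx-xxx1"]}}
{"osv": {"id": "GO-EXAMPLE-0002", "aliases": ["CVE-0000-0002"]}}
{"finding": {"osv": "GO-EXAMPLE-0001", "fixed_version": "v1.20.3",
             "trace": [{"module": "stdlib", "version": "v1.20.2",
                        "package": "net/http", "function": "Serve"}]}}
{"finding": {"osv": "GO-EXAMPLE-0002", "fixed_version": "v1.20.3",
             "trace": [{"module": "stdlib", "version": "v1.20.2"}]}}
"""

def iter_messages(text):
    """Yield each top-level JSON object from a concatenated-object stream."""
    decoder, pos = json.JSONDecoder(), 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        obj, pos = decoder.raw_decode(text, pos)
        yield obj

def parse_stream(text):
    """Index alias -> GO id, and GO id -> findings reported for this binary."""
    aliases, findings = {}, {}
    for msg in iter_messages(text):
        if "osv" in msg:
            entry = msg["osv"]
            for alias in [entry["id"], *entry.get("aliases", [])]:
                aliases[alias.upper()] = entry["id"]
        elif "finding" in msg:
            findings.setdefault(msg["finding"]["osv"], []).append(msg["finding"])
    return aliases, findings

def classify(ident, aliases, findings):
    """Map a scanner's CVE/GHSA/GO id to govulncheck's verdict for the binary."""
    go_id = aliases.get(ident.upper())
    if go_id is None:
        return "not in govulncheck database"
    traces = findings.get(go_id, [])
    if any(frame.get("function") for f in traces for frame in f["trace"]):
        return "vulnerable symbol linked into binary"
    if traces:
        return "affected module present, vulnerable symbol not linked"
    return "not affected"
```

Feed it the stdout of `govulncheck -mode=binary -json /usr/local/bin/gosu` instead of SAMPLE_STREAM to answer the question a scanner report raises: whether the flagged CVE is one govulncheck actually finds in the shipped binary.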