security issues with stdlib
Closed this issue · 2 comments
I just installed the latest Harbor registry today (2.11.0 rc2) in order to test the SBOM feature. I noticed that Trivy is reporting many more vulnerabilities (v0.51.2) than on our regular registry (v0.50.1). Actually I don't understand why there is a difference.
But all these CVEs are related to the package 'stdlib', which really seems to be there according to the SBOM (related to gosu). Is this really an issue?
The CVEs are shown on all the latest jammy-based images: 5.0.26, 6.0.15, 7.0.11, 8.0.0-rc6.
The CVEs associated with gosu are false positives. See https://github.com/tianon/gosu/blob/master/SECURITY.md . https://github.com/docker-library/faq?tab=readme-ov-file#why-does-my-security-scanner-show-that-an-image-has-cves may also be helpful.
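As an added example (not code from this thread, nor from the gosu, Harbor or Trivy projects): a small Python triage script that reads a Trivy JSON report and attributes every `stdlib` finding to the Go binary it was detected in, so you can confirm that the reported CVEs trace back to the Go runtime compiled into gosu rather than to an OS package. The report shape used (`Results`, `Type`, `Target`, `Vulnerabilities`, `PkgName`, `InstalledVersion`) follows Trivy's `-f json` output as I know it; the sample report, image name and CVE IDs below are constructed placeholders.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of a Trivy JSON report (`trivy image -f json ...`).
# Only the fields this script reads are included; the CVE IDs are placeholders.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example/image:tag",
    "Results": [
        {
            "Target": "example/image:tag (ubuntu 22.04)",
            "Class": "os-pkgs",
            "Type": "ubuntu",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0"},
            ],
        },
        {
            # A statically linked Go binary; Trivy reports the Go toolchain it was
            # built with as the package "stdlib" with the Go version as its version.
            "Target": "usr/local/bin/gosu",
            "Class": "lang-pkgs",
            "Type": "gobinary",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "stdlib",
                 "InstalledVersion": "1.18.2"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "stdlib",
                 "InstalledVersion": "1.18.2"},
            ],
        },
    ],
})


def stdlib_findings_by_binary(report_json):
    """Map each Go binary in the report to the Go version Trivy detected and the
    sorted list of stdlib CVE IDs it attributed to that binary.

    OS-package results and non-stdlib Go findings are deliberately left out, so
    the output shows exactly which binaries are responsible for stdlib noise."""
    report = json.loads(report_json)
    grouped = defaultdict(lambda: {"go_version": None, "cves": set()})
    for result in report.get("Results", []):
        if result.get("Type") != "gobinary":
            continue
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("PkgName") != "stdlib":
                continue
            entry = grouped[result["Target"]]
            entry["go_version"] = vuln.get("InstalledVersion")
            entry["cves"].add(vuln["VulnerabilityID"])
    return {t: {"go_version": e["go_version"], "cves": sorted(e["cves"])}
            for t, e in grouped.items()}


if __name__ == "__main__":
    for target, info in stdlib_findings_by_binary(SAMPLE_REPORT).items():
        print(f"{target} (Go {info['go_version']}): {', '.join(info['cves'])}")
```

Run it against a real report with `trivy image -f json -o report.json <image>` and pass the file contents to `stdlib_findings_by_binary`; every binary listed is a candidate for a rebuild with a newer Go toolchain rather than an OS package update.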
Thanks for the clarification.