security issues with stdlib

Question

security issues with stdlib

Closed this issue 4 months ago · 2 comments

I just installed the latest harbor registry today with (2.11.0 rc2) in order to test the SBOM feature. I noticed that trivy is reporting much more vulnerabilites (v0.51.2) than on our regular registry (v0.50.1). Acutally i dont understand why there is a diff.

But all these cves are related to the package 'stdlib' that seems to be really there according sbom (related to GOSU). It this really an issue?

the cves are shown on all the latest jammy based images, 5.0.26, 6.0.15, 7.0.11, 8.0.0-rc6

Answer 1 · 2024-06-05T12:49:55.000Z

The CVEs associated with gosu are false positives. See https://github.com/tianon/gosu/blob/master/SECURITY.md . https://github.com/docker-library/faq?tab=readme-ov-file#why-does-my-security-scanner-show-that-an-image-has-cves may also be helpful.

Answer 2 · 2024-06-05T13:19:00.000Z

thx for clarification....