docker-library/postgres

Use of GOSU introduces critical CVEs

matt-gribben opened this issue · 2 comments

The use of GOSU introduces critical vulnerabilities that mean this image can't be used in many production environments. The cause is that the current release of GOSU uses Go 1.18.2, and these issues were fixed in 1.19.9.

Two of these are 9.8s
[CVE-2023-24540]
[CVE-2023-24538]

This version also causes alerts for another 29 High vulnerabilities in tools like docker scout etc.

gosu is not vulnerable to those CVEs: https://github.com/tianon/gosu/blob/master/SECURITY.md. See also tianon/gosu#136 (comment). TLDR: the industry can and should do better than just spout out perceived CVEs and instead use the available data to see whether they are applicable or not (like govulncheck).
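As an added illustration of the "use the available data" point (this is not code from the gosu or postgres projects): the script below triages the JSON stream that `govulncheck -mode=binary -json` emits for a binary, separating version-level matches (the Go toolchain is affected, but no vulnerable symbol is reached) from findings where the vulnerable function is actually called. The JSON shape, the advisory ids and the versions are assumptions and placeholders, not real findings.

```python
import json
from typing import Dict, Iterator, List

# Constructed sample in the shape of `govulncheck -mode=binary -json ./gosu`
# output (assumed shape; ids, aliases and versions are placeholders). Each
# "osv" entry describes an advisory; each "finding" carries a trace. A trace
# frame naming a "function" means the vulnerable symbol is reachable from
# the binary; a frame with only "module" (and maybe "package") is a
# version- or import-level match only.
SAMPLE_OUTPUT = """
{"osv": {"id": "GO-0000-0001", "aliases": ["CVE-0000-0001"]}}
{"osv": {"id": "GO-0000-0002", "aliases": ["CVE-0000-0002"]}}
{"finding": {"osv": "GO-0000-0001", "fixed_version": "go1.19.9",
             "trace": [{"module": "stdlib", "version": "go1.18.2"}]}}
{"finding": {"osv": "GO-0000-0002", "fixed_version": "go1.19.9",
             "trace": [{"module": "stdlib", "version": "go1.18.2",
                        "package": "net/http", "function": "Serve"}]}}
"""

RANK = {"module": 0, "package": 1, "function": 2}


def iter_objects(stream: str) -> Iterator[dict]:
    """Yield each top-level JSON object from a concatenated (pretty or compact) stream."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        while pos < len(stream) and stream[pos].isspace():
            pos += 1
        if pos >= len(stream):
            return
        obj, pos = decoder.raw_decode(stream, pos)
        yield obj


def triage(stream: str) -> Dict[str, str]:
    """Map each advisory (CVE alias preferred) to its strongest evidence level."""
    names: Dict[str, str] = {}   # GO id -> CVE alias; "osv" entries precede findings
    levels: Dict[str, str] = {}
    for obj in iter_objects(stream):
        if "osv" in obj:
            osv = obj["osv"]
            cves = [a for a in osv.get("aliases", []) if a.startswith("CVE-")]
            names[osv["id"]] = cves[0] if cves else osv["id"]
        elif "finding" in obj:
            finding = obj["finding"]
            level = "module"
            for frame in finding.get("trace", []):
                if "function" in frame:
                    level = "function"
                elif "package" in frame and level == "module":
                    level = "package"
            key = names.get(finding["osv"], finding["osv"])
            if RANK[level] >= RANK.get(levels.get(key), -1):
                levels[key] = level
    return levels


def reachable(stream: str) -> List[str]:
    """Advisories whose vulnerable symbol is actually called: the ones worth acting on."""
    return sorted(k for k, v in triage(stream).items() if v == "function")
```

In the constructed sample only CVE-0000-0002 is reachable; CVE-0000-0001 is the kind of toolchain-version match that a scanner reports but govulncheck's call-graph data rules out.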

@yosifkit I'm aware that it isn't actually vulnerable to those CVEs but that doesn't change the fact I can't deploy something that's being flagged for critical CVEs. Yes the industry should do better, but the right here and now means this is an issue. IMO