Alpine image vulnerability scan regression

Question

Alpine image vulnerability scan regression

dpodder opened this issue 2 years ago · 6 comments

Possibly as a result of #389, the latest Alpine image tags light up significantly worse than earlier tags when scanned for vulnerabilities. Part of the reason our organization prefers Alpine based images is for its minimal attack surface; the apparent regression is increasing friction for us to adopt the newer builds.

Are additional components really needed in the redis Alpine image? If not, can they be removed again to clean up the scan results?

See for example: https://hub.docker.com/_/redis/tags?page=1&name=7.2.3-alpine3

Answer 1 · 2023-12-21T15:15:32.000Z

These are false positive. https://github.com/tianon/gosu/blob/master/SECURITY.md

Answer 2 · 2024-04-25T18:06:34.000Z

The vulnerabilities are not related to "gosu". It appears to be an outdated stdlib dependency. This is also a problem for me as we block any images with critical vulnerabilities.

Answer 3 · 2024-04-25T18:30:32.000Z

Stdlib is the Golang standard library which gosu used. However, the go compiler only uses what the source code uses so the vulnerable part of the library is not used in the end binary which makes it a false positive.

Answer 4 · 2024-04-25T18:35:25.000Z

ahh I just discovered that. Unfortunately that will not satisfy the powers that be on my end. I can't even pull that image as a base to try and update that library to the suggested version.

Answer 5 · 2024-04-25T18:43:27.000Z

Seems like I'm able to pull redis:7.2.3-alpine3.18 which is much newer than what I had. At least it hasnt been blocked yet...

Answer 6 · 2025-03-26T14:49:50.000Z

This will be resolved in an upcoming release. Please track this from #424