Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Official recommandation to skip "gosu" vulnerabilities #18197

Open
nicolas-albert opened this issue Jan 7, 2025 · 1 comment
Open

Official recommandation to skip "gosu" vulnerabilities #18197

nicolas-albert opened this issue Jan 7, 2025 · 1 comment

Comments

@nicolas-albert
Copy link
Contributor

Hi,
I know it was debated elsewhere but if I use gosu this is because it was recommended here and works fine for years.
But since weeks, build report 56 vulnerabilities from gosu without any change from us.
Previously installed by apt-get, I also try by following the official gosu installation guide to use the released build from its repository.
I saw we could build it with a newer go version but is it the real recommandation of docker-library/official-images?
What guide I have to follow to perform this?
I just want to follow the official recommandation about building an official image (without crit vulnerabilities, even they are fake).

PS: here our internal issue convertigo/convertigo#876

@tianon
Copy link
Member

tianon commented Jan 7, 2025

We're exploring things like VEX statements for official images, but you're correct that they're not currently supported. Ideally tools would be using govulncheck to filter these automatically, and I think the Scout team is working on such functionality, but I'm not certain.

Our advice is currently to point to /~https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves, but we recognize that isn't ideal and are discussing alternatives internally.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants