docker-library / postgres

Docker Official Image packaging for Postgres

Home Page:http://www.postgresql.org

Multiple CVEs flagged by JFrog for postgres:14

eldamir opened this issue · comments

I'm shopping around different images for Postgres 14 to see if there is one that doesn't make JFrog panic, but so far, I've had no luck...

Building on postgres:14, I get this:

Vulnerable Components
┌────────────┬──────────────────────────────────┬─────────┬──────────────────────────────────┬─────────────────────────┬────────────────────┬────────┬──────────────────┐
│ SEVERITY   │ DIRECT                           │ DIRECT  │ IMPACTED                         │ IMPACTED                │ FIXED              │ TYPE   │ CVE              │
│            │ PACKAGE                          │ PACKAGE │ PACKAGE                          │ PACKAGE                 │ VERSIONS           │        │                  │
│            │                                  │ VERSION │ NAME                             │ VERSION                 │                    │        │                  │
├────────────┼──────────────────────────────────┼─────────┼──────────────────────────────────┼─────────────────────────┼────────────────────┼────────┼──────────────────┤
│ 💀Critical │ sha256__123904d2d76a7dbec0fef121 │         │ github.com/golang/go             │ 1.18.2                  │ [1.19.10]          │ Go     │ CVE-2023-29404   │
│            │ 90f800f6e0f11fdd9ee64ba66aa368d2 │         │                                  │                         │ [1.20.5]           │        │                  │
│            │ c544122a.tar                     │         │                                  │                         │                    │        │                  │
│            │                                  │         │                                  │                         │                    │        │                  │
├────────────┼──────────────────────────────────┼─────────┼──────────────────────────────────┼─────────────────────────┼────────────────────┼────────┼──────────────────┤
│ 💀Critical │ sha256__123904d2d76a7dbec0fef121 │         │ github.com/golang/go             │ 1.18.2                  │ [1.19.10]          │ Go     │ CVE-2023-29402   │
│            │ 90f800f6e0f11fdd9ee64ba66aa368d2 │         │                                  │                         │ [1.20.5]           │        │                  │
│            │ c544122a.tar                     │         │                                  │                         │                    │        │                  │
│            │                                  │         │                                  │                         │                    │        │                  │
├────────────┼──────────────────────────────────┼─────────┼──────────────────────────────────┼─────────────────────────┼────────────────────┼────────┼──────────────────┤
│ 💀Critical │ sha256__123904d2d76a7dbec0fef121 │         │ github.com/golang/go             │ 1.18.2                  │ [1.19.9]           │ Go     │ CVE-2023-24540   │
│            │ 90f800f6e0f11fdd9ee64ba66aa368d2 │         │                                  │                         │ [1.20.4]           │        │                  │
│            │ c544122a.tar                     │         │                                  │                         │                    │        │                  │
│            │                                  │         │                                  │                         │                    │        │                  │
├────────────┼──────────────────────────────────┼─────────┼──────────────────────────────────┼─────────────────────────┼────────────────────┼────────┼──────────────────┤
│ 💀Critical │ sha256__123904d2d76a7dbec0fef121 │         │ github.com/golang/go             │ 1.18.2                  │ [1.19.10]          │ Go     │ CVE-2023-29405   │
│            │ 90f800f6e0f11fdd9ee64ba66aa368d2 │         │                                  │                         │ [1.20.5]           │        │                  │
│            │ c544122a.tar                     │         │                                  │                         │                    │        │                  │
│            │                                  │         │                                  │                         │                    │        │                  │
├────────────┼──────────────────────────────────┼─────────┼──────────────────────────────────┼─────────────────────────┼────────────────────┼────────┼──────────────────┤
│ 💀Critical │ sha256__123904d2d76a7dbec0fef121 │         │ github.com/golang/go             │ 1.18.2                  │ [1.19.8]           │ Go     │ CVE-2023-24538   │
│            │ 90f800f6e0f11fdd9ee64ba66aa368d2 │         │                                  │                         │ [1.20.3]           │        │                  │
│            │ c544122a.tar                     │         │                                  │                         │                    │        │                  │
│            │                                  │         │                                  │                         │                    │        │                  │
├────────────┼──────────────────────────────────┼─────────┼──────────────────────────────────┼─────────────────────────┼────────────────────┼────────┼──────────────────┤
│ 💀Critical │ sha256__a483da8ab3e941547542718c │         │ debian:bookworm:zlib1g:1         │ 1.2.13.dfsg-1           │                    │ Debian │ CVE-2023-45853   │
│            │ acd3258c6c705a63e94183c837c9bc44 │         │                                  │                         │                    │        │                  │
│            │ eb608999.tar                     │         │                                  │                         │                    │        │                  │
│            │                                  │         │                                  │                         │                    │        │                  │
├────────────┼──────────────────────────────────┼─────────┼──────────────────────────────────┼─────────────────────────┼────────────────────┼────────┼──────────────────┤
│ 💀Critical │ sha256__f12e2203a1b6a1977d7b9eaa │         │ debian:bookworm:libaom3          │ 3.6.0-1                 │                    │ Debian │ CVE-2023-6879    │
│            │ 65a131afa30362d6701893968b5ee186 │         │                                  │                         │                    │        │                  │
│            │ 07d25cbd.tar                     │         │                                  │                         │                    │        │                  │
│            │                                  │         │                                  │                         │                    │        │                  │

Basically, the version of gosu that is being used is installing a version of golang that had numerous CVEs attached...

Is that something this repository is concerned with, or who should I bother about it? 😉

Basically, these are false positives: https://github.com/tianon/gosu/blob/master/SECURITY.md

Those CVEs are part of the Golang library, but the Go compiler only includes the parts of the library that are used.
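The maintainer's point, as an added Go example that is not part of this issue or of the gosu project: a scanner reads the Go version embedded in the gosu binary and compares it with the fixed versions in its advisory data (1.19.10 and 1.20.5 in the CVE-2023-29404 row above), and that version test alone cannot see whether the flagged standard-library code is linked in at all, which is what `govulncheck -mode=binary` checks. The path `/usr/local/bin/gosu` and the one-fix-per-minor-line rule in `toolchainFixed` are assumptions of this example.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// binaryGoVersion reads the build info every Go binary embeds (the same data
// `go version -m <file>` prints); this is where the scanner gets "1.18.2".
func binaryGoVersion(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return bi.GoVersion, nil
}

// parseGoVersion turns "go1.18.2" or "1.19.10" into [major, minor, patch].
func parseGoVersion(v string) (out [3]int, err error) {
	for i, p := range strings.SplitN(strings.TrimPrefix(v, "go"), ".", 3) {
		if out[i], err = strconv.Atoi(p); err != nil {
			return out, fmt.Errorf("unrecognised Go version %q", v)
		}
	}
	return out, nil
}

// toolchainFixed is the version-only test the scanner applies (Go 1.x, one fix per
// minor line assumed); unlike `govulncheck -mode=binary`, it cannot see what is linked in.
func toolchainFixed(have [3]int, fixes [][3]int) bool {
	aboveAll := len(fixes) > 0 // nothing is fixed when no fix is published
	for _, fix := range fixes {
		if have[0] == fix[0] && have[1] == fix[1] {
			return have[2] >= fix[2] // same minor line: compare patch level
		}
		aboveAll = aboveAll && have[1] > fix[1] // else must be past every fix line
	}
	return aboveAll
}

func main() {
	v, err := binaryGoVersion(os.Args[1]) // e.g. /usr/local/bin/gosu from the image (assumed path)
	if err != nil {
		panic(err)
	}
	fmt.Println("built with", v)
}
```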

Ah, sorry, it seems I jumped into a well-documented problem... Sorry I didn't find the SECURITY.md you linked to... I suppose this issue will just point there from now on... Thanks for your feedback.

@eldamir, thank you for raising the issue; it's always nice to have support from the community!