redis / docker-library-redis

Docker Official Image packaging for Redis

Home Page:http://redis.io


Security vulnerabilities [fedramp] related to redis 7

jaawasth opened this issue · comments

Hello,

We are seeing the following vulnerabilities reported by the fedramp scanner, and would like to know when we can get a fix for those?

| Package | Installed_Version | Required_Version | Language | Install_Path |
|---|---|---|---|---|
| github.com/opencontainers/runc | v1.1.0 | 1.1.2 | Go | usr/local/bin/gosu |

Hash of the image:

redis-7@sha256:e1294189c373797fe83307ab82fec233411bb035e1bb75f0dd8946dd08346295

Since this is specifically gosu related, see https://github.com/tianon/gosu/blob/master/SECURITY.md

(If you run govulncheck on the gosu binary, you'll likely see that the reported vulnerabilities don't apply to the built binary, and should be reported to the maintainers/vendor of the fedramp scanner as false positives.)

I'm not sure what sha256:e1294189c373797fe83307ab82fec233411bb035e1bb75f0dd8946dd08346295 is -- it doesn't correspond to any manifest list, image manifest, config blob, or even layer blob that we've ever published. 😕
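The verification step suggested in the reply above, scripted as an added example (not part of this thread, and not code from the gosu or redis projects): copy gosu out of the image, read the Go module list embedded in the binary, and run govulncheck in binary mode so that only vulnerable functions actually linked into gosu are reported. It assumes docker, go and govulncheck are on PATH; the required version 1.1.2 and the install path come from the scanner table in the issue.

```shell
# Added example: does the scanner's runc finding against gosu really apply?
# Assumes docker, go and govulncheck are on PATH (constructed, not project code).
set -eu
GOSU_PATH=/usr/local/bin/gosu   # install path reported by the scanner
REQUIRED_RUNC=1.1.2             # "Required_Version" from the scanner table

# Copy gosu out of the image without starting a container.
extract_gosu() {
  cid=$(docker create "$1")
  docker cp "$cid:$GOSU_PATH" "$2"
  docker rm "$cid" >/dev/null
}

# Read `go version -m` output on stdin and print the recorded version of module
# $1 ("dep <module> <version> <hash>" lines), or nothing if it is not embedded.
dep_version_from_modinfo() {
  awk -v m="$1" '$1 == "dep" && $2 == m { print $3; exit }'
}

# Succeeds when version $1 is numerically lower than $2; a leading "v" is
# ignored, the kind of format mismatch that trips naive scanner comparisons.
version_lt() {
  awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i in x) ? x[i] + 0 : 0; yi = (i in y) ? y[i] + 0 : 0
      if (xi < yi) exit 0; if (xi > yi) exit 1
    }
    exit 1
  }'
}

check_image() {
  bin=$(mktemp)
  extract_gosu "$1" "$bin"
  runc=$(go version -m "$bin" | dep_version_from_modinfo github.com/opencontainers/runc)
  if [ -z "$runc" ]; then
    echo "gosu in $1 does not embed runc (gosu >= 1.17 uses github.com/moby/sys/user)"
  elif version_lt "$runc" "$REQUIRED_RUNC"; then
    echo "gosu embeds runc $runc (< $REQUIRED_RUNC); checking which advisories are reachable"
  fi
  # Binary mode looks at the linked symbols, so only vulnerable functions that
  # were actually compiled into gosu are reported; a clean run is the evidence
  # to hand back to the scanner vendor as a false positive.
  govulncheck -mode=binary "$bin"
  rm -f "$bin"
}

# Usage: sh gosu-check.sh check redis:7
case "${1:-}" in check) check_image "$2" ;; esac
```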

@tianon docker hub analysis is also complaining about the runc version here. This is along with other critical and high warnings.

The only runc in this image is the library embedded in gosu (of which no vulnerable code is actually invoked / included / compiled).

Additionally, we've since updated to gosu version 1.17 which switches from the runc library to the now-shared github.com/moby/sys/user (since runc wasn't actually using this functionality, so it was an odd place for that code to still live), which should help with the false positives in security scanning tools.