Security vulnerabilities [fedramp] related to redis 7
jaawasth opened this issue · comments
Hello,
We are seeing the following vulnerabilities reported by the fedramp scanner; we would like to know when we can get a fix for those?

| Package | Installed_Version | Required_Version | Language | Install_Path |
| --- | --- | --- | --- | --- |
| github.com/opencontainers/runc | v1.1.0 | 1.1.2 | Go | usr/local/bin/gosu |
Hash of the image: `redis-7@sha256:e1294189c373797fe83307ab82fec233411bb035e1bb75f0dd8946dd08346295`
Since this is specifically `gosu` related, see https://github.com/tianon/gosu/blob/master/SECURITY.md

(If you run `govulncheck` on the `gosu` binary, you'll likely see that the reported vulnerabilities don't apply to the built binary, and should be reported to the maintainers/vendor of the fedramp scanner as false positives.)
I'm not sure what `sha256:e1294189c373797fe83307ab82fec233411bb035e1bb75f0dd8946dd08346295` is -- it doesn't correspond to any manifest list, image manifest, config blob, or even layer blob that we've ever published. 😕
The only `runc` in this image is the library embedded in `gosu` (of which no vulnerable code is actually invoked / included / compiled).
Additionally, we've since updated to `gosu` version 1.17, which switches from the `runc` library to the now-shared `github.com/moby/sys/user` (since `runc` wasn't actually using this functionality, so it was an odd place for that code to still live), which should help with the false positives in security scanning tools.