Security vulnerability found in postgres:alpine 'gosu' application #1271
The Dockerfile for Postgres downloads an open-source program named 'gosu', which was built using golang 1.18.2. The stdlib library in this version of GOLANG contains a critical vulnerability. These issues have been resolved in GOLANG versions 1.21.8 and 1.22.1.

If the maintainer is not updating this application any longer, is there another alternative that has been patched which can be used in its place, or can your team fork this repo to keep this application up to date?

Comments

This is a false positive. See https://github.com/tianon/gosu/blob/master/SECURITY.md

For the avoidance of doubt, here's the full results of running the latest:

```dockerfile
FROM golang
RUN --mount=type=bind,from=postgres:alpine,src=/usr/local/bin/gosu,dst=/tmp/gosu \
	go run golang.org/x/vuln/cmd/govulncheck@latest -mode=binary /tmp/gosu
```

```console
$ docker buildx build --pull .
#0 building with "default" instance using docker driver
#1 [internal] load .dockerignore
#1 transferring context: 2B done
#1 DONE 0.0s
#2 [internal] load build definition from Dockerfile
#2 transferring dockerfile: 207B done
#2 DONE 0.0s
#3 [internal] load metadata for docker.io/library/golang:latest
#3 ...
#4 [internal] load metadata for docker.io/library/postgres:alpine
#4 DONE 0.5s
#3 [internal] load metadata for docker.io/library/golang:latest
#3 DONE 0.5s
#5 FROM docker.io/library/postgres:alpine@sha256:d898b0b78a2627cb4ee63464a14efc9d296884f1b28c841b0ab7d7c42f1fffdf
#5 CACHED
#6 [stage-0 1/2] FROM docker.io/library/golang@sha256:2fe82a3f3e006b4f2a316c6a21f62b66e1330ae211d039bb8d1128e12ed57bf1
#6 CACHED
#7 [stage-0 2/2] RUN --mount=type=bind,from=postgres:alpine,src=/usr/local/bin/gosu,dst=/tmp/gosu go run golang.org/x/vuln/cmd/govulncheck@latest -mode=binary /tmp/gosu
go: downloading golang.org/x/vuln v1.1.3
go: downloading golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7
go: downloading golang.org/x/mod v0.19.0
go: downloading golang.org/x/tools v0.23.0
go: downloading golang.org/x/sync v0.7.0
=== Symbol Results ===

Vulnerability #1: GO-2023-1840
    Unsafe behavior in setuid/setgid binaries in runtime
  More info: https://pkg.go.dev/vuln/GO-2023-1840
  Standard library
    Found in: [email protected]
    Fixed in: [email protected]
    Vulnerable symbols found:
      #1: runtime.Caller
      #2: runtime.CallersFrames
      #3: runtime.Frames.Next
      #4: runtime.Func.Entry
      #5: runtime.Func.Name
      Use '-show traces' to see the other 20 found symbols

Your code is affected by 1 vulnerability from the Go standard library.
This scan also found 3 vulnerabilities in packages you import and 44
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
exit status 3
#7 ERROR: process "/bin/sh -c go run golang.org/x/vuln/cmd/govulncheck@latest -mode=binary /tmp/gosu" did not complete successfully: exit code: 1
```

The only actual result is https://pkg.go.dev/vuln/GO-2023-1840 (alias CVE-2023-29403), and as noted in https://github.com/tianon/gosu/blob/052c5c2b186b84c4d9a41ed4f327490ef8d746fe/govulncheck-with-excludes.sh#L9-L13 (per that upstream documentation) this is already mitigated in

See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves for more general guidance around CVEs and scanning tools.
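The maintainer's reply points at a govulncheck-with-excludes script as the way to keep a documented, already-mitigated advisory such as GO-2023-1840 from failing a scan while still catching anything new. The program below is an added example of that triage pattern, not code from the gosu, govulncheck or docker-library projects. It assumes govulncheck's `-json` stream emits one JSON object per record, that finding records carry an `osv` ID and a `trace` array, and that the first trace frame names the vulnerable symbol (a symbol-level finding) while package- and module-level findings leave `function` empty; those are assumptions about the tool's output format, not facts the thread states. `sampleJSON` is constructed, and every advisory ID in it other than GO-2023-1840 is a placeholder. The exit code 3 deliberately mirrors the `exit status 3` visible in the build output above.

```go
package main

// Added example, not code from gosu, govulncheck or docker-library: triage
// `govulncheck -json` output against an accept list that carries a reason per
// advisory. sampleJSON is constructed to resemble the tool's JSON stream as
// assumed here; every advisory ID in it except GO-2023-1840 is a placeholder.

import (
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

type (
	Envelope struct{ Finding *Finding `json:"finding,omitempty"` } // one stream record
	Finding  struct {
		OSV   string  `json:"osv"`
		Trace []Frame `json:"trace"` // assumed: Trace[0] names the vulnerable symbol
	}
	Frame struct {
		Package  string `json:"package"`
		Function string `json:"function"`
		Receiver string `json:"receiver"`
	}
)

// Excludes is the accept list; a reason is mandatory so every entry is reviewable.
var Excludes = map[string]string{
	"GO-2023-1840": "setuid/setgid runtime issue; gosu documents its mitigation in SECURITY.md",
}

type Result struct {
	Reachable map[string][]string // advisory -> vulnerable symbols the binary calls
	Excluded  map[string]string   // advisory -> accept-list reason
	Stale     []string            // accept-list entries the scan no longer reports
}

// Triage keeps symbol-level findings only: those mean the binary calls the
// vulnerable code, whereas package- and module-level findings are mere imports.
func Triage(r io.Reader, excludes map[string]string) (Result, error) {
	res := Result{Reachable: map[string][]string{}, Excluded: map[string]string{}}
	seen := map[string]bool{}
	dec := json.NewDecoder(r)
	for {
		var env Envelope
		if err := dec.Decode(&env); err == io.EOF {
			break
		} else if err != nil {
			return res, fmt.Errorf("decoding govulncheck stream: %w", err)
		}
		f := env.Finding
		if f == nil {
			continue // config, progress and osv records carry no finding
		}
		seen[f.OSV] = true
		if len(f.Trace) == 0 || f.Trace[0].Function == "" {
			continue // imported but never called
		}
		if reason, ok := excludes[f.OSV]; ok {
			res.Excluded[f.OSV] = reason
			continue
		}
		fr := f.Trace[0] // strings.Fields drops an empty receiver
		sym := strings.Join(strings.Fields(fr.Package+" "+fr.Receiver+" "+fr.Function), ".")
		res.Reachable[f.OSV] = append(res.Reachable[f.OSV], sym)
	}
	for id := range excludes {
		if !seen[id] {
			res.Stale = append(res.Stale, id) // exclusion outlived the finding it covered
		}
	}
	sort.Strings(res.Stale)
	return res, nil
}

func ExitCode(res Result) int {
	if len(res.Reachable) > 0 {
		return 3 // govulncheck's own exit status when a vulnerability is called
	}
	return 0
}

// Constructed sample: one excluded advisory (two symbols), one placeholder reachable advisory, one module-level advisory.
const sampleJSON = `
{"config":{"scanner_name":"govulncheck","scan_mode":"binary"}}
{"finding":{"osv":"GO-2023-1840","trace":[{"module":"stdlib","package":"runtime","function":"Caller"},{"module":"example.test/app","package":"main","function":"main"}]}}
{"finding":{"osv":"GO-2023-1840","trace":[{"module":"stdlib","package":"runtime","receiver":"*Frames","function":"Next"},{"module":"example.test/app","package":"main","function":"main"}]}}
{"finding":{"osv":"GO-EXAMPLE-0001","trace":[{"module":"example.test/dep","package":"example.test/dep","function":"Parse"},{"module":"example.test/app","package":"main","function":"main"}]}}
{"finding":{"osv":"GO-EXAMPLE-0002","trace":[{"module":"example.test/other"}]}}
`

func main() {
	res, err := Triage(strings.NewReader(sampleJSON), Excludes)
	if err != nil {
		panic(err)
	}
	fmt.Printf("reachable=%v\nexcluded=%v\nstale=%v\nexit=%d\n", res.Reachable, res.Excluded, res.Stale, ExitCode(res))
}
```

Against the constructed sample, GO-2023-1840 lands in the excluded set with its reason, the placeholder GO-EXAMPLE-0001 stays reachable and forces exit status 3, and the module-level GO-EXAMPLE-0002 is dropped the same way govulncheck's summary only counts it as "imported". To run this over a real scan, replace `strings.NewReader(sampleJSON)` with `os.Stdin` and pipe `govulncheck -json -mode=binary <binary>` into it; the `Stale` list is the check worth keeping in CI, because an accept-list entry that no longer matches any finding usually means the binary was rebuilt and the exclusion should be retired rather than silently carried forward.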