Official recommandation to skip "gosu" vulnerabilities

[nicolas-albert]

Hi,
I know it was debated elsewhere but if I use gosu this is because it was recommended here and works fine for years.
But since weeks, build report 56 vulnerabilities from gosu without any change from us.
Previously installed by apt-get, I also try by following the official gosu installation guide to use the released build from its repository.
I saw we could build it with a newer go version but is it the real recommandation of docker-library/official-images?
What guide I have to follow to perform this?
I just want to follow the official recommandation about building an official image (without crit vulnerabilities, even they are fake).

PS: here our internal issue convertigo/convertigo#876

[tianon]

We're exploring things like VEX statements for official images, but you're correct that they're not currently supported. Ideally tools would be using govulncheck to filter these automatically, and I think the Scout team is working on such functionality, but I'm not certain.

Our advice is currently to point to https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves, but we recognize that isn't ideal and are discussing alternatives internally.

[grooverdan]

This is still a big pain point than ends in the same conversation every month or so:

• Vendors to deal with vulnerabilties on Docker Hub docker/roadmap#750
• Remedy Docker Scout false postive reports of golang based vulnerabilties using govulnchecker docker/roadmap#749