Security vulnerability found in postgres:alpine 'gosu' appliciation

[bdealey]

The Dockerfile for Postgres downloads an opensource program named 'gosu', which was build using golang 1.18.2. The stdlib library in this version of GOLANG contains a critical vulnerability. These issues have been resolved in GOLANG version 1.21.8 and 1.22.1.

If the maintainer is not updating this application any longer, is there another alternative that has been patched which can be used in its place or can your team fork this repo to keep this application up to date?

[LaurentGoderre]

This is a false positive. See https://github.com/tianon/gosu/blob/master/SECURITY.md

[tianon]

For the avoidance of doubt, here's the full results of running the latest govulncheck on the /usr/local/bin/gosu binary from the current postgres:alpine image:

FROM golang
RUN --mount=type=bind,from=postgres:alpine,src=/usr/local/bin/gosu,dst=/tmp/gosu \
	go run golang.org/x/vuln/cmd/govulncheck@latest -mode=binary /tmp/gosu

$ docker buildx build --pull .
#0 building with "default" instance using docker driver

#1 [internal] load .dockerignore
#1 transferring context: 2B done
#1 DONE 0.0s

#2 [internal] load build definition from Dockerfile
#2 transferring dockerfile: 207B done
#2 DONE 0.0s

#3 [internal] load metadata for docker.io/library/golang:latest
#3 ...

#4 [internal] load metadata for docker.io/library/postgres:alpine
#4 DONE 0.5s

#3 [internal] load metadata for docker.io/library/golang:latest
#3 DONE 0.5s

#5 FROM docker.io/library/postgres:alpine@sha256:d898b0b78a2627cb4ee63464a14efc9d296884f1b28c841b0ab7d7c42f1fffdf
#5 CACHED

#6 [stage-0 1/2] FROM docker.io/library/golang@sha256:2fe82a3f3e006b4f2a316c6a21f62b66e1330ae211d039bb8d1128e12ed57bf1
#6 CACHED

#7 [stage-0 2/2] RUN --mount=type=bind,from=postgres:alpine,src=/usr/local/bin/gosu,dst=/tmp/gosu 	go run golang.org/x/vuln/cmd/govulncheck@latest -mode=binary /tmp/gosu
go: downloading golang.org/x/vuln v1.1.3
go: downloading golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7
go: downloading golang.org/x/mod v0.19.0
go: downloading golang.org/x/tools v0.23.0
go: downloading golang.org/x/sync v0.7.0
=== Symbol Results ===

Vulnerability #1: GO-2023-1840
    Unsafe behavior in setuid/setgid binaries in runtime
  More info: https://pkg.go.dev/vuln/GO-2023-1840
  Standard library
    Found in: runtime@go1.18.2
    Fixed in: runtime@go1.19.10
    Vulnerable symbols found:
      #1: runtime.Caller
      #2: runtime.CallersFrames
      #3: runtime.Frames.Next
      #4: runtime.Func.Entry
      #5: runtime.Func.Name
      Use '-show traces' to see the other 20 found symbols

Your code is affected by 1 vulnerability from the Go standard library.
This scan also found 3 vulnerabilities in packages you import and 44
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
exit status 3
#7 ERROR: process "/bin/sh -c go run golang.org/x/vuln/cmd/govulncheck@latest -mode=binary /tmp/gosu" did not complete successfully: exit code: 1

The only actual result is https://pkg.go.dev/vuln/GO-2023-1840 (alias CVE-2023-29403), and as noted in https://github.com/tianon/gosu/blob/052c5c2b186b84c4d9a41ed4f327490ef8d746fe/govulncheck-with-excludes.sh#L9-L13 (per that upstream documentation) this is already mitigated in gosu itself.

See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves for more general guidance around CVEs and scanning tools.