
Alpine image vulnerability scan regression

Open dpodder opened this issue 1 year ago • 5 comments

Possibly as a result of #389, the latest Alpine image tags light up significantly worse than earlier tags when scanned for vulnerabilities. Part of the reason our organization prefers Alpine based images is for its minimal attack surface; the apparent regression is increasing friction for us to adopt the newer builds.

Are additional components really needed in the redis Alpine image? If not, can they be removed again to clean up the scan results?

See for example: https://hub.docker.com/_/redis/tags?page=1&name=7.2.3-alpine3


dpodder avatar Dec 21 '23 13:12 dpodder

These are false positives. https://github.com/tianon/gosu/blob/master/SECURITY.md

LaurentGoderre avatar Dec 21 '23 15:12 LaurentGoderre

The vulnerabilities are not related to "gosu". It appears to be an outdated stdlib dependency. This is also a problem for me as we block any images with critical vulnerabilities.


bgrimm1 avatar Apr 25 '24 18:04 bgrimm1

Stdlib is the Golang standard library which gosu used. However, the go compiler only uses what the source code uses, so the vulnerable part of the library is not used in the end binary, which makes it a false positive.

LaurentGoderre avatar Apr 25 '24 18:04 LaurentGoderre
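A triage filter for the situation in this thread (a policy that blocks on critical findings, plus Go stdlib findings reported against the gosu binary), added here as an example and not code from the redis image or gosu projects. It assumes a Trivy-style JSON report layout (Results / Target / Type / Vulnerabilities) and uses constructed placeholder findings; adapt the field names to whatever scanner produced the Docker Hub results above.

```python
import json

# Constructed sample in the shape of a Trivy JSON image report (assumed layout;
# IDs and versions are placeholders, not values from a real scan of the image).
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "usr/local/bin/gosu", "Type": "gobinary", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "stdlib",
         "InstalledVersion": "placeholder", "FixedVersion": "placeholder", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "golang.org/x/sys",
         "InstalledVersion": "placeholder", "FixedVersion": "placeholder", "Severity": "HIGH"}]},
    {"Target": "redis:7.2.3-alpine3.18 (alpine 3.18)", "Type": "alpine", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example-apk-pkg",
         "InstalledVersion": "placeholder", "FixedVersion": "placeholder", "Severity": "CRITICAL"}]}]})

BLOCKING_SEVERITIES = {"CRITICAL"}  # the "block anything critical" policy from the thread


def triage(report_json):
    """Split scanner findings into three buckets:
    blocking - meets the block policy and is not a gosu/stdlib finding
    review   - Go stdlib findings against the gosu binary, which gosu's
               SECURITY.md treats as unreachable; needs a documented exception
    other    - everything else (kept in the report, does not block)"""
    report = json.loads(report_json)
    blocking, review, other = [], [], []
    for result in report.get("Results", []):
        target = result.get("Target", "")
        is_gosu = result.get("Type") == "gobinary" and target.endswith("/gosu")
        for v in result.get("Vulnerabilities", []):
            finding = {"id": v.get("VulnerabilityID"), "pkg": v.get("PkgName"),
                       "target": target, "severity": v.get("Severity"),
                       "installed": v.get("InstalledVersion"), "fixed": v.get("FixedVersion")}
            if is_gosu and finding["pkg"] == "stdlib":
                finding["note"] = "Go stdlib CVE in statically linked gosu; confirm against gosu SECURITY.md"
                review.append(finding)
            elif finding["severity"] in BLOCKING_SEVERITIES:
                blocking.append(finding)
            else:
                other.append(finding)
    return blocking, review, other


if __name__ == "__main__":
    blocking, review, other = triage(SAMPLE_REPORT)
    for name, bucket in (("BLOCKING", blocking), ("REVIEW", review), ("OTHER", other)):
        print(f"{name}: {len(bucket)}")
        for f in bucket:
            print(f"  {f['id']} {f['pkg']} ({f['severity']}) in {f['target']}")
```

The "review" bucket is where a documented exception lives; it is deliberately not silently dropped, so the gosu/stdlib findings still appear in the report for an auditor.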

ahh I just discovered that. Unfortunately that will not satisfy the powers that be on my end. I can't even pull that image as a base to try and update that library to the suggested version.

bgrimm1 avatar Apr 25 '24 18:04 bgrimm1

Seems like I'm able to pull redis:7.2.3-alpine3.18 which is much newer than what I had. At least it hasn't been blocked yet...

bgrimm1 avatar Apr 25 '24 18:04 bgrimm1