hundreds of vulnerabilities reported in images

[mcandre]

Docker Scout identifies hundreds of CVE's in the xgo images, including critical severity vulnerabilities.

docker-scout-vulnerability-report.txt

What if we published xgo atop Fedora (41), which often acts as a more secure base image than Debian/Ubuntu family?

[kolaente]

The reported cves from your report are all go cves, not ones based on the os. It seems like the go version it reported (1.17) is either wrongly detected or the docker image is out of date.

[mcandre]

Updated to the go-1.24.x tag. Still hundreds of CVE.s

docker-scout.txt