RabbitMQ image 3.9.13-management vulnerabilities #546

Closed
rakivnenko1994 opened this issue Feb 25, 2022 · 2 comments
Labels
question Usability question, not directly related to an error with the image

Comments

@rakivnenko1994

RabbitMQ image 3.9.13-management has vulnerabilities related to the Go version. Based on https://groups.google.com/g/rabbitmq-users/c/KryKieu4btg/m/w7cjWp2ZAgAJ, it looks like the issue is related to the base OS which is used for the image build.
Is it possible to update the image to resolve the vulnerabilities?

Vulnerabilities:

| Summary | CVEs | Severity | Type | Provider | Component |
|---|---|---|---|---|---|
| Go net/http HTTP/2 Request Handling Memory Exhaustion Remote DoS | CVE-2021-44716 | High | security | JFrog | go://github.com/golang/go:1.13.8 |
| Go math/big/ratconv.go SetString() Function String Unmarshalling Signedness Flaw Memory Exhaustion DoS | CVE-2022-23772 | High | security | JFrog | go://github.com/golang/go:1.13.8 |
| Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used. | CVE-2021-38297 | High | security | JFrog | go://github.com/golang/go:1.13.8 |
| Go archive/zip/reader.go init() Function EOCD Record File Slice Allocation Memory Exhaustion DoS | CVE-2021-33196 | High | security | JFrog | go://github.com/golang/go:1.13.8 |
| Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption. | CVE-2022-23772 | High | security | JFrog | go://github.com/golang/go:1.13.8 |
| Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format. | CVE-2021-33195 | High | security | JFrog | go://github.com/golang/go:1.13.8 |
| Go crypto/elliptic Elliptic Curve Point Negative Coordinate Handling DoS | CVE-2022-23806 | High | security | JFrog | go://github.com/golang/go:1.13.8 |
wglambert added the `question` label (Usability question, not directly related to an error with the image) on Feb 25, 2022

@wglambert

Go isn't in the image; I imagine the CVE scanner is detecting gosu and extrapolating that to assume Go is installed in the image.

```console
$ docker run -it --rm rabbitmq:management bash
root@95f118038daf:/# which go
root@95f118038daf:/# apt list | grep -i go

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

gosu/now 1.10-1ubuntu0.20.04.1 amd64 [installed,local]
```

See https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves
And docker-library/openjdk#449 (comment), docker-library/postgres#286 (comment) docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

@yosifkit
Member

Seems the same as docker-library/mongo#523, so the response is the same as docker-library/mongo#523 (comment).

TL;DR: The CVEs in the list that are go and golang related are likely extrapolating that, since gosu is compiled with an older Go release, it might be vulnerable. You'd have to check gosu to see if it is using the vulnerable functions; like tianon/gosu#91, tianon/gosu#94, tianon/gosu#97, tianon/gosu#98, and tianon/gosu#99. So essentially they're false positives.
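
To see for yourself what a scanner like the one above is keying on, you can read the toolchain version and module list that the Go linker embeds in a binary such as gosu. The following is an added example, not code from this thread or from the docker-library project; it uses the standard `debug/buildinfo` package (Go 1.18 or later to run it, and the target must have been built with Go 1.13 or later, which is when the embedded build-info header appeared), and the path `/usr/sbin/gosu` is an assumption about where the Ubuntu package installs the binary.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

// GoBuildSummary describes the toolchain and modules compiled into a Go binary.
type GoBuildSummary struct {
	Path      string
	GoVersion string   // e.g. "go1.13.8": the string scanners map to Go stdlib CVEs
	Modules   []string // "path version" for the main module and each dependency
}

// SummarizeGoBinary reads the build metadata embedded in a Go executable.
// A scanner reporting "go://github.com/golang/go:1.13.8" against a container
// that has no Go toolchain installed is almost certainly reading this string
// from a statically linked helper such as gosu; the real question is then
// whether that helper calls the affected stdlib functions at all.
func SummarizeGoBinary(path string) (*GoBuildSummary, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("%s: not a Go binary or no build info: %w", path, err)
	}
	s := &GoBuildSummary{Path: path, GoVersion: info.GoVersion}
	if info.Main.Path != "" {
		s.Modules = append(s.Modules, info.Main.Path+" "+info.Main.Version)
	}
	for _, dep := range info.Deps {
		s.Modules = append(s.Modules, dep.Path+" "+dep.Version)
	}
	return s, nil
}

func main() {
	// Assumed location of gosu inside the image; pass another path as argv[1].
	path := "/usr/sbin/gosu"
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	s, err := SummarizeGoBinary(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%s built with %s\n", s.Path, s.GoVersion)
	for _, m := range s.Modules {
		fmt.Println("  ", m)
	}
}
```

Comparing the reported `GoVersion` with the fixed versions in the advisories tells you whether the toolchain claim is even accurate; the module list (empty for a binary with no third-party dependencies) narrows down which code paths need a closer look.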
