jrgemignani commented on issue #2357: URL: https://github.com/apache/age/issues/2357#issuecomment-4128304427
@jsell-rh Opus did suggest another option. However, it is not without its own issues.

**Option B** (Proactive): Modify the AGE Dockerfile to rebuild gosu from source with Go 1.24.13 (available now). This silences scanners but adds build complexity for a non-exploitable issue.

**Reasons NOT to Do This**

1. The CVE is not exploitable here. gosu never performs TLS. This is purely cosmetic scanner appeasement. The actual risk is zero.
2. The issue itself is misleading. The CVSS is 4.8, not 10.0, and is unreviewed.
3. It's the upstream's responsibility. The postgres:18 image is maintained by the Docker Library team. Every project that uses postgres:18 as a base has this same "issue." The fix belongs upstream, not in every downstream consumer.
4. Maintenance burden. Someone has to remember to revert this once upstream catches up. In practice, these "temporary" workarounds tend to persist indefinitely.
5. Non-reproducible builds. The @latest tag means the same Dockerfile can produce different results on different days.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]

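For readers weighing the "Option B" rebuild discussed in the comment above, the following is an added illustration of what that multi-stage Dockerfile would look like; it is not code from the AGE project or from the commenter. It shows the non-reproducible form (point 5, a `@latest` install) next to a pinned form, and adds a build-time check of which Go toolchain is embedded in the resulting binary, which is the evidence a scanner triage actually needs. The `golang:1.24.13` image tag, the `v1.17` gosu release, and the `/usr/local/bin/gosu` destination path are assumptions chosen for illustration; substitute the toolchain and gosu release the base image you are tracking actually uses.

```dockerfile
# ---- Stage 1: rebuild gosu with a specific Go toolchain ----
# Assumed tag; pick the patched Go release the scanner finding names.
FROM golang:1.24.13 AS gosu-builder

# Non-reproducible form (what the comment warns about in point 5):
# "@latest" resolves to whatever gosu release exists on build day.
#   RUN CGO_ENABLED=0 go install github.com/tianon/gosu@latest

# Reproducible form: pin the gosu module version explicitly.
# v1.17 is an assumed release for this example.
ENV GOFLAGS=-mod=mod
RUN CGO_ENABLED=0 go install github.com/tianon/gosu@v1.17

# Record the toolchain and module versions baked into the binary so the
# build log documents exactly what was produced (useful for scanner triage).
RUN go version -m /go/bin/gosu

# ---- Stage 2: the image AGE actually ships ----
FROM postgres:18

# Overwrite the gosu binary the base image installed (path assumed from the
# official postgres image layout) with the one built in stage 1.
COPY --from=gosu-builder /go/bin/gosu /usr/local/bin/gosu

# Sanity check: the replacement must still run and drop privileges as before.
RUN gosu --version && gosu nobody true
```

The `go version -m` line is the defender-side check worth keeping even if the rebuild itself is rejected: run against the base image's own `/usr/local/bin/gosu`, it prints the Go version and module list the binary was built with, which is what lets you confirm whether a flagged Go standard-library CVE is even present, and whether the flagged package (for example a TLS package) is linked in at all.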