We just started looking into grype to scan our Docker images and for a ruby-on-rails project running on Ubuntu Jammy we get a lot of go-related vulnerabilities shown:
NAME    INSTALLED  FIXED-IN         TYPE       VULNERABILITY   SEVERITY
stdlib  go1.18.5   1.21.11, 1.22.4  go-module  CVE-2024-24790  Critical
stdlib  go1.18.5   1.19.10, 1.20.5  go-module  CVE-2023-29405  Critical
stdlib  go1.18.5   1.19.10, 1.20.5  go-module  CVE-2023-29404  Critical
stdlib  go1.18.5   1.19.10, 1.20.5  go-module  CVE-2023-29402  Critical
stdlib  go1.18.5   1.19.9, 1.20.4   go-module  CVE-2023-24540  Critical
stdlib  go1.18.5   1.19.8, 1.20.3   go-module  CVE-2023-24538  Critical
stdlib  go1.18.5   1.21.0-0         go-module  CVE-2023-24531  Critical
stdlib  go1.18.5   1.22.7, 1.23.1   go-module  CVE-2024-34158  High
stdlib  go1.18.5   1.22.7, 1.23.1   go-module  CVE-2024-34156  High
stdlib  go1.18.5   1.21.12, 1.22.5  go-module  CVE-2024-24791  High
stdlib  go1.18.5   1.21.8, 1.22.1   go-module  CVE-2024-24784  High
stdlib  go1.18.5   1.21.9, 1.22.2   go-module  CVE-2023-45288  High
stdlib  go1.18.5   1.20.0           go-module  CVE-2023-45287  High
stdlib  go1.18.5   1.20.12, 1.21.5  go-module  CVE-2023-45285  High
stdlib  go1.18.5   1.20.10, 1.21.3  go-module  CVE-2023-44487  High
stdlib  go1.18.5   1.20.9, 1.21.2   go-module  CVE-2023-39323  High
stdlib  go1.18.5   1.19.10, 1.20.5  go-module  CVE-2023-29403  High
stdlib  go1.18.5   1.19.9, 1.20.4   go-module  CVE-2023-29400  High
stdlib  go1.18.5   1.19.9, 1.20.4   go-module  CVE-2023-24539  High
stdlib  go1.18.5   1.19.8, 1.20.3   go-module  CVE-2023-24537  High
stdlib  go1.18.5   1.19.8, 1.20.3   go-module  CVE-2023-24536  High
stdlib  go1.18.5   1.19.8, 1.20.3   go-module  CVE-2023-24534  High
stdlib  go1.18.5   1.19.6           go-module  CVE-2022-41725  High
stdlib  go1.18.5   1.19.6           go-module  CVE-2022-41724  High
stdlib  go1.18.5   1.19.6           go-module  CVE-2022-41723  High
stdlib  go1.18.5   1.18.7, 1.19.2   go-module  CVE-2022-41715  High
stdlib  go1.18.5   1.18.7, 1.19.2   go-module  CVE-2022-2880   High
stdlib  go1.18.5   1.18.7, 1.19.2   go-module  CVE-2022-2879   High
stdlib  go1.18.5   1.18.6           go-module  CVE-2022-27664  High
stdlib  go1.18.5   1.21.11, 1.22.4  go-module  CVE-2024-24789  Medium
stdlib  go1.18.5   1.21.10, 1.22.3  go-module  CVE-2024-24787  Medium
stdlib  go1.18.5   1.20.12, 1.21.5  go-module  CVE-2023-39326  Medium
stdlib  go1.18.5   1.20.8, 1.21.1   go-module  CVE-2023-39319  Medium
stdlib  go1.18.5   1.20.8, 1.21.1   go-module  CVE-2023-39318  Medium
stdlib  go1.18.5   1.19.12, 1.20.7  go-module  CVE-2023-29409  Medium
stdlib  go1.18.5   1.19.11, 1.20.6  go-module  CVE-2023-29406  Medium
stdlib  go1.18.5   1.19.7, 1.20.2   go-module  CVE-2023-24532  Medium
stdlib  go1.18.5   1.18.9, 1.19.4   go-module  CVE-2022-41717  Medium
stdlib  go1.18.5   1.22.7, 1.23.1   go-module  CVE-2024-34155  Unknown
stdlib  go1.18.5   1.21.8, 1.22.1   go-module  CVE-2024-24785  Unknown
stdlib  go1.18.5   1.21.8, 1.22.1   go-module  CVE-2024-24783  Unknown
stdlib  go1.18.5   1.21.8, 1.22.1   go-module  CVE-2023-45290  Unknown
stdlib  go1.18.5   1.21.8, 1.22.1   go-module  CVE-2023-45289  Unknown
To our understanding so far, this probably means that something was built using the go 1.18.5 compiler, because we don’t have the go compiler installed in the Docker image.
What we don’t get yet is: can we do anything about it?