
[vulnerabilities] minimal and standard images for 17.5 #189

Closed
@c35sys


Hello,

I'm looking for the latest image in order to have fewer vulnerabilities in it.

If I use postgresql:17.4-standard-bookworm or postgresql:17.4-standard-bookworm, I have the following vulnerabilities:

❯ grype --by-cve ghcr.io/cloudnative-pg/postgresql:17.4-standard-bookworm | grep -E "High|Critical"
 ✔ Loaded image                    ghcr.io/cloudnative-pg/postgresql:17.4-standard-bookworm
 ✔ Parsed image                    sha256:f99d01ce97e8ab542971b4a0dffe5da9907332d644f94c45b4477608b7fb8217
 ✔ Cataloged contents              0a90aedaea6d3264fc062b4d5eb4da4a4359678935cea077b2b2398f6336eda8
   ├── ✔ Packages                        [148 packages]
   ├── ✔ Executables                     [934 executables]
   ├── ✔ File metadata                   [10,245 locations]
   └── ✔ File digests                    [10,245 files]
 ✔ Scanned for vulnerabilities     [165 vulnerability matches]
   ├── by severity: 0 critical, 12 high, 28 medium, 17 low, 104 negligible (4 unknown)
   └── by status:   0 fixed, 165 not-fixed, 0 ignored (1 dropped)
libldap-2.5-0       2.5.13+dfsg-5            (won't fix)  deb   CVE-2023-2953     High        
libperl5.36         5.36.0-7+deb12u2         (won't fix)  deb   CVE-2023-31484    High        
libxml2             2.9.14+dfsg-1.3~deb12u1               deb   CVE-2022-49043    High        
libxml2             2.9.14+dfsg-1.3~deb12u1  (won't fix)  deb   CVE-2024-25062    High        
libxml2             2.9.14+dfsg-1.3~deb12u1               deb   CVE-2024-56171    High        
libxml2             2.9.14+dfsg-1.3~deb12u1               deb   CVE-2025-24928    High        
libxml2             2.9.14+dfsg-1.3~deb12u1               deb   CVE-2025-27113    High        
libxml2             2.9.14+dfsg-1.3~deb12u1  (won't fix)  deb   CVE-2025-32414    High        
libxml2             2.9.14+dfsg-1.3~deb12u1               deb   CVE-2025-32415    High        
perl                5.36.0-7+deb12u2         (won't fix)  deb   CVE-2023-31484    High        
perl-base           5.36.0-7+deb12u2         (won't fix)  deb   CVE-2023-31484    High        
perl-modules-5.36   5.36.0-7+deb12u2         (won't fix)  deb   CVE-2023-31484    High  

However, there are no minimal or standard images for 17.5, only postgresql:17.5-1-bookworm, which has a lot more vulnerabilities, including critical ones:

❯ grype --by-cve ghcr.io/cloudnative-pg/postgresql:17.5-1-bookworm | grep -E "High|Critical"
 ✔ Loaded image                    ghcr.io/cloudnative-pg/postgresql:17.5-1-bookworm
 ✔ Parsed image                    sha256:844e79e6bd624c302bd29b8dcd946573e8450e23f80a154f46683b7513a99884
 ✔ Cataloged contents              47dccb4afee948558efa40141eb93c173efd9812cb9774866dc696ed45b76c23
   ├── ✔ Packages                        [219 packages]
   ├── ✔ File metadata                   [9,642 locations]
   ├── ✔ Executables                     [1,014 executables]
   └── ✔ File digests                    [9,642 files]
 ✔ Scanned for vulnerabilities     [232 vulnerability matches]
   ├── by severity: 8 critical, 44 high, 53 medium, 23 low, 100 negligible (4 unknown)
   └── by status:   59 fixed, 173 not-fixed, 0 ignored (1 dropped)
libexpat1              2.5.0-1+deb12u1          (won't fix)                    deb        CVE-2023-52425    High        
libexpat1              2.5.0-1+deb12u1          (won't fix)                    deb        CVE-2024-8176     High        
libldap-2.5-0          2.5.13+dfsg-5            (won't fix)                    deb        CVE-2023-2953     High        
libperl5.36            5.36.0-7+deb12u2         (won't fix)                    deb        CVE-2023-31484    High        
libxml2                2.9.14+dfsg-1.3~deb12u1                                 deb        CVE-2022-49043    High        
libxml2                2.9.14+dfsg-1.3~deb12u1  (won't fix)                    deb        CVE-2024-25062    High        
libxml2                2.9.14+dfsg-1.3~deb12u1                                 deb        CVE-2024-56171    High        
libxml2                2.9.14+dfsg-1.3~deb12u1                                 deb        CVE-2025-24928    High        
libxml2                2.9.14+dfsg-1.3~deb12u1                                 deb        CVE-2025-27113    High        
libxml2                2.9.14+dfsg-1.3~deb12u1  (won't fix)                    deb        CVE-2025-32414    High        
libxml2                2.9.14+dfsg-1.3~deb12u1                                 deb        CVE-2025-32415    High        
perl                   5.36.0-7+deb12u2         (won't fix)                    deb        CVE-2023-31484    High        
perl-base              5.36.0-7+deb12u2         (won't fix)                    deb        CVE-2023-31484    High        
perl-modules-5.36      5.36.0-7+deb12u2         (won't fix)                    deb        CVE-2023-31484    High        
stdlib                 go1.18.2                 1.21.0-0                       go-module  CVE-2023-24531    Critical    
stdlib                 go1.18.2                 *1.19.8, 1.20.3                go-module  CVE-2023-24538    Critical    
stdlib                 go1.18.2                 *1.19.9, 1.20.4                go-module  CVE-2023-24540    Critical    
stdlib                 go1.18.2                 *1.19.10, 1.20.5               go-module  CVE-2023-29402    Critical    
stdlib                 go1.18.2                 *1.19.10, 1.20.5               go-module  CVE-2023-29404    Critical    
stdlib                 go1.18.2                 *1.19.10, 1.20.5               go-module  CVE-2023-29405    Critical    
stdlib                 go1.18.2                 *1.21.11, 1.22.4               go-module  CVE-2024-24790    Critical    
stdlib                 go1.18.2                 *1.23.8, 1.24.2                go-module  CVE-2025-22871    Critical    
stdlib                 go1.18.2                 1.18.6                         go-module  CVE-2022-27664    High        
stdlib                 go1.18.2                 1.17.12, *1.18.4               go-module  CVE-2022-28131    High        
stdlib                 go1.18.2                 *1.18.7, 1.19.2                go-module  CVE-2022-2879     High        
stdlib                 go1.18.2                 *1.18.7, 1.19.2                go-module  CVE-2022-2880     High        
stdlib                 go1.18.2                 1.17.11, *1.18.3               go-module  CVE-2022-30580    High        
stdlib                 go1.18.2                 1.17.12, *1.18.4               go-module  CVE-2022-30630    High        
stdlib                 go1.18.2                 1.17.12, *1.18.4               go-module  CVE-2022-30631    High        
stdlib                 go1.18.2                 1.17.12, *1.18.4               go-module  CVE-2022-30632    High        
stdlib                 go1.18.2                 1.17.12, *1.18.4               go-module  CVE-2022-30633    High        
stdlib                 go1.18.2                 1.17.12, *1.18.4               go-module  CVE-2022-30635    High        
stdlib                 go1.18.2                 1.17.13, *1.18.5               go-module  CVE-2022-32189    High        
stdlib                 go1.18.2                 *1.18.7, 1.19.2                go-module  CVE-2022-41715    High        
stdlib                 go1.18.2                 1.19.6                         go-module  CVE-2022-41723    High        
stdlib                 go1.18.2                 1.19.6                         go-module  CVE-2022-41724    High        
stdlib                 go1.18.2                 1.19.6                         go-module  CVE-2022-41725    High        
stdlib                 go1.18.2                 *1.19.8, 1.20.3                go-module  CVE-2023-24534    High        
stdlib                 go1.18.2                 *1.19.8, 1.20.3                go-module  CVE-2023-24536    High        
stdlib                 go1.18.2                 *1.19.8, 1.20.3                go-module  CVE-2023-24537    High        
stdlib                 go1.18.2                 *1.19.9, 1.20.4                go-module  CVE-2023-24539    High        
stdlib                 go1.18.2                 *1.19.9, 1.20.4                go-module  CVE-2023-29400    High        
stdlib                 go1.18.2                 *1.19.10, 1.20.5               go-module  CVE-2023-29403    High        
stdlib                 go1.18.2                 *1.20.9, 1.21.2                go-module  CVE-2023-39323    High        
stdlib                 go1.18.2                 *1.20.10, 1.21.3               go-module  CVE-2023-44487    High        
stdlib                 go1.18.2                 *1.20.12, 1.21.5               go-module  CVE-2023-45285    High        
stdlib                 go1.18.2                 1.20.0                         go-module  CVE-2023-45287    High        
stdlib                 go1.18.2                 *1.21.9, 1.22.2                go-module  CVE-2023-45288    High        
stdlib                 go1.18.2                 *1.21.8, 1.22.1                go-module  CVE-2024-24784    High        
stdlib                 go1.18.2                 *1.21.12, 1.22.5               go-module  CVE-2024-24791    High        
stdlib                 go1.18.2                 *1.22.7, 1.23.1                go-module  CVE-2024-34156    High        
stdlib                 go1.18.2                 *1.22.7, 1.23.1                go-module  CVE-2024-34158    High

I found postgresql:17.5-1-bookworm from https://raw.githubusercontent.com/cloudnative-pg/postgres-containers/main/Debian/ClusterImageCatalog-bookworm.yaml.

Maybe the process for the minimal and standard images uses a newer golang to create them, which removes all the golang vulnerabilities, probably related to #126 and #132.

Any thoughts or direction?
Thanks.
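A small triage helper for scans like the two above, as an added example (not code from the cloudnative-pg project): it reads grype's JSON output (`grype -o json <image>`) and, per artifact, splits the High and Critical matches into those for which grype records a fixed version and those marked not-fixed or won't fix. That is the same split as the "by status" line in each scan (0 fixed for 17.4-standard, 59 fixed for 17.5-1), and it makes visible which findings a rebuild with a newer toolchain can remove and which are distro "won't fix" entries. The sample report is constructed from three rows of the issue; the JSON field names are assumed to follow grype's layout.

```python
"""Triage a grype JSON report: High/Critical matches per artifact, split into
those with a fixed version available and those marked not-fixed / won't fix.

Added example, not cloudnative-pg project code. Field names follow grype's
`-o json` layout (matches[].vulnerability, matches[].artifact) as assumed here.
"""
import json

SEVERITIES = ("Critical", "High", "Medium", "Low", "Negligible", "Unknown")

# Constructed sample mirroring three rows of the 17.5-1-bookworm scan above.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2023-2953", "severity": "High",
                       "fix": {"versions": [], "state": "wont-fix"}},
     "artifact": {"name": "libldap-2.5-0", "version": "2.5.13+dfsg-5",
                  "type": "deb"}},
    {"vulnerability": {"id": "CVE-2023-24538", "severity": "Critical",
                       "fix": {"versions": ["1.19.8", "1.20.3"], "state": "fixed"}},
     "artifact": {"name": "stdlib", "version": "go1.18.2", "type": "go-module"}},
    {"vulnerability": {"id": "CVE-2024-24790", "severity": "Critical",
                       "fix": {"versions": ["1.21.11", "1.22.4"], "state": "fixed"}},
     "artifact": {"name": "stdlib", "version": "go1.18.2", "type": "go-module"}},
]})


def triage(report_json, min_severity="High"):
    """Return {(type, name, version): {"fixable": {ids}, "unfixable": {ids}}}
    for every match at or above min_severity."""
    cutoff = SEVERITIES.index(min_severity)
    result = {}
    for match in json.loads(report_json)["matches"]:
        vuln, art = match["vulnerability"], match["artifact"]
        sev = vuln.get("severity", "Unknown")
        rank = SEVERITIES.index(sev) if sev in SEVERITIES else len(SEVERITIES) - 1
        if rank > cutoff:
            continue  # below the requested severity floor
        key = (art["type"], art["name"], art["version"])
        entry = result.setdefault(key, {"fixable": set(), "unfixable": set()})
        # grype sets state "fixed" when a fixed version exists; anything else
        # ("not-fixed", "wont-fix", "unknown") needs a different remediation.
        state = vuln.get("fix", {}).get("state")
        entry["fixable" if state == "fixed" else "unfixable"].add(vuln["id"])
    return result


if __name__ == "__main__":
    for (kind, name, version), ids in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{kind:10} {name:15} {version:25} "
              f"fixable={len(ids['fixable'])} unfixable={len(ids['unfixable'])}")
```

Run it against a real report with `grype -o json <image> > report.json` and pass the file contents to `triage()`; a go-module artifact whose matches are all "fixable" points at the toolchain the binary was built with rather than at the Debian packages.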

Labels: question (Further information is requested)