Docker images contain google golang protobuf 1.26 w/ high severity vuln

[mbravorus]

~$ grype spx01/blocky:latest
 ✔ Vulnerability DB        [no update available]
 ✔ Loaded image            
 ✔ Parsed image            
 ✔ Cataloged packages      [71 packages]
 ✔ Scanned image           [1 vulnerabilities]
NAME                        INSTALLED  FIXED-IN  VULNERABILITY  SEVERITY 
google.golang.org/protobuf  v1.26.0              CVE-2015-5237  High      

Mind you, there's also the github protobuf version which is newer and doesn't have this problem, so I am not sure which one is getting used, but it wouldn't hurt to check.

[0xERR0R]

Thanks for pointing to this problem. protobuf is an indirect dependency, which comes from prometheus/client_golang. There is currently the latest version in go.mod

[0xERR0R]

Looks like it is a bug in grype: anchore/grype#558

[mbravorus]

Indeed, seems so. We can close this then, or wait until they fix the false positive - your choice. Thanks for staying on top of this!