I am using spring boot v3.1.5 and using bootBuildImage to build my image. After scanning my images, I found a lot of CVEs related to golang. As far as I understand, multiple golang build packages are used during the image building process.
Is there a way to solve this problem? Can I configure spring to avoid using these packages?
I tried configuring the used buildpack without success. I want to have zero golang related files in the image I create.
Correct answer
No, that's incorrect. When you build a Java application, it uses only Java-related build packages. It doesn't use any Go buildpacks. You can see the list of build packages it uses in the build's output. It looks like this. The buildpacks listed in the instrumentation are the only ones called.
    ===> DETECTING
    6 of 26 buildpacks participating
    paketo-buildpacks/ca-certificates   3.6.6
    paketo-buildpacks/bellsoft-liberica 10.4.2
    paketo-buildpacks/syft              1.39.0
    paketo-buildpacks/executable-jar    6.8.2
    paketo-buildpacks/dist-zip          5.6.7
    paketo-buildpacks/spring-boot       5.27.5
What may confuse you is that all Paketo buildpacks themselves are written in Golang. So if you were to pull a buildpack image such as gcr.io/paketo-buildpacks/bellsoft-liberica, you would see a Go binary at /cnb/buildpacks/paketo-buildpacks_bellsoft-liberica/10.4.2/bin/main. This is what is called during instrumentation and building, and what actually does the work of building the package.
Additionally, the buildpack performs some operations before the application runtime is started, such as configuring JVM settings, which are performed by a separate binary named helper (in the same directory in the buildpack image). Unlike main, this binary is copied into the final image, so your scanner correctly thinks that a Go binary is present in the image: it is the helper binary. If you view the application image using dive, you can see the layer adding the helper binary and confirm this.
Your scanner will see this binary and scan it like anything else. It's able to tell from a binary which version of Golang created that binary, and from there it tells you that the binary may be vulnerable to any known CVEs for that version of Go or higher. The scanner has zero knowledge about the purpose of the binary or whether it is actually vulnerable to any CVEs. I don't know what CVEs you are referring to, but I can tell you that given the context of the Paketo buildpack helper binary, most of the CVEs will not apply. For example, anything related to servers, networking, or HTTP is irrelevant.
The helper binary is a CLI that runs, usually reads arguments/environment variables, and then prints out some structured text. That's it; usually no server, network, or HTTP required.
For specific questions about CVEs and their impact, you can ask on the Paketo Slack, but don't just dump the CVE list from the scanner there and expect someone to double check everything for you. Please note that this project is an OSS project and people respond in good faith and as time permits. If you need more help or want a guaranteed response time, then you'll want to consider contracting with a commercial buildpack provider.
Golang files cannot be deleted; they are essentially the buildpacks. What you can do:
- Keep your builders and buildpacks updated. The Paketo project cuts new releases every week, and we actively keep Go up to date so that new releases contain all the latest fixes.
- Check for reported CVEs; if you keep up to date there shouldn't be many. Given the context in which the buildpack binaries are built (see above), they are most likely irrelevant, and you can then tell the scanner to ignore them. They should be going away soon because of 1.)
- Since you are using the Spring Boot build tools, please make sure you have seen this announcement and have applied the required changes. If you don't do this, you will definitely get a lot of CVEs because you will have very old build packages.
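As an added illustration of how a scanner "tells from a binary which version of Golang created that binary" (example code written for this page, not from the Paketo project or the answer's author): Go 1.18 and later embed a build-info blob in every binary, with the toolchain version and the main module path stored inline after a fixed 32-byte header. The script below locates that blob in raw bytes and extracts both fields, which is exactly the information a scanner keys its Go CVE matches on. It assumes the Go >= 1.18 inline layout only (older binaries store pointers instead and are reported as unsupported), and the sample "binary" it parses is constructed inside the block with placeholder sentinel bytes; the module path github.com/example/helper is made up.

```python
# Added example: read the Go build-info blob the way a scanner does.
# Layout (Go >= 1.18): 14-byte magic, pointer size, flags, zero padding to
# 32 bytes, then uvarint-length-prefixed version string and module-info string.

BUILDINFO_MAGIC = b"\xff Go buildinf:"   # 14 bytes
HEADER_SIZE = 32
FLAG_VERSION_INLINE = 0x2                # bit set when strings follow the header


def _uvarint(buf: bytes, pos: int):
    """Decode a base-128 varint at pos; return (value, position after it)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if b < 0x80:
            return value, pos
        shift += 7


def _prefixed_bytes(buf: bytes, pos: int):
    """Read a uvarint length, then that many bytes."""
    n, pos = _uvarint(buf, pos)
    return buf[pos:pos + n], pos + n


def parse_go_buildinfo(data: bytes):
    """Return {'version', 'main_module'} for a Go>=1.18 binary, else None."""
    idx = data.find(BUILDINFO_MAGIC)
    if idx < 0 or idx + HEADER_SIZE > len(data):
        return None
    flags = data[idx + 15]
    if not flags & FLAG_VERSION_INLINE:
        return None   # pre-1.18 pointer layout: not handled by this example
    version, pos = _prefixed_bytes(data, idx + HEADER_SIZE)
    mod, _ = _prefixed_bytes(data, pos)
    # Go brackets module info with 16-byte sentinels; strip them using the
    # same check debug/buildinfo applies (length and trailing newline position).
    if len(mod) >= 33 and mod[-17:-16] == b"\n":
        mod = mod[16:-16]
    else:
        mod = b""
    main_module = ""
    for line in mod.decode("utf-8", "replace").splitlines():
        if line.startswith("path\t"):
            main_module = line.split("\t", 1)[1]
    return {"version": version.decode("utf-8", "replace"), "main_module": main_module}


def parse_go_buildinfo_file(path: str):
    """Convenience wrapper: inspect a binary on disk (e.g. an extracted helper)."""
    with open(path, "rb") as fh:
        return parse_go_buildinfo(fh.read())


def _uvarint_encode(n: int) -> bytes:
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def build_sample(version: str, modinfo: str) -> bytes:
    """Constructed stand-in for a Go binary: ELF-ish junk plus a build-info blob.
    The sentinel bytes are placeholders, not Go's real sentinel values."""
    sentinel = b"\x01" * 16
    mod = sentinel + modinfo.encode() + sentinel
    header = BUILDINFO_MAGIC + bytes([8, FLAG_VERSION_INLINE])
    header += b"\x00" * (HEADER_SIZE - len(header))
    body = (_uvarint_encode(len(version)) + version.encode()
            + _uvarint_encode(len(mod)) + mod)
    return b"\x7fELF" + b"\x00" * 60 + header + body + b"\x00" * 8


# Constructed sample: a hypothetical helper built with go1.21.4.
SAMPLE_MODINFO = ("path\tgithub.com/example/helper\n"
                  "mod\tgithub.com/example/helper\t(devel)\t\n")
SAMPLE_BINARY = build_sample("go1.21.4", SAMPLE_MODINFO)

if __name__ == "__main__":
    print(parse_go_buildinfo(SAMPLE_BINARY))
```

Run parse_go_buildinfo_file against the helper binary pulled out of your application image (dive will show you the layer it lives in) to see the version string your scanner is matching against; the Go toolchain's own `go version -m <file>` prints the same fields and is the quicker check if you have Go installed. Knowing that the finding comes from a short-lived CLI helper rather than a network service is what lets you justify a scanner ignore entry for the server- and HTTP-related CVEs the answer mentions, while still tracking the Go version so that updating the builder actually retires the findings.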