Building Golang packages using Spring Boot 3 bootBuildImage?
I am using spring boot v3.1.5 and using bootBuildImage to build my image. After scanning my images, I found a lot of CVEs related to golang. As far as I understand, multiple golang build packages are used during the image building process.
Is there a way to solve this problem? Can I configure spring to avoid using these packages?
I tried configuring the used buildpack without success. I want to have zero golang related files in the image I create.
Correct answer
Very good!
No, that's incorrect. When you build a Java application, it uses only Java-related build packages. It doesn't use any Go buildpacks. You can see the list of build packages it uses in the build's output. It looks like this. The buildpacks listed in the instrumentation are the only ones called.
===> DETECTING 6 of 26 buildpacks participating paketo-buildpacks/ca-certificates 3.6.6 paketo-buildpacks/bellsoft-liberica 10.4.2 paketo-buildpacks/syft 1.39.0 paketo-buildpacks/executable-jar 6.8.2 paketo-buildpacks/dist-zip 5.6.7 paketo-buildpacks/spring-boot 5.27.5
What may confuse you is that All Paketo buildpacks themselves are written in Golang. So if you were to select a buildpack image such as gcr.io/paketo-buildpacks/bellsoft-liberica, you would see /cnb/buildpacks/paketo-buildpacks_bellsoft-liberica/10.4. There is a Go binary at 2/bin /main. This is what is called during instrumentation and building, and what actually does the work of building the package.
Additionally, the buildpack performs some operations before the application runtime is started, such as configuring JVM settings, which are performed by a separate binary named helper (in the same directory as the buildpack image). Unlike main, this binary is copied into the final image, so your scanner correctly thinks that the Go binary is present in the image. It is the helper binary. If you view the application image using dive you can see the layer adding the helper binary and confirm this.
Your scanner will see this binary and scan it like anything else. It's able to tell from a binary which version of Golang created that binary, and from there it tells you that the binary may be vulnerable to any known CVEs for that version of Go or higher. The scanner has zero knowledge about the purpose of the binary or whether it is actually vulnerable to any CVEs. I don't know what CVEs you are referring to, but I can tell you that given the context of the Paketo buildpack
helper binary, most of the CVEs will not apply. For example, anything related to servers, networking, or HTTP is irrelevant. helper The binary is a CLI that runs and usually reads arguments/environment variables and then prints out some structured text. That's it, usually no server, network, or HTTP required.
specific questions about CVEs and their impact, you can ask on the Paketo Slack, but don't just dump the CVE list in the scanner there and expect someone to double check everything. you. Please note that this project is an OSS project and people respond in good faith and as time permits. If you need more help or want a guaranteed response time, then you'll want to consider contracting with a commercial build package provider.
Golang files cannot be deleted, they are essentially build packages.what can you do:
- Keep your builders and buildpacks updated. The Paketo project cuts new releases every week, and we actively keep Go up to date so that new releases contain all the latest fixes.
- Check for reported CVEs, if you keep up to date there shouldn't be many. Given the context in which the package binaries are built (see above), they are most likely irrelevant, and you can then tell the scanner to ignore them. They should be leaving soon because 1. )
- Since you are using the Spring Boot build tools, please make sure you have seen
this announcement and have applied the required changes. If you don't do this, you will definitely get a lot of CVEs because you will have very old build packages.
The above is the detailed content of Building Golang packages using Spring Boot 3 bootBuildImage?. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
The price of Bitcoin since its birth 2009-2025 The most complete summary of BTC historical prices
Jan 15, 2025 pm 08:11 PM
Since its inception in 2009, Bitcoin has become a leader in the cryptocurrency world and its price has experienced huge fluctuations. To provide a comprehensive historical overview, this article compiles Bitcoin price data from 2009 to 2025, covering major market events, changes in market sentiment, and important factors influencing price movements.
What to do if the time is gone in the lower right corner of Windows 11_What to do if the time is gone in the lower right corner of Windows 11
May 06, 2024 pm 01:20 PM
1. First, right-click on the blank space of the taskbar at the bottom of Windows 11 and select [Taskbar Settings]. 2. Find [taskbarcorneroverflow] on the right in the taskbar settings. 3. Then find [clock] or [Clock] above it and select to turn it on. Method 2: 1. Press the keyboard shortcut [win+r] to call up run, enter [regedit] and press Enter to confirm. 2. Open the registry editor, find [HKEY_CURRENT_USERControlPanel] in it, and delete it. 3. After deletion, restart the computer and you will be prompted for configuration. When you return to the system, the time will be displayed.
Are there any community forums or discussion groups for Java functions where I can ask questions and discuss them?
Apr 28, 2024 pm 02:12 PM
Answer: The following community forums and discussion groups are available for Java functional programming questions: StackOverflow: The world's largest programming Q&A website with a community of Java functional programming experts. JavaFunctionalProgramming: A community forum focused on Java functional programming, providing discussions on concepts, language features, and best practices. Redditr/functionaljava: A subreddit focused on functional programming in Java, focusing on tools, libraries, and technologies. Discord: JavaFunctional Programming: Discord service that provides real-time discussion, code sharing and collaboration
How to use other people's code in python
May 05, 2024 pm 07:54 PM
How do I use other people's Python code? Find code repositories: Find the code you need on platforms like PyPI and GitHub. Installation code: Use pip or clone the GitHub repository to install. Import modules: Use the import statement in your script to import installed modules. Working with code: Access functions and classes in modules. (Optional) Adapt the code: Modify the code as needed to fit your project.
What should I do if the time on my win11 computer is always wrong? How to adjust the wrong time on Windows 11 computer
May 03, 2024 pm 09:20 PM
What should I do if the time on my win11 computer is always wrong? We all set the time or calendar when using win11 system, but many users are asking that the computer time is always wrong, so what is going on? Users can directly click on the taskbar below, and then find taskbarcorneroverflow to set it up. Let this site introduce to users in detail how to adjust the time error on Win11 computers. How to adjust the computer time error in Windows 11. Method 1: 1. We first right-click on the blank space of the taskbar below and select Taskbar Settings. Method 2: 1. Press the keyboard shortcut win+r to call up run, enter regedit and press Enter to confirm.
Common exception types and their repair measures in Java function development
May 03, 2024 pm 02:09 PM
Common exception types and their repair measures in Java function development During the development of Java functions, various exceptions may be encountered, which affect the correct execution of the function. The following are common exception types and their repair measures: 1. NullPointerException Description: Thrown when accessing an object that has not been initialized. Fix: Make sure you check the object for non-null before using it. Sample code: try{Stringname=null;System.out.println(name.length());}catch(NullPointerExceptione){
What does overflow mean in css
Apr 28, 2024 pm 03:15 PM
overflow is a property of CSS that is used to control the display mode of element content when it exceeds the container. Available values include: visible: the content is visible, the overflow container is hidden: the overflow content is cut scroll: the scroll bar is displayed to view the overflow content auto: the browser automatically determines Whether to display the scroll bar inherit: inherit the overflow attribute of the parent element
Doesn't anyone take care of Douyin's random accounts? Can I appeal a second time?
May 03, 2024 am 09:37 AM
As a world-renowned short video platform, Douyin has a huge user base and content creators. However, as the platform rules are constantly updated and improved, some users may encounter account bans. This has raised public questions about the transparency and fairness of platform management. This article will discuss the issue of Douyin account bans and whether users have ways to appeal after their accounts are banned. There may be many reasons for being banned on the Douyin platform, including but not limited to illegal content, violation of platform regulations, infringement of other people's rights, etc. In order to maintain the order of the platform and the interests of users, Douyin has set up a series of rules and review mechanisms. When some users violate the rules, their accounts may be banned. However, some users may question or be dissatisfied with the reasons for the ban
