Our scanner found some CVEs in Traefik v2.10.7 so I was wondering if anyone would be able to tell me which are false positives or not. I realize that Traefik v2.10.7 is unsupported now so I'm not expecting anything to get updated or fixed, but it would be nice to know which of these can be dismissed and which will be affecting the Traefik version my team is using until we can update to v3.0.0.
I've already gone through the forum and eliminated the CVEs that have already been discussed, but there were a couple that hadn't been brought up before:
We can't upgrade to 2.11 because it is built with Go 1.22. I work at Red Hat and we try to use internal containers as base images, and the latest Go version available there is 1.20 for RHEL 8 and 1.21 for RHEL 9. We fully intend to move to v3.0.0 as soon as 1.22 is available internally, but since my team doesn't control that timeline we were wondering if it'd be possible to get confirmation on these in the meantime.
I did go through the other CVE threads, including the one you linked. I've already eliminated those as false positives and they aren't included in the list above. Some of the moby CVEs were dismissed because traefik only uses the Docker API, and CVE's CVE-2024-23653, CVE-2024-23652, CVE-2024-23651 and CVE-2024-23650 are about buildkit which does provide APIs.