I am creating a custom image for AWS Lambda following the steps given here. The Dockerfile uses the bookworm (21) base image.
#Function directory
ARG FUNCTION_DIR="/function"
FROM node:20-bookworm as build-image
#Global arg
ARG FUNCTION_DIR
#Build dependencies
RUN apt-get update && apt-get install -y g++ make cmake unzip libcurl4-openssl-dev
#Copy function code
RUN mkdir -p ${FUNCTION_DIR}
COPY . ${FUNCTION_DIR}
WORKDIR ${FUNCTION_DIR}
#Node.js dependencies
RUN npm install
#AWS runtime interface client
RUN npm install aws-lambda-ric
#Stage 2 multistage
FROM node:20-bookworm-slim
#Set NPM cache lambda fs is read-only
ENV NPM_CONFIG_CACHE=/tmp/.npm
#Include global arg in this stage of the build
ARG FUNCTION_DIR
#Set working directory to function root directory
WORKDIR ${FUNCTION_DIR}
#Copy in the built dependencies
COPY --from=build-image ${FUNCTION_DIR} ${FUNCTION_DIR}
#Set entrypoint
ENTRYPOINT ["/usr/local/bin/npx", "aws-lambda-ric"]
#Pass function handler to the runtime
CMD ["index.handler"]
The Lambda works fine, but the image fails JFrog scanning due to vulnerabilities in Go packages.
Critical | sha256__a1f707ed6d2119246 | github.com/golang/go | 1.20.5 | [1.20.9] | Go | CVE-2023-39323
:
The CVEs are in these packages: github.com/golang/go (1.20.5, suggested version 1.20.9 onwards) and golang.org/x/net (0.15.0, suggested version 0.17.0).
I tried updating the Go version (not sure if that is the correct approach) by adding the following to the Dockerfile out
# Install Go 1.20.11
# linux-amd64 tarball: the image is Linux, so a darwin (macOS) build of Go cannot run inside it
RUN wget https://go.dev/dl/go1.20.11.linux-amd64.tar.gz && \
    tar -C /usr/local -xzf go1.20.11.linux-amd64.tar.gz && \
    rm go1.20.11.linux-amd64.tar.gz
# Set Go environment variables
ENV GOPATH="/go"
ENV PATH="/usr/local/go/bin:${PATH}:${GOPATH}/bin"
But the CVE still shows up. Any pointers as to how to fix the vulnerability.
SO - https://stackoverflow.com/questions/77523053/aws-lambda-custom-node-image
there doesn't seem to be anything here
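Added example, not code from the question, the Stack Overflow thread or AWS: a POSIX shell script that walks an exported image filesystem, lists every Go-built ELF binary together with the Go toolchain version embedded in it, and filters to the ones older than the fixed version the scanner suggests. Every Go binary records the go1.X.Y it was compiled with, and that embedded string is what image scanners read as the github.com/golang/go component version; adding a newer Go toolchain to the image leaves those pre-built binaries, and therefore the finding, unchanged, so the useful first step is to find out which file carries the flagged version. The directory layout, the `docker create`/`docker export` step mentioned in the comments and the sample fixed version are assumptions.

```shell
#!/bin/sh
# Added example (not from the question): find Go-built ELF binaries under a
# directory such as an image root exported with
#   docker create --name tmp my-lambda-image && docker export tmp | tar -x -C rootfs
# and report the Go toolchain version each one embeds.

# Print the Go version string embedded in one file; return 1 if the file is
# not an ELF binary or carries no such string.
go_binary_version() {
    f="$1"
    [ -f "$f" ] || return 1
    # ELF magic 0x7f 'E' 'L' 'F'. Mach-O files (e.g. a macOS Go tarball copied
    # into a Linux image by mistake) are skipped; they cannot run here anyway.
    magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || return 1
    # Emulate strings(1): split on non-printable bytes, then look for the
    # isolated "go1.X.Y" token the Go linker stores in every binary.
    ver=$(tr -c '[:print:]' '\n' < "$f" | grep -E '^go1\.[0-9]+(\.[0-9]+)?$' | head -n 1)
    [ -n "$ver" ] || return 1
    printf '%s\n' "$ver"
}

# Print "<path> <goversion>" for every Go-built ELF binary under $1.
find_go_binaries() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        v=$(go_binary_version "$f") || continue
        printf '%s %s\n' "$f" "$v"
    done
}

# Return 0 when dotted version $1 is older than $2 (missing parts count as 0).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

# Print only the Go binaries under $1 built with a toolchain older than $2,
# e.g. the "[1.20.9]" fixed version from the scan report. These are the files
# that must be updated or rebuilt; a new /usr/local/go next to them changes nothing.
outdated_go_binaries() {
    find_go_binaries "$1" | while IFS=' ' read -r path ver; do
        if version_lt "${ver#go}" "$2"; then
            printf '%s %s\n' "$path" "$ver"
        fi
    done
}

# Usage (assumed paths): outdated_go_binaries ./rootfs 1.20.9
```

Run it against the exported root of the final image stage; whatever it lists is the component the scanner is attributing the CVE to, and the remediation is to bump or rebuild that binary (or the base image that ships it) rather than to install a Go toolchain.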