golang:1.10-stretch contains curl 7.52.1-5+deb9u8 which is vulnerable to CVE-2018-16890

[apetherick]

Suspect this is waiting on docker-library/buildpack-deps#46

[wglambert]

1.10 is no longer supported by upstream https://golang.org/doc/devel/release.html

Each major Go release is supported until there are two newer major releases.

It was deprecated three hours after you made this issue on the merge of #264

[tianon]

Additionally, looking at https://security-tracker.debian.org/tracker/CVE-2018-16890, this particular CVE only affects NTLM exchanges, which I imagine are not very common in Docker containers, especially those that are FROM golang.

See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-so-many-cves.