The answer to this question, as with so many in security, is: it depends on your threat model.
What I'd say is that some container vulnerability scanning tools are slightly unusual in that, by default, they flag "unfixable" issues for which there is no patched version in the distribution's repositories. For example, Snyk, Trivy, Anchore and Clair all default to this approach.
Standard vulnerability assessment tools used for virtual machine or physical server VA, such as Nessus, do not flag CVEs by default if there is no patch available.
So you have a couple of choices here:
- If your container VA tool has the option, tell it to ignore unpatchable issues (for example, Trivy has the --ignore-unfixed option). For most setups, this is probably the correct choice.
- Assess each unpatchable issue and decide whether it's relevant to your environment, then add it to a list of "things you're not worried about" if it's not.
- Compile packages manually to address the CVEs.
One other point to make is that there are a couple of ways of reducing the incidence of these issues:
- Work to minimize the number of packages used by your container images. Things like multi-stage builds are good for this.
- If possible, consider using static binaries in scratch images, which will largely remove this issue (although it does come with its own challenges).
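As an added example (not part of the answer above, and not a script from the Trivy or Docker projects), the following shell pipeline ties the two suggestions together: it writes a multi-stage Dockerfile whose final stage is a scratch image holding only a static Go binary, keeps a reviewed list of accepted findings in a .trivyignore file, and scans the built image with Trivy using --ignore-unfixed so that findings with no patched package available are dropped. The image tag, Go base image tag, module layout and the CVE id in the ignore file are assumptions or placeholders, not values from the original answer.

```shell
#!/bin/sh
# Added example, not from the original answer: build a minimal static image
# and scan it with Trivy, ignoring CVEs that have no fixed version.
# IMAGE, the golang base tag, ./cmd/app and the ignore-file CVE id are
# hypothetical; replace them with your own values.
set -eu

IMAGE="${IMAGE:-example.invalid/app:scan-demo}"   # hypothetical image tag

# Write a multi-stage Dockerfile into the directory given as $1 and print its path.
# The build stage carries the toolchain; only the static binary reaches the
# scratch stage, so the final image has no distro packages for a scanner to flag.
write_dockerfile() {
    cat > "$1/Dockerfile" <<'EOF'
# Build stage: full toolchain, never shipped.
FROM golang:1.22 AS build
WORKDIR /src
COPY . .
# CGO_ENABLED=0 yields a fully static binary; -trimpath and -s -w strip build paths and symbols.
RUN CGO_ENABLED=0 go build -trimpath -ldflags='-s -w' -o /out/app ./cmd/app

# Final stage: empty base image, so no package manager, no libc and no distro CVEs.
FROM scratch
COPY --from=build /out/app /app
USER 65534:65534
ENTRYPOINT ["/app"]
EOF
    printf '%s\n' "$1/Dockerfile"
}

# Write a .trivyignore into $1. Trivy reads this file from the working
# directory; one vulnerability id per line, '#' lines are comments.
# The id below is a placeholder for a finding you reviewed and accepted.
write_trivyignore() {
    cat > "$1/.trivyignore" <<'EOF'
# Reviewed: affected code path is not reachable in this service (placeholder id)
CVE-0000-00000
EOF
}

# Compose the Trivy command line for image $1.
# --ignore-unfixed drops findings with no patched package available;
# --exit-code 1 makes CI fail on any remaining HIGH/CRITICAL finding.
trivy_scan_cmd() {
    printf 'trivy image --ignore-unfixed --severity HIGH,CRITICAL --exit-code 1 %s' "$1"
}

# Full pipeline for the build context in $1: needs docker and trivy on PATH.
build_and_scan() {
    dir="$1"
    write_dockerfile "$dir" >/dev/null
    write_trivyignore "$dir"
    docker build -t "$IMAGE" "$dir"
    # Run from the build context so Trivy picks up the .trivyignore written above.
    (cd "$dir" && sh -c "$(trivy_scan_cmd "$IMAGE")")
}

# Only run the docker/trivy pipeline when explicitly requested, so the file
# can also be sourced just for its functions.
if [ "${RUN_PIPELINE:-0}" = "1" ]; then
    build_and_scan "${1:-.}"
fi
```

Run it as `RUN_PIPELINE=1 sh scan.sh path/to/build-context`. Because the scratch image contains no OS packages, Trivy's OS-package scan has nothing to report and what remains is the binary's own Go module dependencies, which is the set you actually control; the .trivyignore then records the per-finding decisions from the "assess each issue" option rather than silently widening the ignore rule.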