TAP image CVEs on stdlib scanned out in */helper files


Article ID: 391474


Updated On:

Products

VMware Tanzu Application Platform

Issue/Introduction

When customers run CVE scans against TAP images, the scanner may report Go standard library (stdlib) CVEs in the following files:

  • layers/tanzu-buildpacks_elastic-apm/helper/helper
  • layers/tanzu-buildpacks_spring-boot/helper/helper
  • layers/tanzu-buildpacks_bellsoft-liberica/helper/helper
  • layers/tanzu-buildpacks_ca-certificates/helper/helper

Environment

Tanzu Application Platform

Resolution

These */helper binaries come from the Java buildpacks. They are statically linked Go programs, which is why a scanner attributes Go stdlib CVEs to them. The helpers do not process HTML or templates: they run at container start and only compose Java arguments for the command line. The reported vulnerabilities therefore do not apply to these files.
Rebuilding the helpers with a Go toolchain that contains the fix (that is, picking up a newer buildpack release) removes the findings from the CVE scan output.
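To decide whether a stdlib finding even applies to a helper, the first fact to establish is which Go toolchain linked it, and then compare that with the fixed version named in the advisory. The Python script below is an added example for this article, not code from the KB or from the buildpack project. It reads the build-info blob that the Go linker embeds in every binary and assumes the Go 1.18+ inline layout (version and module info stored as varint-prefixed strings behind a 32-byte header); the sample binary it builds for demonstration is constructed, and its module path `example.com/helper` is made up.

```python
"""Read the Go build-info blob out of a statically linked binary (for
example layers/tanzu-buildpacks_spring-boot/helper/helper) to learn which
Go toolchain built it, then compare that with an advisory's fixed version.

Assumptions (not from the KB article): the binary was linked by Go 1.18 or
newer, so the 32-byte header has the 0x2 flag set and the version and
module info follow inline as varint-prefixed strings. The older
pointer-based layout is reported as unsupported rather than guessed.
"""
import re
import sys

BUILDINFO_MAGIC = b"\xff Go buildinf:"   # 14-byte magic opening the blob
HEADER_SIZE = 32                         # magic + ptr size + flags + padding
# cmd/go wraps runtime.modinfo in this 16-byte sentinel on both ends.
MODINFO_SENTINEL = bytes.fromhex("3077af0c9274080241e1c107e6d618e6")


def _read_uvarint(buf, pos):
    """Decode an unsigned LEB128 varint at buf[pos]; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if b < 0x80:
            return value, pos
        shift += 7


def _read_bytes(buf, pos):
    """Read one varint-length-prefixed byte string; return (bytes, next_pos)."""
    n, pos = _read_uvarint(buf, pos)
    return buf[pos:pos + n], pos + n


def read_go_buildinfo(data):
    """Return {'version': 'go1.x.y', 'modules': [...]} or raise ValueError."""
    off = data.find(BUILDINFO_MAGIC)
    if off < 0:
        raise ValueError("no Go build-info blob: not a Go binary, or stripped")
    flags = data[off + 15]
    if flags & 0x2 == 0:
        raise ValueError("pre-1.18 pointer-based build info is not handled here")
    pos = off + HEADER_SIZE
    version, pos = _read_bytes(data, pos)
    mod, _ = _read_bytes(data, pos)
    # Strip the sentinel framing; without it the module info is not trustworthy.
    if mod.startswith(MODINFO_SENTINEL) and mod.endswith(MODINFO_SENTINEL):
        mod = mod[16:-16]
    else:
        mod = b""
    modules = [line for line in mod.decode("utf-8", "replace").split("\n") if line]
    return {"version": version.decode("utf-8", "replace"), "modules": modules}


def parse_go_version(v):
    """'go1.21.5' -> (1, 21, 5); 'go1.21' -> (1, 21, 0).
    Pre-release suffixes are dropped, so 'go1.22rc1' compares as 1.22.0 (assumption)."""
    m = re.match(r"go(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        raise ValueError("unrecognised Go version %r" % v)
    return tuple(int(x or 0) for x in m.groups())


def fixed_in(binary_version, fixed_version):
    """True if the toolchain that built the binary is at least the advisory's
    fixed version (use the fixed version for the binary's own minor line)."""
    return parse_go_version(binary_version) >= parse_go_version(fixed_version)


def make_sample_binary(version, modinfo_lines):
    """Constructed test input: an ELF-looking byte string carrying an inline
    build-info blob. This is not a real buildpack helper."""
    def enc(b):
        n, out = len(b), bytearray()
        while True:
            byte = n & 0x7F
            n >>= 7
            if n:
                out.append(byte | 0x80)
            else:
                out.append(byte)
                return bytes(out) + b
    mod = MODINFO_SENTINEL + ("\n".join(modinfo_lines) + "\n").encode() + MODINFO_SENTINEL
    header = BUILDINFO_MAGIC + bytes([8, 0x02]) + b"\x00" * 16   # 64-bit, inline strings
    return b"\x7fELF" + b"\x00" * 60 + header + enc(version.encode()) + enc(mod) + b"\x00" * 8


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:  # no path given: use the constructed sample
        data = make_sample_binary("go1.20.6", ["path\texample.com/helper",
                                               "mod\texample.com/helper\t(devel)\t"])
    info = read_go_buildinfo(data)
    print("built with:", info["version"])
    for line in info["modules"]:
        print("  ", line)
```

Run it as `python3 goinfo.py layers/tanzu-buildpacks_spring-boot/helper/helper` against a file extracted from the image; with no argument it inspects the constructed sample. Where a Go toolchain is installed, `go version -m <binary>` prints the same information. The version string is what to compare against the advisory, and the absence of any network or template handling in the helper is what makes the finding non-applicable regardless of the version.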