
Update gosu binaries and dependencies to eliminate vulnerabilities #149

Closed
wants to merge 2 commits into from

Conversation

shusaan commented Oct 17, 2024

This pull request addresses the vulnerabilities found in the redis:7.4.1-alpine3.20 image due to the gosu binaries. The following changes have been made to mitigate these vulnerabilities:

Rebuilt gosu binaries:
Rebuilt the gosu binaries using golang:1.23.2-bookworm.
Ensured that the latest security patches and updates are included.

github.com/moby/sys/user to v0.3.0
golang.org/x/sys to v0.26.0

Verify changes:
Copied the rebuilt gosu binaries to the container image.
Re-ran the scan using Trivy.

Changes made:
Updated the Dockerfile to use golang:1.23.2-bookworm.
Updated modules:

github.com/moby/sys/user to v0.3.0
golang.org/x/sys to v0.26.0

Updated the application version.

Please review the changes and provide feedback.
Ensure that all relevant tests pass before merging.

tianon (Owner) commented Oct 17, 2024

Please (re-)read https://github.com/tianon/gosu/blob/4233b796eeb3ba76c8597a46d89eab1f116188e2/SECURITY.md and follow up with your security scanner vendor on integrating with the Go-upstream-maintained govulncheck tool for appropriately detecting and more importantly filtering out vulnerabilities that do not apply / are not relevant in Go programs, libraries, and their dependencies.

@tianon tianon closed this Oct 17, 2024
tianon (Owner) commented Oct 17, 2024

To illustrate further:

```console
$ cat Dockerfile
FROM golang

RUN apt-get update -qq && apt-get install -yqq jq && rm -rf /var/lib/apt/lists/*

ADD --chmod=0755 https://github.com/tianon/gosu/raw/HEAD/govulncheck-with-excludes.sh /usr/local/bin/

RUN --mount=type=bind,from=tianon/gosu,src=/usr/local/bin/gosu,dst=/tmp/gosu \
	set -eux; \
	/tmp/gosu -v; \
	go install golang.org/x/vuln/cmd/govulncheck@latest; \
	govulncheck-with-excludes.sh -mode=binary /tmp/gosu
$ docker buildx build --pull --no-cache .
#0 building with "default" instance using docker driver

#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 455B done
#1 DONE 0.0s

#2 [internal] load .dockerignore
#2 transferring context: 2B done
#2 DONE 0.0s

#3 [internal] load metadata for docker.io/library/golang:latest
#3 DONE 0.2s

#4 [internal] load metadata for docker.io/tianon/gosu:latest
#4 DONE 0.2s

#5 FROM docker.io/tianon/gosu@sha256:379167da67b16bef805283c11a8f3a05e5c64b83aacdd0adf1568cb4b646cd8a
#5 CACHED

#6 [stage-0 1/4] FROM docker.io/library/golang@sha256:a7f2fc9834049c1f5df787690026a53738e55fc097cd8a4a93faa3e06c67ee32
#6 CACHED

#7 [stage-0 2/4] RUN apt-get update -qq && apt-get install -yqq jq && rm -rf /var/lib/apt/lists/*
#7 ...

#8 https://github.com/tianon/gosu/raw/HEAD/govulncheck-with-excludes.sh
#8 DONE 0.2s

#8 https://github.com/tianon/gosu/raw/HEAD/govulncheck-with-excludes.sh
#8 CACHED

#7 [stage-0 2/4] RUN apt-get update -qq && apt-get install -yqq jq && rm -rf /var/lib/apt/lists/*
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libonig5:amd64.
(Reading database ... 15612 files and directories currently installed.)
Preparing to unpack .../libonig5_6.9.8-1_amd64.deb ...
Unpacking libonig5:amd64 (6.9.8-1) ...
Selecting previously unselected package libjq1:amd64.
Preparing to unpack .../libjq1_1.6-2.1_amd64.deb ...
Unpacking libjq1:amd64 (1.6-2.1) ...
Selecting previously unselected package jq.
Preparing to unpack .../archives/jq_1.6-2.1_amd64.deb ...
Unpacking jq (1.6-2.1) ...
Setting up libonig5:amd64 (6.9.8-1) ...
Setting up libjq1:amd64 (1.6-2.1) ...
Setting up jq (1.6-2.1) ...
Processing triggers for libc-bin (2.36-9+deb12u8) ...
#7 DONE 2.6s

#9 [stage-0 3/4] ADD --chmod=0755 https://github.com/tianon/gosu/raw/HEAD/govulncheck-with-excludes.sh /usr/local/bin/
#9 DONE 0.0s

#10 [stage-0 4/4] RUN --mount=type=bind,from=tianon/gosu,src=/usr/local/bin/gosu,dst=/tmp/gosu 	set -eux; 	/tmp/gosu -v; go install golang.org/x/vuln/cmd/govulncheck@latest; 	govulncheck-with-excludes.sh -mode=binary /tmp/gosu
+ /tmp/gosu -v
1.17 (go1.18.2 on linux/amd64; gc)
+ go install golang.org/x/vuln/cmd/govulncheck@latest
go: downloading golang.org/x/vuln v1.1.3
go: downloading golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7
go: downloading golang.org/x/mod v0.19.0
go: downloading golang.org/x/tools v0.23.0
go: downloading golang.org/x/sync v0.7.0
+ govulncheck-with-excludes.sh -mode=binary /tmp/gosu
No vulnerabilities found.
#10 DONE 9.6s

#11 exporting to image
#11 exporting layers
#11 exporting layers 0.7s done
#11 writing image sha256:e81f3dac048807891689e0ac26e91a4c5c3e31719c69ee418525229f17eb45b6 done
#11 DONE 0.7s
```
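The distinction the maintainer relies on in both comments above, between a vulnerable module that is merely linked into the binary and a vulnerable symbol the binary actually reaches, is what `govulncheck -mode=binary` reports in its `-json` stream. The following is an added example (not gosu's own `govulncheck-with-excludes.sh`, which is a jq-based shell script) that parses that stream and keeps only symbol-reachable findings not on a reviewed exclusion list; the sample stream, advisory ids, module names and versions are constructed placeholders.

```python
import json

# Constructed sample of govulncheck -json output: a stream of concatenated JSON
# objects. Advisory ids, modules and versions are placeholders, not real advisories.
SAMPLE_OUTPUT = """
{"config": {"protocol_version": "v1.0.0", "scan_mode": "binary"}}
{"osv": {"id": "GO-EXAMPLE-0001", "summary": "placeholder advisory A"}}
{"osv": {"id": "GO-EXAMPLE-0002", "summary": "placeholder advisory B"}}
{"finding": {"osv": "GO-EXAMPLE-0001", "fixed_version": "v0.1.1",
             "trace": [{"module": "golang.org/x/sys", "version": "v0.1.0"}]}}
{"finding": {"osv": "GO-EXAMPLE-0002", "fixed_version": "v0.4.0",
             "trace": [{"module": "example.com/dep", "version": "v0.3.0",
                        "package": "example.com/dep/pkg", "function": "Parse"}]}}
"""

def iter_objects(text):
    """Yield each top-level object from a concatenated, possibly pretty-printed, JSON stream."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return
        obj, pos = decoder.raw_decode(text, pos)
        yield obj

def parse_findings(text):
    """Group findings by OSV id; 'called' is True when a trace reaches a vulnerable symbol."""
    # A trace whose first frame names a function means the binary references the vulnerable
    # code; a module-only trace means the module is linked in but no vulnerable symbol is used.
    findings = {}
    for obj in iter_objects(text):
        f = obj.get("finding")
        if f is None:
            continue
        entry = findings.setdefault(f["osv"], {"called": False, "fixed": f.get("fixed_version")})
        trace = f.get("trace") or []
        if trace and trace[0].get("function"):
            entry["called"] = True
    return findings

def actionable(findings, excludes=frozenset()):
    """Ids that are symbol-reachable and not on a reviewed exclusion list."""
    return sorted(vid for vid, e in findings.items() if e["called"] and vid not in excludes)

if __name__ == "__main__":
    fs = parse_findings(SAMPLE_OUTPUT)
    print("actionable:", actionable(fs) or "none")
```

On the sample, the `golang.org/x/sys` finding is module-only and drops out, while the second is reported until it is reviewed and added to the exclusion set; this is why a binary-level, call-graph-aware scan can legitimately print "No vulnerabilities found." where a package-list scanner flags the same dependency.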

shusaan (Author) commented Oct 17, 2024

@tianon Thank you, but what are your thoughts about the version update along with the build base image version, because these are old:

github.com/moby/sys/user to v0.1.0
golang.org/x/sys to v0.1.0

tianon (Owner) commented Oct 17, 2024

What harm is caused by them being "old" and/or what is fixed or improved in the code we actually invoke within the gosu codepaths by updating them?

shusaan (Author) commented Oct 17, 2024

There is no issue with the old version; this worked perfectly. I also did the same:
+ govulncheck-with-excludes.sh -mode=binary /tmp/gosu
No vulnerabilities found.
But if we update the version then there is no complaint from other scanner tools as well. I know this govulncheck-with-excludes.sh tool is used for Go projects; it's your choice whether you want to update or leave it as it is.

Thank you, man, for the time.
