Update gosu binaries and dependencies to eliminate vulnerabilities #149
Please (re-)read https://github.com/tianon/gosu/blob/4233b796eeb3ba76c8597a46d89eab1f116188e2/SECURITY.md and follow up with your security scanner vendor on integrating with the Go-upstream-maintained
To illustrate further:

```console
$ cat Dockerfile
FROM golang
RUN apt-get update -qq && apt-get install -yqq jq && rm -rf /var/lib/apt/lists/*
ADD --chmod=0755 https://github.com/tianon/gosu/raw/HEAD/govulncheck-with-excludes.sh /usr/local/bin/
RUN --mount=type=bind,from=tianon/gosu,src=/usr/local/bin/gosu,dst=/tmp/gosu \
	set -eux; \
	/tmp/gosu -v; \
	go install golang.org/x/vuln/cmd/govulncheck@latest; \
	govulncheck-with-excludes.sh -mode=binary /tmp/gosu
$ docker buildx build --pull --no-cache .
#0 building with "default" instance using docker driver
#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 455B done
#1 DONE 0.0s
#2 [internal] load .dockerignore
#2 transferring context: 2B done
#2 DONE 0.0s
#3 [internal] load metadata for docker.io/library/golang:latest
#3 DONE 0.2s
#4 [internal] load metadata for docker.io/tianon/gosu:latest
#4 DONE 0.2s
#5 FROM docker.io/tianon/gosu@sha256:379167da67b16bef805283c11a8f3a05e5c64b83aacdd0adf1568cb4b646cd8a
#5 CACHED
#6 [stage-0 1/4] FROM docker.io/library/golang@sha256:a7f2fc9834049c1f5df787690026a53738e55fc097cd8a4a93faa3e06c67ee32
#6 CACHED
#7 [stage-0 2/4] RUN apt-get update -qq && apt-get install -yqq jq && rm -rf /var/lib/apt/lists/*
#7 ...
#8 https://github.com/tianon/gosu/raw/HEAD/govulncheck-with-excludes.sh
#8 DONE 0.2s
#8 https://github.com/tianon/gosu/raw/HEAD/govulncheck-with-excludes.sh
#8 CACHED
#7 [stage-0 2/4] RUN apt-get update -qq && apt-get install -yqq jq && rm -rf /var/lib/apt/lists/*
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libonig5:amd64.
(Reading database ... 15612 files and directories currently installed.)
Preparing to unpack .../libonig5_6.9.8-1_amd64.deb ...
Unpacking libonig5:amd64 (6.9.8-1) ...
Selecting previously unselected package libjq1:amd64.
Preparing to unpack .../libjq1_1.6-2.1_amd64.deb ...
Unpacking libjq1:amd64 (1.6-2.1) ...
Selecting previously unselected package jq.
Preparing to unpack .../archives/jq_1.6-2.1_amd64.deb ...
Unpacking jq (1.6-2.1) ...
Setting up libonig5:amd64 (6.9.8-1) ...
Setting up libjq1:amd64 (1.6-2.1) ...
Setting up jq (1.6-2.1) ...
Processing triggers for libc-bin (2.36-9+deb12u8) ...
#7 DONE 2.6s
#9 [stage-0 3/4] ADD --chmod=0755 https://github.com/tianon/gosu/raw/HEAD/govulncheck-with-excludes.sh /usr/local/bin/
#9 DONE 0.0s
#10 [stage-0 4/4] RUN --mount=type=bind,from=tianon/gosu,src=/usr/local/bin/gosu,dst=/tmp/gosu set -eux; /tmp/gosu -v; go install golang.org/x/vuln/cmd/govulncheck@latest; govulncheck-with-excludes.sh -mode=binary /tmp/gosu
+ /tmp/gosu -v
1.17 (go1.18.2 on linux/amd64; gc)
+ go install golang.org/x/vuln/cmd/govulncheck@latest
go: downloading golang.org/x/vuln v1.1.3
go: downloading golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7
go: downloading golang.org/x/mod v0.19.0
go: downloading golang.org/x/tools v0.23.0
go: downloading golang.org/x/sync v0.7.0
+ govulncheck-with-excludes.sh -mode=binary /tmp/gosu
No vulnerabilities found.
#10 DONE 9.6s
#11 exporting to image
#11 exporting layers
#11 exporting layers 0.7s done
#11 writing image sha256:e81f3dac048807891689e0ac26e91a4c5c3e31719c69ee418525229f17eb45b6 done
#11 DONE 0.7s
```
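The check above turns on what govulncheck can tell that a version-matching scanner cannot: whether the binary actually reaches a vulnerable symbol. The following is an added Python example (not gosu's `govulncheck-with-excludes.sh`, and not code from this thread) that triages a `govulncheck -json` stream the same way: it assumes the documented record shape (objects keyed `config`/`progress`/`osv`/`finding`, a finding's `trace` naming a `function` only when a symbol is reached), and the stream, OSV IDs, modules and versions in `SAMPLE_STREAM` are constructed.

```python
import json

# Constructed sample of a govulncheck -json stream: pretty-printed objects
# written back to back, not one per line. IDs, modules and versions are made up.
SAMPLE_STREAM = """
{"config": {"protocol_version": "v1.0.0", "scan_mode": "binary"}}
{"finding": {"osv": "GO-0000-EX1", "fixed_version": "v0.99.0",
  "trace": [{"module": "example.com/dep", "version": "v0.98.0"}]}}
{"finding": {"osv": "GO-0000-EX2", "fixed_version": "go1.99.1",
  "trace": [{"module": "stdlib", "version": "go1.99.0"}]}}
{"finding": {"osv": "GO-0000-EX2", "fixed_version": "go1.99.1",
  "trace": [{"module": "stdlib", "version": "go1.99.0",
             "package": "net/http", "function": "Serve"}]}}
{"finding": {"osv": "GO-0000-EX3", "fixed_version": "go1.99.1",
  "trace": [{"module": "stdlib", "version": "go1.99.0",
             "package": "crypto/tls", "function": "Handshake"}]}}
"""


def iter_objects(stream):
    """Yield each top-level JSON object from a concatenated (non-NDJSON) stream."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        while pos < len(stream) and stream[pos].isspace():  # skip separators
            pos += 1
        if pos >= len(stream):
            return
        obj, pos = decoder.raw_decode(stream, pos)
        yield obj


def triage(stream, excludes):
    """Group OSV IDs by whether the scanned binary reaches a vulnerable symbol."""
    # govulncheck emits one finding per granularity (module, package, symbol);
    # an ID counts as reachable only if some finding's trace names a function.
    seen, reachable = set(), set()
    for obj in iter_objects(stream):
        finding = obj.get("finding")
        if finding is None:  # config / progress / osv records
            continue
        seen.add(finding["osv"])
        if any("function" in frame for frame in finding["trace"]):
            reachable.add(finding["osv"])
    return {
        "excluded": sorted(seen & excludes),                 # accepted after review
        "reachable": sorted(reachable - excludes),           # needs a fix or a reviewed exclusion
        "module_only": sorted(seen - reachable - excludes),  # version match, code never called
    }
```

Only the `reachable` bucket corresponds to what the build above reports; a module-only match is the kind of result a scanner that compares version strings will keep flagging.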
@tianon Thank you, but what are your thoughts about a version update along with the build base image version, because these are old?
What harm is caused by them being "old" and/or what is fixed or improved in the code we actually invoke within the
There is no issue with the old version, this worked perfectly. I also did the same. Thank you, man, for the time.
This pull request addresses the vulnerabilities found in the `redis:7.4.1-alpine3.20` image due to the gosu binaries. The following changes have been made to mitigate these vulnerabilities:

Rebuilt gosu Binaries:
- Rebuilt the gosu binaries using `golang:1.23.2-bookworm`.
- Ensured that the latest security patches and updates are included.

Verify Changes:
- Copied the rebuilt `gosu` binaries to the container image.
- Re-run the scan using `trivy`.

Changes Made:
- Update Dockerfile to this version: `golang:1.23.2-bookworm`.
- Update Modules.
- Update Application version.

Please review the changes and provide feedback.
Ensure that all relevant tests pass before merging.