
Custom build gosu with current go to remove CVEs

Open · nathanlaceyraft opened this issue 10 months ago · 1 comment

Summary

The gosu security policy (https://github.com/tianon/gosu/blob/master/SECURITY.md) says they don't update Go for CVEs, so gosu is built with an unsupported version of Go (1.20).

The two supported Go versions that have the most CVEs resolved are 1.23.6 and 1.24.0; I felt using 1.23.6 was a safer upgrade.

This PR custom-builds gosu with a currently supported Go version and copies it into the final image.

trivy image --scanners vuln wiremock/wiremock:3.12.0 shows that we'll get rid of the following CVEs:

usr/local/bin/gosu (gobinary)

Total: 58 (UNKNOWN: 0, LOW: 1, MEDIUM: 23, HIGH: 31, CRITICAL: 3)

Thanks for your consideration

References

https://github.com/wiremock/wiremock-docker/pull/129

nathanlaceyraft · Feb 24 '25 19:02
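The approach the PR describes, a multi-stage build that compiles gosu with a supported Go toolchain and copies only the resulting static binary into the final image, as an added example. This is not the PR's own Dockerfile or wiremock-docker's: it overlays the rebuilt gosu onto the published wiremock/wiremock:3.12.0 image named above so the result can be rescanned directly, and the gosu release tag (1.17) is an assumption to be checked against the upstream releases page.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not from the wiremock-docker PR): rebuild gosu with a
# currently supported Go toolchain so the Go stdlib CVEs flagged by trivy
# against the upstream gosu binary (built with Go 1.20) no longer apply.

# Go version from the PR description; gosu tag is an assumed upstream release.
ARG GO_VERSION=1.23.6
ARG GOSU_VERSION=1.17

# Stage 1: build a static gosu binary from source with the chosen toolchain.
FROM golang:${GO_VERSION} AS gosu-builder
ARG GOSU_VERSION
# CGO disabled: gosu needs no C libraries, and a static binary has no libc
# dependency on whatever base image it is copied into.
ENV CGO_ENABLED=0
# -s -w strip symbol and DWARF tables; they are not needed at runtime.
RUN go install -ldflags '-s -w' "github.com/tianon/gosu@${GOSU_VERSION}" \
 && /go/bin/gosu --version \
 # Show the toolchain and module versions embedded in the binary; this is
 # the same metadata trivy reads when it classifies a "gobinary" target.
 && go version -m /go/bin/gosu

# Stage 2: overlay the rebuilt binary on the published image (hypothetical
# overlay on the image the PR mentions; the real fix belongs in the
# project's own Dockerfile). No Go toolchain ships in the final image.
FROM wiremock/wiremock:3.12.0
COPY --from=gosu-builder --chmod=0755 /go/bin/gosu /usr/local/bin/gosu
RUN gosu --version
```

Build it with `docker build -t wiremock-gosu-rebuilt .` and rescan with the same command the PR used, `trivy image --scanners vuln wiremock-gosu-rebuilt`; the `usr/local/bin/gosu (gobinary)` target should now report the Go version you pinned, and the stdlib findings tied to Go 1.20 should be gone. Pinning `GO_VERSION` to an exact patch release makes the build reproducible, but it also means the pin must be bumped as new Go patch releases address further CVEs.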

Hi, bumping this! We have several CVEs marked here because this was built using 1.18.2.

mguezuraga · Apr 08 '25 14:04