Skip to content

manually build gosu with current golang image to resolve CVE (pull/1323) #1324

@nathanlaceyraft

Description

@nathanlaceyraft

#1323

trivy image --scanners vuln
shows that we'll get rid of the following CVE's

usr/local/bin/gosu (gobinary)

Total: 58 (UNKNOWN: 0, LOW: 1, MEDIUM: 23, HIGH: 31, CRITICAL: 3)

gosu security policy https://github.com/tianon/gosu/blob/master/SECURITY.md says they don't update golang for CVE's
So gosu is build with a unsupported version of go (1.20)
The two support go versions that have the most CVE's resolved are 1.23.6 and 1.24.0
I felt using 1.23.6 was a safer upgrade.

Your own documents talk about gosu, and I believe gosu hase a fundamental misunderstanding about what a vulnerability free govulncheck means. I understand it to mean that you don't have any external dependencies with vulnerabilities, not that you shouldn't update compiler versions. They are 2 different things.

This PR removes the CVE caused by gosu by doing a custom build of gosu with a currently supported go version.
And copies it into the final image.

Thanks for your consideration

Activity

tianon

tianon commented on Feb 25, 2025

@tianon
Member

The CVEs in question specify a particular bit of code which has a defect (some of which exhibit as a "vulnerability", in that they're exploitable). The govulncheck tool works by checking whether or not the code in the binary or codebase being tested actually ever invokes those code paths. When coupled with the feature of the compiler where it trims out code that isn't invoked, the binary literally does not contain the "vulnerable" code.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        @tianon@nathanlaceyraft

        Issue actions

          manually build gosu with current golang image to resolve CVE (pull/1323) · Issue #1324 · docker-library/postgres