- Notifications
You must be signed in to change notification settings - Fork1.2k
Remove gosu based CVE by building gosu with current golang image#1323
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
base:master
Are you sure you want to change the base?
Uh oh!
There was an error while loading.Please reload this page.
Conversation
While the list of CVEs is annoying for users,@tianon is correct and the problem lies in security scanners. They should not blindly attribute a CVE for including a library when go has tooling that they can use to do better and know which functions of the library were included in the binary. They should only attribute the CVE if the vulnerable code path is included and useable in the binary. |
nathanlaceyraft commentedFeb 25, 2025 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
Lets pretend we are living in a better world where the vulnerability scanners are better and don't report any false CVE's. You still have a problem of docker postgres including a binary that was created with a compiler that is a year past End Of Life! The 2 golang compilers that aren't EOL are 1.23.x and 1.24.x |
Is there a concrete problem caused by using an "end of life" compiler? Because if so, the Linux distributions would probably like to know about it. As far as I know, there is no meaningful change caused to the |
The point about not using EOL software, is that no one is maintaining it any longer, no one is fixing newly discovered problems with it. |
bgehman commentedMar 26, 2025
I would add that security researchers are focused on up-to-date supported software versions: that's where they are looking and where CVEs are discovered, and only afterwards are any related older versions called out. Researches are not hacking on old EOL versions of compilers and libraries. This entire debate is akin to someone claiming their Win-95 server is secure because nobody has reported a CVE against Win-95 in the past 20-odd years. 🤦 I would like to see Golang owners chime in here, and confirm or deny this "best practice" of refusing to upgrade dependencies off of EOL. |
| @@ -4,6 +4,14 @@ | |||
| # PLEASE DO NOT EDIT IT DIRECTLY. | |||
| # | |||
| FROM golang:1.23.6 AS gosubuilder | |||
reneleonhardtJun 6, 2025 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
If security is the reason for rebuilding, then you probably should always use the latestgolang (1.23.10) by removing the patch digits.
In addition, Alpine images should probably use -alpine base images instead of Debian.
| FROM golang:1.23.6 AS gosubuilder | |
| FROM golang:1.23-alpine3.21 AS gosubuilder |
Furthermore alpine3.20 has been removed already, the latest release is 3.22, I recommend to rebase.
postgres 18 has been added too by the way.
nathanlaceyraftJun 16, 2025 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
@reneleonhardt the go image only matters for creating the binary artifact, and isn't part of the final image, so I don't think we are gaining anything from using alpine in this case.
This pr has been sitting for months, so I won't be touching it unless it looks like it starts moving forward.
But I believe you are wrong about removing patch digits.
They are important, otherwise you don't know when you need to create a new release. And update your own patch digits on your image
golang:1.24.4@sha256:10c131810f80a4802c49cab0961bbe18a16f4bb2fb99ef16deaa23e4246fc817
is how the current image should really be tagged.
The hash gives us protection from Supply Chain attack, if the image was compromised we would be told there was a problem instead of releasing our own compromised image
In my ideal world, we would add a .github/dependabot.yml file with
version: 2
updates:
- package-ecosystem: "docker"
directories:- "/"
schedule:
interval: "daily"
- "/"
And dependabot would be able to keep these files updated (we would need to include all the sub-folders within the directories config)
| @@ -4,6 +4,14 @@ | |||
| # PLEASE DO NOT EDIT IT DIRECTLY. | |||
| # | |||
| FROM golang:1.23.6 AS gosubuilder | |||
| ENV GOSU_VERSION=1.17 | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Please note that ENV variables are propagated to runtime, I suggest using ARG variables during build.
In addition, there have been 33 commits since 1.17, rebuilds could actually use the latest code instead of an outdated tag.
| ENV GOSU_VERSION=1.17 | |
| ARG GOSU_VERSION=1.17 |
| RUN git clone https://github.com/tianon/gosu.git --branch $GOSU_VERSION | ||
| WORKDIR /go/src/github.com/tianon/gosu | ||
| RUN go mod download | ||
| RUN go build |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Maybe it would be better to stay closer to the original build instructions, for example the build flags.
-trimpath -ldflags '-d -w'
Uh oh!
There was an error while loading.Please reload this page.
gosu security policyhttps://github.com/tianon/gosu/blob/master/SECURITY.md says they don't update golang unless govulncheck reports CVE's
So gosu is build with a unsupported version of go (1.18)
The two supported go versions that have the most CVE's resolved are 1.23.6 and 1.24.0
I felt using 1.23.6 was a safer upgrade.
Your own documents talk about gosu, and I believe gosu has a fundamental misunderstanding about what a vulnerability free govulncheck means. I understand it to mean that you don't have any external dependencies with vulnerabilities, not that you shouldn't update compiler versions. They are 2 different things.
This PR removes the CVE caused by gosu by doing a custom build of gosu with a currently supported go version.
And copies it into the final image.
trivy image --scanners vuln
shows that we'll get rid of the following CVE's
usr/local/bin/gosu (gobinary)
Total: 58 (UNKNOWN: 0, LOW: 1, MEDIUM: 23, HIGH: 31, CRITICAL: 3)
Thanks for your consideration