Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Custom build gosu with current go to remove CVEs #130

Open
nathanlaceyraft opened this issue Feb 24, 2025 · 0 comments
Open

Custom build gosu with current go to remove CVEs #130

nathanlaceyraft opened this issue Feb 24, 2025 · 0 comments
Labels
chore Maintenance

Comments

@nathanlaceyraft
Copy link

Summary

gosu security policy https://github.com/tianon/gosu/blob/master/SECURITY.md says they don't update golang for CVE's
So gosu is build with a unsupported version of go (1.20)

The two support go versions that have the most CVE's resolved are 1.23.6 and 1.24.0
I felt using 1.23.6 was a safer upgrade.

This PR custom builds gosu with a currently supported go version.
And copies it into the final image.

trivy image --scanners vuln wiremock/wiremock:3.12.0
shows that we'll get rid of the following CVE's

usr/local/bin/gosu (gobinary)

Total: 58 (UNKNOWN: 0, LOW: 1, MEDIUM: 23, HIGH: 31, CRITICAL: 3)

Thanks for your consideration

References

#129
@nathanlaceyraft nathanlaceyraft added the chore Maintenance label Feb 24, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
chore Maintenance
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@nathanlaceyraft