Remove gosu based CVE by building gosu with current golang image #1323
Conversation
cleanup reference
While the list of CVEs is annoying for users, @tianon is correct and the problem lies in security scanners. They should not blindly attribute a CVE for including a library when go has tooling that they can use to do better and know which functions of the library were included in the binary. They should only attribute the CVE if the vulnerable code path is included and useable in the binary. |
|
Lets pretend we are living in a better world where the vulnerability scanners are better and don't report any false CVE's. You still have a problem of docker postgres including a binary that was created with a compiler that is a year past End Of Life! The 2 golang compilers that aren't EOL are 1.23.x and 1.24.x |
|
Is there a concrete problem caused by using an "end of life" compiler? Because if so, the Linux distributions would probably like to know about it. As far as I know, there is no meaningful change caused to the |
|
The point about not using EOL software, is that no one is maintaining it any longer, no one is fixing newly discovered problems with it. |
I would add that security researchers are focused on up-to-date supported software versions: that's where they are looking and where CVEs are discovered, and only afterwards are any related older versions called out. Researches are not hacking on old EOL versions of compilers and libraries. This entire debate is akin to someone claiming their Win-95 server is secure because nobody has reported a CVE against Win-95 in the past 20-odd years. 🤦 I would like to see Golang owners chime in here, and confirm or deny this "best practice" of refusing to upgrade dependencies off of EOL. |
| @@ -4,6 +4,14 @@ | |||
| # PLEASE DO NOT EDIT IT DIRECTLY. | |||
| # | |||
|
|
|||
| FROM golang:1.23.6 AS gosubuilder | |||
There was a problem hiding this comment.
If security is the reason for rebuilding, then you probably should always use the latest golang (1.23.10) by removing the patch digits.
In addition, Alpine images should probably use -alpine base images instead of Debian.
| FROM golang:1.23.6 AS gosubuilder | |
| FROM golang:1.23-alpine3.21 AS gosubuilder |
Furthermore alpine3.20 has been removed already, the latest release is 3.22, I recommend to rebase.
postgres 18 has been added too by the way.
There was a problem hiding this comment.
@reneleonhardt the go image only matters for creating the binary artifact, and isn't part of the final image, so I don't think we are gaining anything from using alpine in this case.
This pr has been sitting for months, so I won't be touching it unless it looks like it starts moving forward.
But I believe you are wrong about removing patch digits.
They are important, otherwise you don't know when you need to create a new release. And update your own patch digits on your image
golang:1.24.4@sha256:10c131810f80a4802c49cab0961bbe18a16f4bb2fb99ef16deaa23e4246fc817
is how the current image should really be tagged.
The hash gives us protection from Supply Chain attack, if the image was compromised we would be told there was a problem instead of releasing our own compromised image
In my ideal world, we would add a .github/dependabot.yml file with
version: 2
updates:
- package-ecosystem: "docker"
directories:- "/"
schedule:
interval: "daily"
- "/"
And dependabot would be able to keep these files updated (we would need to include all the sub-folders within the directories config)
There was a problem hiding this comment.
Most maintainers in most projects don't allow update contributions as you can see here after your own work.
Most of my pull requests have never been accepted, especially if I added dependabot in addition to all my tedious manual updates (docker, npm, gomod, cargo, github-actions, ...).
I mean there's a reason why there are decades of technical debt in most projects if the maintainers even don't allow dependabot to automate most of that work 🤷
Of course it would be nice if dependabot would create those patches / hashes in a timely matter, but maintainers would still not merge them, so what would be gained?
What could work much better for users would be a cron workflow to rebuild the image with all available updates, compare if anything (meaningful) changed and release / publish if necessary without having to wait for a maintainer to press a merge button.
Then consumers would receive the best possible fresh image everyday.
It's hard to conceive why thousands of upstream maintainers work hard everyday to analyze and fix bugs when downstream maintainers just choose to ignore those updates for months or years.
| @@ -4,6 +4,14 @@ | |||
| # PLEASE DO NOT EDIT IT DIRECTLY. | |||
| # | |||
|
|
|||
| FROM golang:1.23.6 AS gosubuilder | |||
| ENV GOSU_VERSION=1.17 | |||
There was a problem hiding this comment.
Please note that ENV variables are propagated to runtime, I suggest using ARG variables during build.
In addition, there have been 33 commits since 1.17, rebuilds could actually use the latest code instead of an outdated tag.
| ENV GOSU_VERSION=1.17 | |
| ARG GOSU_VERSION=1.17 |
| RUN git clone https://github.com/tianon/gosu.git --branch $GOSU_VERSION | ||
| WORKDIR /go/src/github.com/tianon/gosu | ||
| RUN go mod download | ||
| RUN go build |
There was a problem hiding this comment.
Maybe it would be better to stay closer to the original build instructions, for example the build flags.
-trimpath -ldflags '-d -w'
|
I there a plan to patch this out? I understand the the 2 differing views on this and I have to say I am disappointed that security is taken so lightly in this day and age. I the enterprise IT world the idea of having a CVE with a known exploit in the wild is not tolerated given the number, size and cost of data breaches I ran postgres:17.6-alpine thru one of my scan tools ad to see the shear number of CVE's against gosu made my heart sink, especially after reading this thread and the related issue I think we all have a duty of care to make this container the best it can be, and to do that we need to remove as many CVE's as possible so that the enterprise CTO,CISO etc feel good when there InfoSEC teams conduct scans. here is my scan that could be fixed just by bumping up the golang and gosu versions |
|
We take security very seriously - if there really is a known exploit in See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves |
|
@tianon I am not understanding your inertia to the change that in all honesty would just take you to compile your gosu under a new go version OR, remove it all together as is not required in docker as you can just use the USER in the Dockerfile to set and forget as there is no part of of postgres that requires to be run as root after you build the container. This would remove all the issues and make the community happy I have created a postgres container that has no gosu, runs as postgres and is alpine so as to keep the CVE list small This is what all maintainers strive for, no tech debt and as small an attack surface as possible.... https://hub.docker.com/r/jlcox1970/postgresql-hardened I implore you to do the simple easy thing and either upgrade the version or remove it entirely |
|
@jlcox1970 Thank you so much for providing a minimal docker image, much obliged 🙏 The text works, can you correct the link? |
|
@reneleonhard, I currently dont have an automated build pipeline but I will set one up over the next few days |
|
Weirdest part of this whole thread and the suposed "false possitive" @tianon is that for someone who works for Docker that this container even lists the KEV in the Docker Scout |
|
Correct - Docker Scout should also take |
gosu security policy https://github.com/tianon/gosu/blob/master/SECURITY.md says they don't update golang unless govulncheck reports CVE's
So gosu is build with a unsupported version of go (1.18)
The two supported go versions that have the most CVE's resolved are 1.23.6 and 1.24.0
I felt using 1.23.6 was a safer upgrade.
Your own documents talk about gosu, and I believe gosu has a fundamental misunderstanding about what a vulnerability free govulncheck means. I understand it to mean that you don't have any external dependencies with vulnerabilities, not that you shouldn't update compiler versions. They are 2 different things.
This PR removes the CVE caused by gosu by doing a custom build of gosu with a currently supported go version.
And copies it into the final image.
trivy image --scanners vuln
shows that we'll get rid of the following CVE's
usr/local/bin/gosu (gobinary)
Total: 58 (UNKNOWN: 0, LOW: 1, MEDIUM: 23, HIGH: 31, CRITICAL: 3)
Thanks for your consideration