Open
Description
Summary
gosu security policy https://github.com/tianon/gosu/blob/master/SECURITY.md says they don't update golang for CVE's
So gosu is build with a unsupported version of go (1.20)
The two support go versions that have the most CVE's resolved are 1.23.6 and 1.24.0
I felt using 1.23.6 was a safer upgrade.
This PR custom builds gosu with a currently supported go version.
And copies it into the final image.
trivy image --scanners vuln wiremock/wiremock:3.12.0
shows that we'll get rid of the following CVE's
usr/local/bin/gosu (gobinary)
Total: 58 (UNKNOWN: 0, LOW: 1, MEDIUM: 23, HIGH: 31, CRITICAL: 3)
Thanks for your consideration
Activity